Snort mailing list archives
Snort Rules 2940 Problem
From: Yeison Camargo <yjcb22 () gmail com>
Date: Mon, 4 Feb 2013 23:40:59 -0500
Hi all,

I'm having a problem with Snort 2.9.4 and snortrules-snapshot-2940.tar.gz. I've installed it on a CentOS 6.3 and everything works perfectly (Snort + barnyard2 + unified2 + syslog + alert). But when I make a port scan with Zenmap (the nmap GUI), it doesn't show anything. I tested by creating a rule in /etc/snort/rules/local.rules:

    alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001;)

So when I ping the Snort machine, it generates the alerts. Then Snort is reading the rules and the rule path is OK. I don't know what else to do. I also configured PulledPork. I thought I had a problem with my rules configuration, but it doesn't work either.

Before installing snortrules-snapshot-2940.tar.gz I installed snortrules-snapshot-2931.tar.gz, which doesn't recognize the port scan but generates an alert when I did:

    ping 172.16.10.16 -b -n -p "7569643d3028726f6f74290a"

But now it does generate alerts with this ping. Is there a problem with the 2940 rules, or do I have a problem with the rules configuration? (Which is more likely, but I don't know what the problem is!!)

Thanks in advance.

SNORT.CONF:

    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
    var WHITE_LIST_PATH /etc/snort/rules
    var BLACK_LIST_PATH /etc/snort/rules

    # site specific rules
    include $RULE_PATH/local.rules
    include $RULE_PATH/app-detect.rules
    include $RULE_PATH/attack-responses.rules
    include $RULE_PATH/backdoor.rules
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/blacklist.rules
    include $RULE_PATH/botnet-cnc.rules
    .
    .
    .

    [ ]# pwd
    /etc/snort
    [ ]# ls
    classification.config  gen-msg.map  reference.config  sid-msg.map  snort.conf.bak  threshold.conf
    etc  preproc_rules  rules  snort.conf  so_rules  unicode.map

            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.4 GRE (Build 40)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2012 Sourcefire, Inc., et al.
               Using libpcap version 1.0.0
               Using PCRE version: 7.8 2008-09-05
               Using ZLIB version: 1.2.3

               Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.17  <Build 18>
               Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
               Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
               Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
               Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
               Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
               Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
               Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
               Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
               Preprocessor Object: SF_POP  Version 1.0  <Build 1>
               Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
               Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
               Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
               Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
               Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>

    Commencing packet processing (pid=8114)

--
YEISON JULIAN CAMARGO
Cisco Systems CCNA
Cisco Systems CCNA Security
Microsoft MTA Windows Server Administration
Microsoft MTA Security
Microsoft MTA Networking
IPv6 Hurricane Electric SAGE
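One quick check for the kind of "rules are loaded but some never fire" situation described in the post is to confirm that every include line in snort.conf actually resolves to an existing file once the var definitions are expanded. The following POSIX shell function is an added example, not code from the post or from the Snort project; it assumes a Snort 2.x-style config using "var NAME VALUE" and "include $NAME/file" lines, and the sample config it is run against in the test is constructed.

```shell
#!/bin/sh
# Added example: expand "var" definitions in a snort.conf and report which
# "include" targets do not exist on disk. Assumes Snort 2.x config syntax.

# check_includes CONF
#   Prints one "missing: ..." line per unresolved include.
#   Returns the number of missing files as the exit status (0 = all present).
check_includes() {
    conf="$1"
    missing=0
    # Build a NAME=VALUE table from lines of the form: var NAME VALUE
    vars=$(awk '$1 == "var" && NF == 3 { print $2 "=" $3 }' "$conf")
    # Walk every include line and expand each $NAME it references.
    for inc in $(awk '$1 == "include" { print $2 }' "$conf"); do
        path="$inc"
        for kv in $vars; do
            name=${kv%%=*}
            value=${kv#*=}
            # sed sees: s|\$NAME|VALUE|g  (literal "$" in a BRE)
            path=$(printf '%s' "$path" | sed "s|\\\$$name|$value|g")
        done
        if [ ! -f "$path" ]; then
            echo "missing: $path (from: include $inc)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

Run it as `check_includes /etc/snort/snort.conf`; a non-zero exit status means at least one included rule file is absent, which is worth resolving before looking at the rules themselves (Snort's own `snort -T -c /etc/snort/snort.conf` configuration test will also refuse to start on a missing include).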