Snort mailing list archives
Snort Rules 2940 Problem
From: Yeison Camargo <yjcb22 () gmail com>
Date: Mon, 4 Feb 2013 23:40:59 -0500
Hi all,
I'm having a problem with Snort 2.9.4 and snortrules-snapshot-2940.tar.gz.
I've installed it on CentOS 6.3 and everything works perfectly
(Snort+barnyard2+unified2+syslog+alert). But when I make a port scan with
Zenmap (the nmap GUI), it doesn't show anything. I tested creating a rule in
/etc/snort/rules/local.rules:
alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001;)
So when I ping the Snort machine it generates the alerts, so Snort is
reading the rules and the rule path is OK.
I don't know what else to do. I also configured PulledPork. I thought I had
a problem with my rules configuration, but it doesn't work either.
Before installing snortrules-snapshot-2940.tar.gz I installed
snortrules-snapshot-2931.tar.gz, which doesn't recognize port scans but
generates an alert when I did: ping 172.16.10.16 -b -n -p
"7569643d3028726f6f74290a". But now it does generate alerts with this
ping.
Is there a problem with the 2940 rules or do I have a problem with the rules
configuration? (Which is more likely, but I don't know what the
problem is!)
Thanks in advance.
SNORT.CONF:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules
include $RULE_PATH/botnet-cnc.rules
.
.
.
[ ]# pwd
/etc/snort
[ ]# ls
classification.config gen-msg.map reference.config sid-msg.map
snort.conf.bak threshold.conf
etc preproc_rules rules snort.conf
so_rules unicode.map
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.4 GRE (Build 40)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.17 <Build 18>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Commencing packet processing (pid=8114)
--
YEISON JULIAN CAMARGO
Cisco Systems CCNA
Cisco Systems CCNA Security
Microsoft MTA Windows Server Administration
Microsoft MTA Security
Microsoft MTA Networking
IPv6 Hurricane Electric SAGE
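The question above turns on whether the rule path or the ruleset is at fault. Two checks a defender would make before blaming the ruleset: whether every `include` in snort.conf resolves to a file that actually contains active (uncommented) rules, and whether the sfportscan preprocessor is enabled, since Snort 2.x raises its port-scan alerts from that preprocessor rather than from a text rule, so a working ICMP rule in local.rules does not by itself show that scan detection is configured. The following Python script is an added example, not code from the post or from the Snort project. It audits a constructed sample snort.conf modelled on the snippet in the post (the file names, their contents and the temp directory are assumptions), resolves `$VAR` includes relative to the config's directory, counts live rules per file, and flags missing files and a commented-out sfportscan line.

```python
import os
import re
import tempfile

# Snort 2.x rule actions; a line must begin with one of these to be a live rule.
RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

# Constructed sample snort.conf modelled on the snippet in the post. Paths are
# relative so the example runs from a temp directory; the sfportscan line is
# deliberately commented out to show what the audit reports in that case.
SAMPLE_SNORT_CONF = """\
var RULE_PATH rules
var PREPROC_RULE_PATH preproc_rules
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/missing.rules
"""

# Constructed rule files (assumed content): one live rule, one file with only
# commented-out lines, and missing.rules intentionally absent on disk.
SAMPLE_RULE_FILES = {
    "rules/local.rules":
        'alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001;)\n',
    "rules/attack-responses.rules":
        '# alert tcp any any -> any any (msg:"disabled rule"; sid:2;)\n'
        "# nothing enabled in this file\n",
}


def parse_vars(conf_text):
    """Collect `var NAME VALUE` definitions from the config text."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def expand(path, variables):
    """Substitute $NAME references with parsed variable values."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), path)


def count_active_rules(rule_file):
    """Count lines that start with a rule action, i.e. not blank or commented
    out. Backslash-continued rules are counted once, on their first line."""
    total = 0
    with open(rule_file) as fh:
        for line in fh:
            words = line.split()
            if words and words[0] in RULE_ACTIONS:
                total += 1
    return total


def audit_snort_conf(conf_text, base_dir):
    """Resolve every include, count its live rules (None = file missing) and
    report whether an uncommented sfportscan preprocessor line is present.
    Relative includes are resolved against base_dir, the config's directory."""
    variables = parse_vars(conf_text)
    includes = {}
    sfportscan = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments never configure anything
        if re.match(r"preprocessor\s+sfportscan\b", line):
            sfportscan = True
        m = re.match(r"include\s+(\S+)", line)
        if m:
            rel = expand(m.group(1), variables)
            full = rel if os.path.isabs(rel) else os.path.join(base_dir, rel)
            includes[m.group(1)] = count_active_rules(full) if os.path.isfile(full) else None
    return {"includes": includes, "sfportscan_enabled": sfportscan}


def findings(report):
    """Turn the report into human-readable warnings; an empty list means all clear."""
    out = []
    for inc, n in report["includes"].items():
        if n is None:
            out.append(f"{inc}: file not found (check var RULE_PATH)")
        elif n == 0:
            out.append(f"{inc}: no active rules (all commented out?)")
    if not report["sfportscan_enabled"]:
        out.append("sfportscan preprocessor not enabled: port scans will not alert")
    return out


def build_sample_tree():
    """Write the constructed sample rule files into a fresh temp directory."""
    base = tempfile.mkdtemp(prefix="snort-audit-")
    for rel, content in SAMPLE_RULE_FILES.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    report = audit_snort_conf(SAMPLE_SNORT_CONF, base)
    for inc, n in report["includes"].items():
        print(f"{inc}: {'MISSING' if n is None else str(n) + ' active rule(s)'}")
    for warning in findings(report):
        print("WARNING:", warning)
```

Run against a real install by reading /etc/snort/snort.conf and passing `/etc/snort` as `base_dir`; a ruleset whose files all resolve but report zero active rules points at the snapshot or PulledPork's modifysid/disablesid settings, while a missing sfportscan line explains silent nmap scans regardless of which rule files are loaded.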