Snort mailing list archives

Re: RE : Snort won't generate alerts with single snort.rules file


From: Anacleto Junior <suporte.anacleto () gmail com>
Date: Thu, 6 Mar 2014 11:26:47 -0300

2014-02-28 14:46 GMT-03:00 rmkml <rmkml () yahoo fr>:

Hi Anacleto,

Could you try with disabling cksum verification please? ( -k none )


I tried with this command:

/usr/local/bin/snort -A console -k none -u snort -g snort -c /etc/snort/eth1/snort_eth1.conf -i eth1

And I still don't get any alerts logged...


Regards
@Rmkml




-------- Original message --------
From: Anacleto Junior <suporte.anacleto () gmail com>
Date:
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort won't generate alerts with single snort.rules file


Hi everyone,

Sorry for the poor English, but I will try my best. I will describe my
problems after upgrading the Snort rules.

Debian Linux 6.0.8 (kernel 2.6.32-5 x86_64)
Snort version: Version 2.9.6.0 GRE (Build 47)
Snort rules version: 2.9.6.0
pulledpork 0.7.0
barnyard2 2.1.13 build 327

I was using Snort v.2.9.5.6 with snortrules-snapshot-2956 for a good time.
I have upgraded to the latest version available and some issues occurred.
If this is not the right place for asking, sorry for this. I will
appreciate if someone can point me the right place to ask.

When I run snort with this command:

/usr/local/bin/snort -A console -u snort -g snort -c /etc/snort/eth1/snort_eth1.conf -i eth1

I can't get alerts and no events are registered. This is the output
after I stop it (ctrl+c):

I got some errors like:
WARNING: /etc/snort/rules/snort.rules(15678) GID 1 SID 24017 in rule duplicates previous rule. Ignoring old rule.

But it moves on...

4539 Snort rules read (so I assume it is reading the
    4208 detection rules
    0 decoder rules
    4 preprocessor rules
4212 Option Chains linked into 185 Chain Headers
0 Dynamic rules


Snort ran for 0 days 0 hours 3 minutes 10 seconds
   Pkts/min:        39481
   Pkts/sec:          623

Packet I/O Totals:
   Received:       118443
   Analyzed:       118443 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0

Breakdown by protocol (includes rebuilt packets):
        Eth:       118567 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:       118567 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:          411 (  0.347%)
        UDP:         4682 (  3.949%)
        TCP:       111664 ( 94.178%)

Here's the problem, this is the info that got me concerned:

===============================================================================



Action Stats:     Alerts:            0 (  0.000%)     Logged:            0 (  0.000%)     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:        82225 ( 69.422%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:        36218 ( 30.578%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)


None of this traffic was even registered. I think I was supposed to
get some alerts because I have a single file with all rules
(pulledpork rule management). Isn't it supposed to activate all rules by
default?

This is my snort.conf file:
http://pastebin.com/YWABcKsF


Thanks in advance.


--
Anacleto Júnior
Analista de TI e Redes
Linux User: #447388




-- 
Anacleto Júnior
Analista de TI e Redes
Linux User: #447388
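A check a defender would run on the pulledpork output before digging further, added here as an example and not taken from the thread or from Snort itself: it parses a rules file, counts enabled versus commented-out rules, and lists the duplicate GID:SID pairs behind the "duplicates previous rule. Ignoring old rule" warning, so the number actually loaded can be compared with Snort's "Snort rules read" line. The rules text below is constructed; the sid/gid regexes and the action keyword list are my assumptions about the rule syntax.

```python
"""Audit a Snort rules file: count enabled/commented rules and duplicate
GID:SID pairs (Snort warns "duplicates previous rule. Ignoring old rule"
and loads only one copy). Constructed example, not Snort project code."""
import re
from collections import Counter

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Return (enabled, disabled) lists of (gid, sid) pairs in file order.
    '#' before a rule header means a disabled rule; other '#' lines are comments."""
    text = text.replace("\\\n", "")  # Snort joins backslash-continued lines first
    enabled, disabled = [], []
    for raw in text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        body = line.lstrip("# ")
        if not body.startswith(ACTIONS):
            continue  # blank line, free-text comment or config directive
        sid, gid = SID_RE.search(body), GID_RE.search(body)
        if not sid:
            continue  # Snort rejects a rule without a sid at load time
        pair = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # GID defaults to 1
        (disabled if commented else enabled).append(pair)
    return enabled, disabled

def audit(text):
    """Summarise what Snort will actually load from this rules text."""
    enabled, disabled = parse_rules(text)
    return {
        "enabled": len(enabled),
        "disabled": len(disabled),
        "duplicates": sorted(p for p, n in Counter(enabled).items() if n > 1),
        "loaded": len(set(enabled)),  # one copy survives per GID:SID
    }

# Constructed sample: SID 24017 appears twice under GID 1, as in the warning quoted above.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"A"; sid:24017; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"B"; sid:24018; rev:2;)
# alert udp any any -> any 53 (msg:"C disabled"; sid:24019; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"A again"; sid:24017; rev:2;)
alert ip any any -> any any (msg:"D"; gid:3; sid:24017; rev:1;)
"""

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

Run it against the real /etc/snort/rules/snort.rules; if "loaded" is far below "enabled", or "enabled" is zero because pulledpork commented everything out, that explains an empty Action Stats block before any traffic question arises.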