Snort mailing list archives
Re: Snort 2.9.6 doesn't alert using subscribed VRT ruleset but with ETOpen
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 4 Apr 2014 17:14:30 +0000
Have you tried: https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md

Rule 2100498 is a copy of the VRT rule sid:498. It's disabled by default in the ruleset, so you may have to enable it (notice that we don't enable everything by default).

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Apr 4, 2014, at 7:42 AM, ped () gmx it wrote:

> I have subscribed to Snort VRT and received the latest rule set (snortrules-snapshot-2956.tar.gz). I installed snort from source using the guide (http://www.snort.org/assets/158/snortinstallguide293.pdf) for Ubuntu 12.04 LTS.
>
> I found snort does not alert on sample malicious requests, i.e. DT to ../../../etc/passwd, curl www.testmyids.com, portscan, using the VRT ruleset. So then I added the ETOpen ruleset and it started to alert on the above requests (curl www.testmyids.com, sample ping in local.rules, DNS attack):
>
> 04/03-11:32:47.780946 [**] [1:2100498:8] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:44591
> 04/03-11:47:28.034106 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} X.X.X.X -> Y.Y.Y.Y
> 04/03-12:01:12.771472 [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} X.X.X.X:39613 -> Y.Y.Y.Y:53
>
> As it is the first time I am using VRT (I used ET before and it worked quite well),
> [*] is this normal behavior, not to alert on the above events?
> [*] if not, is there any configuration I need to set for VRT to work?
>
> Here is my snort.conf [https://clbin.com/B8Ikl]
>
> Ped
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
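As an added example (not code from this thread or from the Snort project), a small Python helper that reports which SIDs in a rules file are shipped commented out and uncomments the ones you decide to enable, such as sid 498 from the reply above. The rules text it runs on is constructed for illustration; the rule headers and sid values are assumptions, not copied from a real ruleset.

```python
import re

# Constructed sample of a Snort rules file: sid 498 is commented out
# (disabled), as the reply above describes; the other rule is already active.
SAMPLE_RULES = """\
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:0;)
"""

# Snort stores the rule id as "sid:<number>;" inside the option block.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# A disabled rule is a rule line whose action keyword is preceded by '#'.
DISABLED_RE = re.compile(r"^\s*#\s*(?=(?:alert|log|pass|drop|reject|sdrop)\s)")


def rule_states(rules_text):
    """Map each sid found in the rules text to 'enabled' or 'disabled'."""
    states = {}
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if not m:
            continue  # blank lines, include directives, plain comments
        sid = int(m.group(1))
        states[sid] = "disabled" if DISABLED_RE.match(line) else "enabled"
    return states


def enable_sids(rules_text, wanted):
    """Return the rules text with the listed sids uncommented.

    Lines for other sids, and sids that are already enabled, are kept verbatim,
    so the function can be applied safely to a whole rules file.
    """
    out = []
    for line in rules_text.splitlines(keepends=True):
        m = SID_RE.search(line)
        if m and int(m.group(1)) in wanted and DISABLED_RE.match(line):
            line = DISABLED_RE.sub("", line, count=1)  # drop the leading '#'
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    print(rule_states(SAMPLE_RULES))            # sid 498 reported as disabled
    print(rule_states(enable_sids(SAMPLE_RULES, {498})))
```

After editing the rules file, restart Snort (or send it SIGHUP) so the re-enabled rule is loaded, and re-run the curl test from the original post to confirm the alert fires.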