Snort mailing list archives

Re: default snort rules


From: Abhijit Tikekar <abhijittikekar () gmail com>
Date: Thu, 10 Jul 2014 13:48:55 -0400

yes, tcpdump -i eth2 does see the entire scan traffic.

The command for "rules read" doesn't return anything. So, when I checked
just for "rules", got the following, being repeated each time snort starts.

Jul 10 12:24:53 snort[41325]: Parsing Rules file "/etc/snort/snort.conf"
Jul 10 12:24:53 snort[41325]: Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules...
Jul 10 12:24:53 snort[41325]: WARNING: No dynamic libraries found in
directory /usr/local/lib/snort_dynamicrules.
Jul 10 12:24:53 snort[41325]:   Finished Loading all dynamic detection libs
from /usr/local/lib/snort_dynamicrules

output plugin is following:

# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128

[Noticed that extension in output is *.log, instead of *.u2. Could that be
an issue?]

Verified that rule path is correct:

var RULE_PATH /etc/snort/rules

Also, all these rules are un-commented in the conf file.


Thanks,

Abhi






On Thu, Jul 10, 2014 at 12:52 PM, Jeremy Hoel <jthoel () gmail com> wrote:

do you have those rules loaded?  if you tcpdump -i eth2, do you see the
scan traffic?

cat /var/log/messages |grep snort |grep -i "rules read"

How many rules are you loading?

what are your output options in your snort.conf file?

output unified2: filename snort.u2, limit 128
output alert_syslog: LOG_LOCAL6 LOG_ALERT

something like that?
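
To make the "rules read" check and the output-plugin question above concrete, here is an added shell example; it is not code from the thread, from the Snort project or from barnyard2. It pulls the rule count out of Snort's start-up syslog lines and lists the output lines that are actually active in a snort.conf. The log excerpt and the config excerpt are constructed for the example, modelled on what was pasted in the thread; a real run would read /var/log/messages and /etc/snort/snort.conf instead. Two facts it relies on: Snort logs "N Snort rules read" when it finishes parsing its rules, and the unified2 filename is a base name to which Snort appends a timestamp, so snort.log versus snort.u2 only matters insofar as barnyard2 must be started with the same base name.

```shell
#!/bin/sh
# Added example: sanity-check a Snort start-up from its syslog lines and
# list where snort.conf sends alerts. Not code from the thread or from Snort.

# Constructed syslog excerpt, modelled on the lines quoted in the thread.
# "N Snort rules read" is the line that "grep -i 'rules read'" looks for.
# The dynamic-library warning only means no compiled (SO) rules are
# installed; it does not stop text rules from loading.
SAMPLE_LOG='Jul 10 12:24:53 snort[41325]: Parsing Rules file "/etc/snort/snort.conf"
Jul 10 12:24:53 snort[41325]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
Jul 10 12:24:53 snort[41325]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
Jul 10 12:24:55 snort[41325]: 3547 Snort rules read
Jul 10 12:24:55 snort[41325]:     3547 detection rules
Jul 10 12:24:55 snort[41325]:     0 decoder rules
Jul 10 12:24:55 snort[41325]:     0 preprocessor rules'

# Constructed snort.conf excerpt with one active and one commented output.
SAMPLE_CONF='# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128
#output alert_syslog: LOG_LOCAL6 LOG_ALERT
var RULE_PATH /etc/snort/rules'

# rules_read_count LOGTEXT -> rule count from the most recent start, or 0
# when no "Snort rules read" line exists (nothing was loaded, or snort is
# not logging to syslog at all; either way you will see no alerts).
rules_read_count() {
    n=$(printf '%s\n' "$1" | grep -i 'snort rules read' | tail -n 1 |
        sed -n 's/.*[^0-9]\([0-9][0-9]*\) [Ss]nort rules read.*/\1/p')
    printf '%s\n' "${n:-0}"
}

# active_outputs CONFTEXT -> the un-commented "output ..." lines, trailing
# comments stripped, so you can see which plugins are really enabled.
active_outputs() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\(output [^#]*\).*/\1/p' |
        sed 's/[[:space:]]*$//'
}

# unified2_basename CONFTEXT -> the base filename the unified2 plugin writes.
# Snort appends a timestamp (snort.log.1405000000); barnyard2 must be started
# with the same base name (-f snort.log) to pick those files up.
unified2_basename() {
    active_outputs "$1" |
        sed -n 's/^output unified2:.*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' |
        head -n 1
}

# check_startup LOGTEXT CONFTEXT -> 0 if rules were loaded and an output
# plugin is configured, 1 otherwise, with a one-line reason on stdout.
check_startup() {
    count=$(rules_read_count "$1")
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no 'Snort rules read' line; 0 rules loaded or snort is not logging to syslog"
        return 1
    fi
    outputs=$(active_outputs "$2")
    if [ -z "$outputs" ]; then
        echo "FAIL: $count rules read but no active output plugin in snort.conf"
        return 1
    fi
    echo "OK: $count rules read; active outputs:"
    printf '%s\n' "$outputs" | sed 's/^/  /'
    return 0
}

check_startup "$SAMPLE_LOG" "$SAMPLE_CONF"
```

Point the two functions at the real files (`rules_read_count "$(cat /var/log/messages)"` and `active_outputs "$(cat /etc/snort/snort.conf)"`) to run the same check on a live sensor; a count of 0 is the first thing to fix before looking at traffic.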





On Thu, Jul 10, 2014 at 4:37 PM, Abhijit Tikekar <abhijittikekar () gmail com> wrote:

The $OPTION script and the value in daemon line were missing in snortd.
Added those and now I can see the options being used.

snort    41331  0.5  3.3 579460 269956 ?       Ssl  12:25   0:02
/usr/sbin/snort -d -D -i eth2 -u snort -g snort -k none -c
/etc/snort/snort.conf -l /var/log/snort/eth2

But no change in snort behavior yet. Started another full scan, included
options like DOS, Fragmented packets, bad traffic.. nothing recorded in
snort.log.

Thanks,

Abhi



On Thu, Jul 10, 2014 at 12:15 PM, Jeremy Hoel <jthoel () gmail com> wrote:

Humm.. the options should show on the command line when invoked.

Did you install snort via tarball or some rpm?

Near the top of the init script i have for snort I see:

# Source function library.
. /etc/rc.d/init.d/functions

# Source the local configuration file
. /etc/sysconfig/snort

# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$OPTIONS"X = "X" ]; then
   OPTIONS="$OPTIONS"
fi


do you have that in yours?


Then further down, during the case commands, you should see $OPTIONS in
the line with daemon
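
The check behind "the options should show on the command line when invoked" can be scripted. The following is an added shell example, not code from the thread, from the Snort RPM init script or from Snort itself: it reads OPTIONS out of a /etc/sysconfig/snort excerpt and reports which of those tokens are missing from the running daemon's command line. The sysconfig excerpt and the two ps lines are constructed for the example; the "after" line is modelled on the command line the thread shows once $OPTIONS was added to the daemon invocation.

```shell
#!/bin/sh
# Added example: confirm that what is set in /etc/sysconfig/snort actually
# reached the snort daemon's command line. Not code from the thread, from the
# Snort RPM init script or from Snort.

# Constructed /etc/sysconfig/snort excerpt (only the variable we care about).
SAMPLE_SYSCONFIG='# other settings above
INTERFACE=eth2
OPTIONS=" -k none "'

# Constructed "ps aux" lines modelled on the thread: before and after the
# init script was fixed to pass $OPTIONS to the daemon.
PS_BEFORE='snort    40088  0.3  3.1 579436 254884 ?       Ssl  11:54   0:00 /usr/sbin/snort -d -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth2'
PS_AFTER='snort    41331  0.5  3.3 579460 269956 ?       Ssl  12:25   0:02 /usr/sbin/snort -d -D -i eth2 -u snort -g snort -k none -c /etc/snort/snort.conf -l /var/log/snort/eth2'

# sysconfig_options TEXT -> the contents of OPTIONS="..." (last assignment wins)
sysconfig_options() {
    printf '%s\n' "$1" | sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' | tail -n 1
}

# cmdline_args PSLINE -> one argument per line, from the snort binary onward
# (skips the user/pid/cpu/... columns that ps prints first)
cmdline_args() {
    printf '%s\n' "$1" | awk '{ started = 0
        for (i = 1; i <= NF; i++) {
            if (!started && $i ~ /\/snort$/) started = 1
            if (started) print $i } }'
}

# flag_value PSLINE FLAG -> the argument that follows FLAG, or nothing
flag_value() {
    cmdline_args "$1" | awk -v f="$2" 'prev == f { print; exit } { prev = $0 }'
}

# missing_options SYSCONFIG_TEXT PSLINE -> every token of OPTIONS that does
# not appear on the running command line (empty output means all present)
missing_options() {
    args=$(cmdline_args "$2")
    for tok in $(sysconfig_options "$1"); do
        printf '%s\n' "$args" | grep -qxF -- "$tok" || printf '%s\n' "$tok"
    done
}

for ps in "$PS_BEFORE" "$PS_AFTER"; do
    pid=$(printf '%s\n' "$ps" | awk '{ print $2 }')
    m=$(missing_options "$SAMPLE_SYSCONFIG" "$ps")
    if [ -n "$m" ]; then
        echo "pid $pid: OPTIONS not applied; missing: $(printf '%s ' $m)"
    else
        echo "pid $pid: OPTIONS applied (checksum mode: -k $(flag_value "$ps" -k))"
    fi
done
```

On a live box replace the constructed strings with `"$(cat /etc/sysconfig/snort)"` and `"$(ps aux | grep '[/]snort ')"`; if anything comes back from missing_options after a restart, the init script is not passing $OPTIONS to the daemon line, which is exactly the failure the thread ran into.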



On Thu, Jul 10, 2014 at 4:07 PM, Abhijit Tikekar <
abhijittikekar () gmail com> wrote:

Added OPTIONS=" -k none" towards end of /sysconfig/snort and restarted.
No errors, but process still doesn't show any new flag, does that look okay?

snort    40088  0.3  3.1 579436 254884 ?       Ssl  11:54   0:00
/usr/sbin/snort -d -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort/eth2


Re ran the scan.. no activity in snort. The latest snort.log.TIMESTAMP
file stays at 0 bytes.

Thanks,

Abhi


On Thu, Jul 10, 2014 at 11:33 AM, Jeremy Hoel <jthoel () gmail com> wrote:

in /etc/sysconfig/snort at the bottom is OPTIONS=" "   add the -k
there. If it's not there, add it and that should work and should be picked
up from the init script.

ie:  OPTIONS=" -k none "


On Thu, Jul 10, 2014 at 3:24 PM, Abhijit Tikekar <
abhijittikekar () gmail com> wrote:

Thanks for the responses.

I checked the current snort instance.. it's not running with "-k none"..

snort    37452  0.3  3.3 579264 273292 ?       Ssl  10:47   0:05
/usr/sbin/snort -d -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort/eth2

How do I add "-k none" option in the daemon mode? It wasn't there
under /etc/sysconfig/snort

Although, I did find "config checksum_mode: all" under snort.conf.. I
changed it from "all" to "none"  [ Is this the same as adding -k none? ]

restarted snortd but it still cannot see any scans from pytbull.
Verified using tcpdump that traffic from pytbull is coming to the
interface, and if I edit icmp.rules and add a test "any any" rule, then it
starts detecting all icmp packets as "DELETED ICMP Source Quench".. but
nothing else. Not sure if it's a missing snort config param or if the
default rules are not tailored for something like pytbull.

Thanks,

Abhi



On Tue, Jul 8, 2014 at 6:19 PM, Joel Esler (jesler) <jesler () cisco com> wrote:


 On Jul 8, 2014, at 2:27 PM, Abhijit Tikekar <
abhijittikekar () gmail com> wrote:

  I am a new snort user. Current implementation is snort-2.9.6.1 on
CentOS 6.4 along with barnyard and snorby. My question is regarding the
ruleset which I downloaded as a registered user.

 Many of the rule files are empty, e.g, icmp.rules, or ddos.rules.
Are these supposed to be empty?


 Yes, these rules have transitioned to new categories per the
policy realignment.

 The reason I am asking is because when I used pytbull against
snort to test, snort.log never recorded anything.
When I add a test icmp rule (alert icmp any any -> any any (msg:"ICMP
Packet"; sid:477; rev:3;)), then only that is captured by snort, nothing
else.

 How much tuning should I do to my default snort ruleset before
noticing any alerts by scans from pytbull etc?
Is the default snort implementation capable of detecting such
attacks? I enabled all options in pytbull while scanning, e.g. Fragmented
packets, brute force, shellcodes, DOS etc..

 Ruleset used: snortrules-snapshot-2961.tar.gz


 Having not tested pytbull myself successfully, I'd say take a look
at the Snort FAQ.


https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md

 --
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
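
The test rule in the original question reuses sid:477, and the thread later reports that its hits show up as "DELETED ICMP Source Quench". That is what happens when a local rule borrows a sid from the vendor ruleset: barnyard2 and Snorby name an alert by looking its sid up in sid-msg.map, not by the msg in your rule, and Snort reserves sids below 1000000 for the vendor rulesets, with local rules starting at 1000000. The following added shell example, not code from the thread, from Snort or from barnyard2, checks a hand-written rule's sid against both constraints before it goes into local.rules. The sid-msg.map excerpt is constructed for the example: the sid 477 line is modelled on the name the thread reports, and the other entries are invented.

```shell
#!/bin/sh
# Added example: check the sid of a hand-written test rule before dropping it
# into local.rules. Not code from the thread, from Snort or from barnyard2.

# Constructed sid-msg.map excerpt (format: sid || msg || reference...).
# Only the 477 entry is modelled on the thread; the rest are invented.
SAMPLE_MAP='# sid-msg.map, constructed for the example
999 || EXAMPLE vendor rule || cve,0000-0000
477 || DELETED ICMP Source Quench || arachnids,475
1000001 || LOCAL test rule already in use'

# The test rule from the thread (closing parenthesis restored), a rule whose
# local sid is already taken, and one that is free.
BAD_RULE='alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)'
TAKEN_RULE='alert icmp any any -> any any (msg:"ICMP Packet"; sid:1000001; rev:1;)'
GOOD_RULE='alert icmp any any -> any any (msg:"LOCAL ICMP test"; sid:1000002; rev:1;)'

# rule_sid RULE -> the sid of a one-line Snort rule, or nothing
rule_sid() {
    printf '%s\n' "$1" |
        sed -n 's/.*[;(][[:space:]]*sid:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p'
}

# sid_msg_lookup SID MAPTEXT -> the msg that sid-msg.map assigns to SID, or
# nothing if the sid is unknown. Comment lines are skipped.
sid_msg_lookup() {
    printf '%s\n' "$2" | awk -F '[|][|]' -v sid="$1" '
        /^[ \t]*#/ { next }
        { s = $1; m = $2
          gsub(/^[ \t]+|[ \t]+$/, "", s)
          gsub(/^[ \t]+|[ \t]+$/, "", m)
          if (s == sid) { print m; exit } }'
}

# check_local_rule RULE MAPTEXT -> 0 if the sid is usable for a local rule,
# 1 with a one-line reason otherwise
check_local_rule() {
    sid=$(rule_sid "$1")
    if [ -z "$sid" ]; then
        echo "no sid in rule: $1"
        return 1
    fi
    msg=$(sid_msg_lookup "$sid" "$2")
    if [ -n "$msg" ]; then
        echo "sid $sid is already \"$msg\" in sid-msg.map; alerts will carry that name, not yours"
        return 1
    fi
    if [ "$sid" -lt 1000000 ]; then
        echo "sid $sid is in the vendor range (below 1000000); use 1000000 or higher"
        return 1
    fi
    echo "sid $sid ok"
    return 0
}

for r in "$BAD_RULE" "$TAKEN_RULE" "$GOOD_RULE"; do
    check_local_rule "$r" "$SAMPLE_MAP"
done
```

Run it against the real map (`"$(cat /etc/snort/sid-msg.map)"`) for every rule you add to local.rules; an "any any" ICMP rule with a free local sid is still a fine way to prove the sensor sees traffic, it will just be labelled with your own msg.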




------------------------------------------------------------------------------
Open source business process management suite built on Java and
Eclipse
Turn processes into business applications with Bonita BPM Community
Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!