Snort mailing list archives

Snort, even though working properly, does not report the majority of rules


From: Henry Collins <hcol1987 () gmail com>
Date: Mon, 16 Feb 2015 15:42:32 +0100

I have installed Snort 2.9.7.0 and it does not detect the majority of attacks,
such as nmap port scans, downloading exe files, or opening documents
containing the keyword "root".

I use Snort together with Pulled Pork and Barnyard2. Everything seems to
function and I can see alerts on the website that is powered by BASE.

The problem is that I can only trigger 3 different alerts. Everything else
is simply not detected. Obviously, I want to be able to get alerts when
someone performs port scanning, attempts a DDoS attack and so on. These I
cannot trigger. Do I have to enable something somewhere?

I have made my own local.rules file, which contains a single rule -
monitoring of ICMP echo packets.

Pulled Pork does show that it has downloaded over 20000 rules and that over
5000 rules are enabled. This can be seen in the snort.rules file, which I
included in the snort.conf file.

The 3 alerts I am able to trigger are:

stream5: TCP Small Segment Threshold Exceeded (this is due to my old
WinSCP client)
ssh: Protocol mismatch (this is due to my old PuTTY client)
ICMP test (my own rule from local.rules)

My snort.conf can be found on the following website (I had to move it there
because I reached the list's maximum message length): https://paste.ee/p/RTUgY

My pulledpork.conf can be found on the following website:
https://paste.ee/p/ixZqW

My local.rules looks like this (which does work):

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;
rev:001;)


What is strange is that last Friday, Snort suddenly started to work and
used Pulled Pork's rules. However, currently, when I am writing this, it
doesn't work anymore. I tried to reinstall Snort, Barnyard2 and everything
else on a completely fresh Linux computer. It didn't help.
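Added example, not part of the post above and not Snort's or Pulled Pork's own tooling: a POSIX shell script that performs the checks a reader would want to run against a snort.conf in this situation. It expands the conf's own `var` definitions into every `include` line, reports which included rule files are missing, counts enabled versus commented-out rules in each, and prints the HOME_NET/EXTERNAL_NET ipvars (a wrong HOME_NET silently makes every "-> $HOME_NET" rule a no-op). The snort.conf and rule files it operates on are constructed sample data written to a temporary directory, so it runs offline; point `check_conf` at a real /etc/snort/snort.conf to use it for real.

```shell
#!/bin/sh
# Added example (not from the original post). All snort.conf and rule files
# below are constructed sample data, written to a temp directory.
set -eu

# Expand 'var NAME value' definitions into every 'include' path of a conf.
# Assumes includes are written as $NAME/file, the style used in snort.conf.
list_includes() {
    awk '
        $1 == "var"     { vars[$2] = $3; next }
        $1 == "include" {
            path = $2
            for (v in vars) gsub("\\$" v, vars[v], path)
            print path
        }' "$1"
}

# Print the HOME_NET / EXTERNAL_NET ipvar lines so they can be eyeballed.
show_net_vars() {
    awk '$1 == "ipvar" && ($2 == "HOME_NET" || $2 == "EXTERNAL_NET") { print $2 "=" $3 }' "$1"
}

RULE_ACTIONS='(alert|log|pass|drop|reject|sdrop)'

# A rule line starts with an action keyword; a leading '#' means Pulled Pork
# (or a human) disabled it. grep -c prints 0 and exits 1 on no match, hence || true.
count_enabled_rules()  { grep -cE "^[[:space:]]*${RULE_ACTIONS}[[:space:]]" "$1" || true; }
count_disabled_rules() { grep -cE "^[[:space:]]*#[[:space:]]*${RULE_ACTIONS}[[:space:]]" "$1" || true; }

# Report on every include. Returns 1 if any include is missing or if no rule
# at all is enabled; returns 0 otherwise.
check_conf() {
    conf=$1; status=0; total=0
    show_net_vars "$conf"
    for f in $(list_includes "$conf"); do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"; status=1; continue
        fi
        on=$(count_enabled_rules "$f"); off=$(count_disabled_rules "$f")
        total=$((total + on))
        echo "$f: $on enabled, $off disabled"
    done
    echo "total enabled rules: $total"
    [ "$total" -gt 0 ] || status=1
    return $status
}

# Constructed sample: one good rules file, the poster's local.rules, and a
# deliberately missing include so the report shows what a broken include looks like.
make_sample() {
    dir=$1
    mkdir -p "$dir/rules"
    cat > "$dir/snort.conf" <<EOF
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !\$HOME_NET
var RULE_PATH $dir/rules
include \$RULE_PATH/snort.rules
include \$RULE_PATH/local.rules
include \$RULE_PATH/missing.rules
EOF
    cat > "$dir/rules/snort.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connect"; flags:S; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"disabled by pulledpork"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"outbound http"; sid:1000004; rev:1;)
EOF
    cat > "$dir/rules/local.rules" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
EOF
}

SAMPLE_DIR=$(mktemp -d)
make_sample "$SAMPLE_DIR"
check_conf "$SAMPLE_DIR/snort.conf" || echo "snort.conf has problems (see above)"
```

The authoritative check is still Snort itself: `snort -T -c /etc/snort/snort.conf` parses the configuration in test mode and prints the number of rules it loaded, which is the figure to compare against the counts Pulled Pork reports.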