Snort mailing list archives
Re: questions about snort behavior
From: Tomas Hajek <hajek () oakland edu>
Date: Wed, 15 Apr 2015 08:56:23 -0400
Although I am new to snort as well, I might be able to answer a part of this. If you are capturing on en0 and you ping localhost, those are not the same interfaces, so snort is not going to see this. localhost is lo, and most if not all traffic to localhost (or 127.0.0.1) never hits the network.

On Wed, Apr 15, 2015 at 7:46 AM, May Smith <may24x () yahoo com> wrote:
Hi all,

I'm pretty new to snort and have managed to deploy it along with barnyard2 and Snorby on a test VM (CentOS7 64Bit). Now it's time to configure the components so they'll work together. Starting with snort, I realized some strange behaviors, which I'm unsure are fault or feature ... ;)

My config regarding the network-to-monitor is:

# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.187.130/30

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

I've another (virtual) machine listening to 192.168.178.135 and - for testing purposes - created the following rules:

alert tcp any any -> any 22 (msg:"ssh access";sid:1000003;)
alert icmp 192.168.187.130 any -> any any (msg:"pings detected";sid:1000002;)   (for testing)

My command line to start snort is:

snort -A console -i eno16777736 -u snort -g snort -c /etc/snort/snort.conf

1. When I ping 'localhost', the host is reachable but snort recognizes nothing.
2. When I ping 192.168.187.135, the host is reachable but snort recognizes nothing.
3. When I ping google.com, the host is reachable and snort shows:

04/15-07:34:46.978754 [**] [1:1000002:0] pings detected [**] [Priority: 0] {ICMP} 192.168.187.130 -> 98.138.253.109

Why?

Almost the same behavior with ssh. localhost and 192.168.187.135 don't show anything. Logging in to another host ... at first doesn't show anything ... but when the session is closed, I see:

04/15-07:37:20.656375 [**] [1:1000003:0] ssh access [**] [Priority: 0] {TCP} 192.168.187.130:33760 -> xxx.xxx.xxx.xxx:22

I'd expected that snort would alert the moment someone triggers an ssh connection ... and not wait until the ssh session is closed!

I've enabled unified logging in /etc/snort/snort.conf, but all I see in /var/log/snort is:

/var/log/snort > ls -la
drwxr-xr-x   2 snort snort   34 15. Apr 07:28 .
drwxr-xr-x. 23 root  root  4096 15. Apr 06:24 ..
-rw-r--r--   1 snort snort    0 15. Apr 06:24 alert
-rw-------   1 snort snort    0 15. Apr 07:37 snort.log

Why?
Config entries are:

# unified2
# Recommended for most installs
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp

Can you help me out?

regards
May

------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-event?utm_source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Tomas Hajek
hajek () oakland edu
1-248-370-3505
Senior Linux Systems Engineer
University Technology Services
Oakland University
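As an added example (not code from either poster or from the Snort project), a small Python parser for the "-A console" alert lines quoted in the thread, which tags each alert's direction against the poster's HOME_NET value. The sample lines are constructed; the SSH peer address 203.0.113.7 is a placeholder standing in for the xxx.xxx.xxx.xxx in the original.

```python
import ipaddress
import re

# Constructed sample lines in Snort's console alert format, shaped like the
# two alerts quoted in the thread (203.0.113.7 is a placeholder peer).
SAMPLE_ALERTS = """\
04/15-07:34:46.978754  [**] [1:1000002:0] pings detected [**] [Priority: 0] {ICMP} 192.168.187.130 -> 98.138.253.109
04/15-07:37:20.656375  [**] [1:1000003:0] ssh access [**] [Priority: 0] {TCP} 192.168.187.130:33760 -> 203.0.113.7:22
"""

# Same value as the poster's "ipvar HOME_NET 192.168.187.130/30"; strict=False
# normalises the host-with-prefix form to its network (192.168.187.128/30).
HOME_NET = ipaddress.ip_network("192.168.187.130/30", strict=False)

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?"   # present when a classtype is set
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Parse one console-format alert line into a dict; None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        rec[k] = int(rec[k])
    for k in ("sport", "dport"):            # ICMP alerts carry no ports
        rec[k] = int(rec[k]) if rec[k] is not None else None
    # Direction relative to HOME_NET, mirroring the HOME_NET/EXTERNAL_NET split
    src_home = ipaddress.ip_address(rec["src"]) in HOME_NET
    dst_home = ipaddress.ip_address(rec["dst"]) in HOME_NET
    rec["direction"] = ("internal" if src_home and dst_home else
                        "outbound" if src_home else
                        "inbound" if dst_home else "external")
    return rec

def parse_alerts(text):
    """Parse every matching line of a console alert dump; unparseable lines are skipped."""
    return [r for r in (parse_alert(ln) for ln in text.splitlines()) if r]

if __name__ == "__main__":
    for rec in parse_alerts(SAMPLE_ALERTS):
        print(rec["sid"], rec["msg"], rec["proto"], rec["src"], "->", rec["dst"], rec["direction"])
```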
Current thread:
- questions about snort behavior May Smith (Apr 15)
- Re: questions about snort behavior Tomas Hajek (Apr 15)
- Re: questions about snort behavior Al Lewis (allewi) (Apr 15)