Snort mailing list archives

Re: questions about snort behavior


From: Tomas Hajek <hajek () oakland edu>
Date: Wed, 15 Apr 2015 08:56:23 -0400

Although I am new to snort as well, I might be able to answer part of
this.  If you are capturing on en0 and you ping localhost, those are not the
same interfaces, so snort is not going to see this.  localhost is lo, and
most if not all traffic to localhost (or 127.0.0.1) never hits the
network.


On Wed, Apr 15, 2015 at 7:46 AM, May Smith <may24x () yahoo com> wrote:

Hi all,

I'm pretty new to snort and have managed to deploy it along with barnyard2
and Snorby on a test VM (CentOS7 64Bit).
Now it's time to configure the components so they'll work together.

Starting with snort, I noticed some strange behaviors, which I'm unsure
are a fault or a feature ... ;)

My config regarding the network to monitor is:
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.187.130/30

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

I've another (virtual) machine listening on 192.168.178.135 and - for
testing purposes - created the following rules:
alert tcp any any -> any 22 (msg:"ssh access";sid:1000003;)
alert icmp 192.168.187.130 any -> any any (msg:"pings detected";sid:1000002;)

(for testing) my command line to start snort is:
snort -A console -i eno16777736 -u snort -g snort -c /etc/snort/snort.conf

1. when I ping 'localhost', the host is reachable but snort recognizes nothing.
2. when I ping 192.168.187.135, the host is reachable but snort recognizes
nothing.
3. when I ping google.com, the host is reachable and snort shows:
04/15-07:34:46.978754  [**] [1:1000002:0] pings detected [**] [Priority: 0] {ICMP} 192.168.187.130 -> 98.138.253.109

Why ?

Almost the same behavior with ssh. localhost and 192.168.187.135 don't
show anything.
Logging in to another host ... at first doesn't show anything ... but when the
session is closed, I see:
04/15-07:37:20.656375  [**] [1:1000003:0] ssh access [**] [Priority: 0] {TCP} 192.168.187.130:33760 -> xxx.xxx.xxx.xxx:22

I'd expected that snort would alert the moment someone triggers an ssh
connection ... and not wait until the ssh session is closed!

I've enabled unified logging in /etc/snort/snort.conf, but all I see in
/var/log/snort is:

/var/log/snort > ls -la

drwxr-xr-x   2 snort snort   34 15. Apr 07:28 .
drwxr-xr-x. 23 root  root  4096 15. Apr 06:24 ..
-rw-r--r--   1 snort snort     0 15. Apr 06:24 alert
-rw-------   1 snort snort    0 15. Apr 07:37 snort.log

Why ?

config entries are:
# unified2
# Recommended for most installs
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp

Can you help me out?

regards
May




------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live
exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
event?utm_
source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 

                Tomas Hajek
                hajek () oakland edu
                1-248-370-3505
                Senior Linux Systems Engineer
                University Technology Services
                Oakland University
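As an added example (not code from the thread, from Snort, or from either poster), the following Python script parses the "-A console" alert lines quoted above and classifies each one against the HOME_NET from the quoted snort.conf. It is the kind of check a defender runs when alerts look inconsistent: confirm the alert format is being read correctly, see which direction each alert points relative to HOME_NET, and verify that the hosts you expect to monitor actually fall inside the network variable you defined. The sample lines are reconstructed from the mail (re-joined onto single lines as Snort prints them); the redacted ssh peer "xxx.xxx.xxx.xxx" is replaced with the constructed TEST-NET address 203.0.113.10. The optional "[Classification: ...]" bracket in the regex is there because Snort prints it when a rule sets a classtype; the rules in the thread do not, so it is absent from the sample.

```python
"""Parse Snort console alerts and sanity-check them against HOME_NET.

Added example for the snort-users thread above; not part of Snort.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# HOME_NET exactly as written in the quoted snort.conf. strict=False lets the
# ipaddress module accept a host address with a prefix (Snort's ipvar does
# likewise); the resulting network is 192.168.187.128/30, i.e. .128 to .131.
HOME_NET = ipaddress.ip_network("192.168.187.130/30", strict=False)

# Constructed sample input: the two console alerts quoted in the thread, with
# the redacted ssh peer replaced by a TEST-NET-3 address.
SAMPLE_ALERTS = [
    "04/15-07:34:46.978754  [**] [1:1000002:0] pings detected [**] [Priority: 0] "
    "{ICMP} 192.168.187.130 -> 98.138.253.109",
    "04/15-07:37:20.656375  [**] [1:1000003:0] ssh access [**] [Priority: 0] "
    "{TCP} 192.168.187.130:33760 -> 203.0.113.10:22",
]

# Matches the "-A console" (fast) alert format: timestamp, [gid:sid:rev], msg,
# optional classification and priority, protocol, then src -> dst with
# optional ports (IPv4 only, as in the thread).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*[^\]]+\]\s+)?"   # printed only when the rule sets classtype
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["ts"],
        "gid": int(d["gid"]),
        "sid": int(d["sid"]),
        "rev": int(d["rev"]),
        "msg": d["msg"],
        "priority": int(d["prio"]) if d["prio"] else None,
        "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def direction(alert: Dict[str, object], home_net=HOME_NET) -> str:
    """Classify an alert relative to HOME_NET: internal, outbound, inbound or external."""
    src_home = alert["src"] in home_net
    dst_home = alert["dst"] in home_net
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "external"


def home_net_coverage(hosts: List[str], home_net=HOME_NET) -> Dict[str, bool]:
    """Report which of the hosts you expect to monitor actually fall inside HOME_NET."""
    return {h: ipaddress.ip_address(h) in home_net for h in hosts}


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        a = parse_alert(line)
        print(f"sid={a['sid']} {a['proto']} {a['src']} -> {a['dst']} "
              f"[{direction(a)}] {a['msg']!r}")
    # The two hosts named in the thread: the sensor (.130) and the test peer (.135).
    print("HOME_NET is", HOME_NET, "covers:",
          home_net_coverage(["192.168.187.130", "192.168.187.135"]))
```

Running it shows both quoted alerts as outbound from 192.168.187.130, and that a /30 written on .130 covers only .128 through .131, so the .135 test machine sits outside HOME_NET. The two test rules in the thread use "any" rather than $HOME_NET, so this does not by itself explain the missing ping alert, but it is worth fixing before switching to the stock rule set, where most rules are keyed on $HOME_NET and $EXTERNAL_NET.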