Snort mailing list archives
Re: questions about snort behavior
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 15 Apr 2015 13:02:13 +0000
Hello,

1) When you ping localhost, that probably resolves to 127.0.0.1 and will hit your loopback, which probably isn't your monitoring interface.

2) Your HOME_NET is 192.168.187.130 with a /30 mask. 192.168.187.135 shouldn't even be reachable, since that destination is outside the HOME_NET's addressable network range.

3) Traffic is coming from/to the HOME_NET.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: May Smith [mailto:may24x () yahoo com]
Sent: Wednesday, April 15, 2015 7:46 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] questions about snort behavior

Hi all,

I'm pretty new to snort and have managed to deploy it along with barnyard2 and Snorby on a test VM (CentOS7 64Bit). Now it's time to configure the components so they'll work together. Starting with snort, I realized some strange behaviors, which I'm unsure are fault or feature ... ;)

My config regarding the network-to-monitor is:

    # Setup the network addresses you are protecting
    ipvar HOME_NET 192.168.187.130/30

    # Set up the external network addresses. Leave as "any" in most situations
    ipvar EXTERNAL_NET !$HOME_NET

I've another (virtual) machine listening on 192.168.178.135 and - for testing purposes - created the following rules:

    alert tcp any any -> any 22 (msg:"ssh access";sid:1000003;)
    alert icmp 192.168.187.130 any -> any any (msg:"pings detected";sid:1000002;)

(for testing) my command line to start snort is:

    snort -A console -i eno16777736 -u snort -g snort -c /etc/snort/snort.conf

1. When I ping 'localhost', the host is reachable but snort recognizes nothing.
2. When I ping 192.168.187.135, the host is reachable but snort recognizes nothing.
3. When I ping google.com, the host is reachable and snort shows:

    04/15-07:34:46.978754 [**] [1:1000002:0] pings detected [**] [Priority: 0] {ICMP} 192.168.187.130 -> 98.138.253.109

Why?

Almost the same behavior with ssh. localhost and 192.168.187.135 don't show anything. Logging in to another host ... first doesn't show anything ... but when the session is closed, I see:

    04/15-07:37:20.656375 [**] [1:1000003:0] ssh access [**] [Priority: 0] {TCP} 192.168.187.130:33760 -> xxx.xxx.xxx.xxx:22

I'd expected that snort would alert the moment someone triggers a ssh connection ... and not wait until the ssh session is closed!

I've enabled unified logging in /etc/snort/snort.conf, but all I see in /var/log/snort is:

    /var/log/snort > ls -la
    drwxr-xr-x   2 snort snort   34 15. Apr 07:28 .
    drwxr-xr-x. 23 root  root  4096 15. Apr 06:24 ..
    -rw-r--r--   1 snort snort    0 15. Apr 06:24 alert
    -rw-------   1 snort snort    0 15. Apr 07:37 snort.log

Why?

Config entries are:

    # unified2
    # Recommended for most installs
    output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

    # Additional configuration for specific types of installs
    output alert_unified2: filename snort.alert, limit 128, nostamp
    output log_unified2: filename snort.log, limit 128, nostamp

Can you help me out?

regards
May
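The following is an added worked example, not code from the thread or from the Snort project. It checks the two points that come up above with Python's standard ipaddress module: which addresses actually fall inside a HOME_NET declared as 192.168.187.130/30 (the /30 covers only the .128-.131 block), and which of the two rule headers from May's mail would match the flows she describes. The rule matcher is a deliberate simplification (header fields only, no preprocessors, flow state or rule options) and the "loopback packets are never seen on the monitored interface" check encodes Al's point 1; the test flows and the 203.0.113.5 ssh server address are constructed values.

```python
import ipaddress

# Values taken from the thread: HOME_NET as declared in snort.conf.
# strict=False lets ipaddress normalise the host address to its /30 block.
HOME_NET = ipaddress.ip_network("192.168.187.130/30", strict=False)


def home_net_block() -> str:
    """The network that the /30 declaration actually covers."""
    return str(HOME_NET)  # "192.168.187.128/30"


def home_net_hosts() -> list:
    """Usable host addresses inside the /30: exactly two."""
    return [str(h) for h in HOME_NET.hosts()]


def in_home_net(addr: str) -> bool:
    """True if addr (network, host or broadcast address) lies inside HOME_NET."""
    return ipaddress.ip_address(addr) in HOME_NET


# The two test rules from the mail, reduced to their header fields.
RULES = [
    {"sid": 1000003, "proto": "tcp", "src": "any", "sport": "any",
     "dst": "any", "dport": "22", "msg": "ssh access"},
    {"sid": 1000002, "proto": "icmp", "src": "192.168.187.130", "sport": "any",
     "dst": "any", "dport": "any", "msg": "pings detected"},
]


def _addr_matches(spec: str, addr: str) -> bool:
    """Resolve 'any', negation, $HOME_NET / $EXTERNAL_NET and literal CIDRs."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _addr_matches(spec[1:], addr)
    if spec == "$HOME_NET":
        return in_home_net(addr)
    if spec == "$EXTERNAL_NET":          # ipvar EXTERNAL_NET !$HOME_NET
        return not in_home_net(addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matching_sids(proto: str, src: str, sport: int, dst: str, dport: int) -> list:
    """SIDs whose header matches the 5-tuple (assumption: header-only matching)."""
    return [r["sid"] for r in RULES
            if r["proto"] == proto
            and _addr_matches(r["src"], src) and _port_matches(r["sport"], sport)
            and _addr_matches(r["dst"], dst) and _port_matches(r["dport"], dport)]


def would_alert(proto: str, src: str, sport: int, dst: str, dport: int) -> list:
    """Like matching_sids, but loopback traffic never reaches the sniffed
    interface (eno16777736), so it can produce no alert at all."""
    if ipaddress.ip_address(src).is_loopback or ipaddress.ip_address(dst).is_loopback:
        return []
    return matching_sids(proto, src, sport, dst, dport)


if __name__ == "__main__":
    print("HOME_NET block:", home_net_block(), "hosts:", home_net_hosts())
    for a in ("192.168.187.130", "192.168.187.131", "192.168.187.135"):
        print(a, "in HOME_NET:", in_home_net(a))
    # Constructed flows mirroring the three pings and the ssh login in the mail.
    print("ping localhost  :", would_alert("icmp", "127.0.0.1", 0, "127.0.0.1", 0))
    print("ping .135       :", would_alert("icmp", "192.168.187.130", 0, "192.168.187.135", 0))
    print("ping google.com :", would_alert("icmp", "192.168.187.130", 0, "98.138.253.109", 0))
    print("ssh to a server :", would_alert("tcp", "192.168.187.130", 33760, "203.0.113.5", 22))
```

Running it shows that 192.168.187.135 is outside the declared /30 even though the icmp rule's literal source address would still match a ping to it if the packet were seen; the rule itself does not reference HOME_NET, so the HOME_NET range only matters for rules (and preprocessor settings) that use the $HOME_NET or $EXTERNAL_NET variables.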