Re: questions about snort behavior

["Al Lewis (allewi)" <allewi () cisco com>]

Hello,

1) When you ping localhost that probably resolves to 127.0.0.1 and will hit your loopback. Which probably isn’t your 
monitoring interface.
2) Your HOME_NET is 192.168.187.30 with a /30 mask. 192.168.187.35 shouldn’t even be reachable since that destination 
is outside you’re the HOME_NET’s addressable network range.
3) Traffic is coming from/to the HOME_NET.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: May Smith [mailto:may24x () yahoo com]
Sent: Wednesday, April 15, 2015 7:46 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] questions about snort behavior

Hi all,

I'm pretty new to snort and have managed to deploy it along with barnyard2 and Snorby on a test VM (CentOS7 64Bit)
Now it's time to configure the components so they'll work together.

starting with snort, I realized some strange behaviors, which I'm unsure are fault or feature ... ;)

My config regarding the Networ-to-monitor is:
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.187.130/30

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

I've another (virtual) machine listening to 192.168.178.135 and - for testing purposes - created the following rules:
alert tcp any any -> any 22 (msg:"ssh access";sid:1000003;)
alert icmp 192.168.187.130 any -> any any (msg:"pings detected";sid:1000002;)

(for testing) my command line to start snort is: snort -A console -i eno16777736 -u snort -g snort -c 
/etc/snort/snort.conf

1. when I ping 'localhost', host is reachable but snort recognize nothing.
2. when I ping 192.168.187.135, host is reachable but snort recognize nothing.
3. when I ping google.com host is reachable and snort shows: 04/15-07:34:46.978754  [**] [1:1000002:0] pings detected 
[**] [Priority: 0] {ICMP} 192.168.187.130 -> 98.138.253.109

Why ?

Almost the same behavior with ssh. localhost and 192.168.187.135 doesn't show anything.
Loggin to another host ... fist doesn't show anything ... but when the session is closed, I see:
04/15-07:37:20.656375  [**] [1:1000003:0] ssh access [**] [Priority: 0] {TCP} 192.168.187.130:33760 -> 
xxx.xxx.xxx.xxx:22

I'd expected that snort would alert the moment someone triggers a ssh connection ... and not to wait until the ssh 
session is closed !

I've enabled unified logging in /etc/snort/snort.conf, but all I see in /var/log snort is:

/var/log/snort > ls -la

drwxr-xr-x   2 snort snort   34 15. Apr 07:28 .
drwxr-xr-x. 23 root  root  4096 15. Apr 06:24 ..
-rw-r--r--   1 snort snort     0 15. Apr 06:24 alert
-rw-------   1 snort snort    0 15. Apr 07:37 snort.log

Why ?

config entries are:
# unified2
# Recommended for most installs
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp

can you help me out ?

regards
May


------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!