Snort mailing list archives
Issue: Output on console not displayed on Snort computer
From: Benjamin Sanchez Murillo via Snort-users <snort-users () lists snort org>
Date: Sat, 1 Sep 2018 09:04:28 +0900
Hello,

I am trying to configure Snort on Ubuntu by following the Snort Setup Guide
Snort_2.9.9.x_on_Ubuntu_14-16.pdf by Noah Dietrich. I am stuck on section 12,
Writing a Simple Rule to Test Snort Detection, page 11. Please let me know if
you can help me solve my issue below. Thank you!

-----------------------------------------------

1) Issue:

Output on console not displayed on Snort computer (Ubuntu: 192.168.1.X) when I
ping it from another computer (Kali: 192.168.1.Y).

2) Steps to recreate:

@ubuntu:~$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33
(blinking cursor)

@kali:~# ping 192.168.1.X
64 bytes from 192.168.1.X: icmp_seq=1 ttl=64 time=1.06 ms
64 bytes from 192.168.1.X: icmp_seq=2 ttl=64 time=0.885 ms
64 bytes from 192.168.1.X: icmp_seq=3 ttl=64 time=0.391 ms
(...)
--- 192.168.1.X ping statistics ---
21 packets transmitted, 21 received, 0% packet loss, time 454ms
rtt min/avg/max/mdev = 0.251/0.624/1.565/0.259 ms

3) Results:

Ubuntu machine's cursor continues to blink; however, I don't see the expected
"ICMP test detected" message in the console.

4) Background:

Ubuntu and Kali installed on VMware, both configured as Bridged (Autodetect).
I can ping Kali from Ubuntu and Ubuntu from Kali, both with 0% packet loss.

@ubuntu:~$ uname -a
Linux ubuntu 4.15.0-33-generic #36~16.04.1-Ubuntu SMP Wed Aug 15 17:21:05 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

@ubuntu:~$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1 GRE (Build 268)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.38 2015-11-23
           Using ZLIB version: 1.2.8

@ubuntu:~$ ifconfig | grep "inet add"
          inet addr:192.168.1.X  Bcast:192.168.1.255  Mask:255.255.255.0
          inet addr:127.0.0.1  Mask:255.0.0.0

5) The snort.conf file

@ubuntu:~$ sudo vi /etc/snort/snort.conf
(...)
44 # Setup the network addresses you are protecting
45 ipvar HOME_NET 192.168.0.0/24
(...)
545 # site specific rules
546 include $RULE_PATH/local.rules
(...)

6) The local.rules file

@ubuntu:~$ sudo vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)

7) The sid-msg.map file

@ubuntu:~$ sudo vi /etc/snort/sid-msg.map
#v2
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url, tools.ietf.org/html/rfc792

8) Testing snort.conf to see if the rule has been loaded

@ubuntu:~$ sudo snort -T -i ens33 -c /etc/snort/snort.conf
(...)
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       0       0       1       0
|      nc       0       0       1       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------
Snort successfully validated the configuration!
Snort exiting
(...)

@ubuntu:/var/log/snort$ ls -a
.  ..  archived_logs
@ubuntu:/var/log/snort/archived_logs$ ls -a
.  ..
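The rule in the post only fires on ICMP whose destination address falls inside $HOME_NET, so the first thing worth checking in a case like this is whether the address being pinged is actually covered by the ipvar HOME_NET value in snort.conf. The Python below is an added example, not code from the post or from Snort: it parses ipvar lines and a rule header in the form quoted above (HOME_NET 192.168.0.0/24 as posted, and a constructed host address 192.168.1.10 standing in for 192.168.1.X) and reports whether the destination is covered. Its handling of bracketed lists and `!` negation is a simplification of Snort's own address-variable semantics.

```python
import ipaddress
import re

# Constructed sample input: the snort.conf lines and the local.rules line
# quoted in the post (EXTERNAL_NET added so the variable lookup is exercised).
SNORT_CONF = """\
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.0.0/24
ipvar EXTERNAL_NET any
"""
LOCAL_RULES = ('alert icmp any any -> $HOME_NET any '
               '(msg:"ICMP test detected"; sid:10000001; rev:1;)')

def parse_ipvars(conf_text):
    """Collect `ipvar NAME VALUE` definitions into a dict, ignoring comments."""
    ipvars = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*ipvar\s+(\S+)\s+(.+)", line.split("#", 1)[0])
        if m:
            ipvars[m.group(1)] = m.group(2).replace(" ", "")
    return ipvars

def addr_matches(spec, ipvars, ip):
    """True if `ip` is covered by a Snort address spec: 'any', a CIDR or host,
    '$VAR', '!spec', or a flat list '[a,b,!c]'. Simplified semantics: a list
    matches when some positive entry contains the address (or there are no
    positive entries) and no negated entry contains it. Nested lists are not
    handled."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("$"):
        return addr_matches(ipvars[spec[1:]], ipvars, ip)
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ipvars, ip)
    if spec.startswith("["):
        entries = [e.strip() for e in spec[1:-1].split(",") if e.strip()]
        positive = [e for e in entries if not e.startswith("!")]
        negated = [e[1:] for e in entries if e.startswith("!")]
        hit = not positive or any(addr_matches(e, ipvars, ip) for e in positive)
        return hit and not any(addr_matches(e, ipvars, ip) for e in negated)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_dst_covers(rule, ipvars, dst_ip):
    """True if the rule header's destination field (either side for '<>')
    covers dst_ip. Header layout: action proto src sport dir dst dport."""
    proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()[1:7]
    if direction == "<>":
        return addr_matches(src, ipvars, dst_ip) or addr_matches(dst, ipvars, dst_ip)
    return addr_matches(dst, ipvars, dst_ip)

if __name__ == "__main__":
    ipv = parse_ipvars(SNORT_CONF)
    for host in ("192.168.1.10", "192.168.0.10"):  # constructed stand-ins
        print(host, "covered by rule:", rule_dst_covers(LOCAL_RULES, ipv, host))
```

Run stand-alone it reports that 192.168.1.10 is not covered while 192.168.0.10 is, which is the check to make before looking at the alert path itself.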