Snort mailing list archives

Re: [Snort-users] Snort not detecting attack on mirroring port


From: "Al Lewis (allewi) via Snort-users" <snort-users () lists snort org>
Date: Sat, 15 Jun 2019 14:52:14 +0000

Hello,

Are you able to capture the traffic (using tcpdump) in the scenario that doesn’t alert?

If so, as a quick test, are you able to replay that captured traffic directly into snort (using -r)? Do you get alerts then?

Are you able to share the pcaps of the working vs non working sessions?


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com
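The capture-and-replay check suggested above, written out as an added example script (not code from the thread or from the Snort project). It assumes the mirror-port NIC is IFACE, the config under test is SNORT_CONF, and that the sid to look for is 14782 (the rule that fired in the routed setup); tcpdump and snort must be on PATH for the capture and replay steps, while the alert-counting step runs offline on a constructed sample.

```shell
#!/bin/sh
# Added example: validate a Snort sensor on a switch mirror port by recording
# the mirrored traffic with tcpdump, replaying it into snort with -r, and
# counting fast-format alerts for one sid. IFACE, SNORT_CONF and LOGDIR are
# assumed names and defaults, not values from the original thread.
IFACE="${IFACE:-eth1}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOGDIR="${LOGDIR:-/tmp/snort-replay}"

# Step 1: record what really arrives on the mirror port. tcpdump opens the
# NIC in promiscuous mode; -s 0 keeps whole packets so payload rules can match.
capture_mirror() {            # $1 = output pcap, $2 = number of packets to save
    tcpdump -i "$IFACE" -s 0 -c "$2" -w "$1"
}

# Step 2: feed exactly those packets to snort offline. If this replay alerts
# but the live sensor on the same NIC did not, the rules and config are fine
# and the difference lies in how the live interface is being read.
replay_into_snort() {         # $1 = pcap to replay
    mkdir -p "$LOGDIR"
    snort -q -c "$SNORT_CONF" -r "$1" -A fast -l "$LOGDIR"
}

# Step 3: count fast-alert lines for a sid. Fast format carries the rule id
# as "[gid:sid:rev]", so sid 14782 appears as "[1:14782:".
count_sid_alerts() {          # $1 = alert file, $2 = sid
    grep -c "\[1:$2:" "$1" 2>/dev/null || true
}

# Constructed sample of snort's fast alert format (addresses, timestamps, rev
# numbers and rule messages are made up) so step 3 can be exercised offline.
sample_alert_log() {          # $1 = file to write
    cat > "$1" <<'EOF'
06/15-14:52:14.000001  [**] [1:14782:1] constructed OS-WINDOWS message [**] [Priority: 1] {TCP} 192.0.2.10:4444 -> 192.0.2.20:445
06/15-14:52:14.000002  [**] [1:2123:1] constructed other message [**] [Priority: 2] {TCP} 192.0.2.10:4445 -> 192.0.2.20:445
06/15-14:52:15.000003  [**] [1:14782:1] constructed OS-WINDOWS message [**] [Priority: 1] {TCP} 192.0.2.10:4446 -> 192.0.2.20:445
EOF
}

# Usage:  IFACE=eth1 sh check_mirror.sh capture mirror.pcap 5000
#         sh check_mirror.sh replay mirror.pcap
case "${1:-}" in
    capture) capture_mirror "$2" "${3:-5000}" ;;
    replay)  replay_into_snort "$2"
             echo "sid 14782 alerts in replay: $(count_sid_alerts "$LOGDIR/alert" 14782)" ;;
esac
```

Run the capture while the exploit test traffic crosses the mirror port, then replay the pcap; comparing that count with the alerts from the live sensor separates a rule or config problem from an interface or capture problem.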



From: Snort-users <snort-users-bounces () lists snort org> on behalf of Сергей Беляев via Snort-users <snort-users () lists snort org>
Reply-To: Сергей Беляев <bamkrgd () mail ru>
Date: Saturday, June 15, 2019 at 9:26 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort not detecting attack on mirroring port

Hello.
  Excuse me for my bad English.
  I installed snort 2.9.11 on Ubuntu 12.04 from sources and connected it to an HP ProCurve 2510G mirror port.
  My mirroring scheme is in the file mirror.pdf and the snort host configuration in the file snort_host_conf.png.
  I tried to attack my test Windows XP machine from Kali with the script ms_08_067_netapi.rb, which exploits the CVE-2008-4250 vulnerability, and snort did not detect it.
  Then I tried the same attack from Kali to Windows XP via Linux in routing mode (scheme snort_on_router.pdf), and in this scheme snort detected the attacks successfully by triggering rule sid 14782 in the file os-windows.rules.
  My snort config is in snort.tar.gz.
  Maybe it is a bug that snort does not detect the attack in mirrored traffic?
  Installing snort 2.9.13 on Ubuntu 16.04 gives the same result.


Sergey