[Snort-users] Snort but no alert
Hello everyone,
I'm still here with my problem. I have a Snort Debian box that listens on an interface (eth1, without an IP address) on the external net, while it is connected on eth0 to the internal net, the interface that I use to read the data that Snort puts in the database. The problem is that I don't receive rule alerts, except for ICMP destination unreachable, only preprocessor alerts, even when I try to scan the box with Nessus or NMap. I hope that someone can help me. (PS: I've attached my conf file; all the rules are selected.)

Thanks,
Matteo

SNORT.CONF

var HOME_NET 10.1.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile apache ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: talker-sliding-scale-factor 0.50 talker-fixed-threshold 30 talker-sliding-threshold 30 talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker 30000 server-watchnet $HOME_NET server-ignore-limit 200 server-rows 65535 server-learning-time 14400 server-scanner-limit 4 scanner-sliding-window 20 scanner-sliding-scale-factor 0.50 scanner-fixed-threshold 15 scanner-sliding-threshold 40 scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net $HOME_NET dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg tcp-penalties on

output database: alert, postgresql, user=postgres dbname=snort host=localhost

include classification.config
include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
....

ALERT

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212
ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
151.11.129.212:135 -> 172.133.197.74:2249
TCP TTL:254 TOS:0x40 ID:0 IpLen:20 DgmLen:40 DF
Seq: 0x0 Ack: 0x0
** END OF DUMP

[**] [121:4:1] Portscan detected from 200.191.164.142 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:49:09.988413

[**] [121:4:1] Portscan detected from 192.168.150.2 Talker(fixed: 2 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:50:39.821253

[**] [121:4:1] Portscan detected from 66.185.41.191 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:52:53.437042

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46
Len: 18

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:40.994216 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22742 IpLen:20 DgmLen:46
Len: 18

[**] [121:4:1] Portscan detected from 210.95.44.31 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:07:01.105576

[**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:41603 IpLen:20 DgmLen:56
Type:3 Code:9 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.2:60369
UDP TTL:61 TOS:0x0 ID:43291 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:42.725148 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:46666 IpLen:20 DgmLen:56
Type:3 Code:9 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.14:46007
UDP TTL:61 TOS:0x0 ID:43292 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [121:4:1] Portscan detected from 69.44.61.30 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:23:58.282652

[**] [121:4:1] Portscan detected from 151.11.129.54 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:28:50.508095
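An added example, not part of the post and not Snort project code, for the first thing worth checking with this symptom. The two signature rules that did fire (sid 485 and 487, the ICMP destination-unreachable rules) use `any any -> any any` in the stock Snort 2.x rule set, while most rules in bad-traffic.rules and exploit.rules are anchored on `$HOME_NET`; with HOME_NET set to 10.1.0.0/24, such rules can only match packets that actually involve 10.1.0.0/24. The script below parses the `var` lines, pulls the address pairs out of alert headers (the sample here is transcribed from the post, with the mail encoding removed), reports whether any alert touched HOME_NET, and lists the /24 blocks actually seen on the wire. The alternative HOME_NET value is an assumption chosen from the addresses in those headers, for illustration only; the poster's real external range is not in the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed input, transcribed from the post (mail encoding removed):
# the two address variables from snort.conf and five of the alert headers.
SNORT_CONF = """\
var HOME_NET 10.1.0.0/24
var EXTERNAL_NET any
"""

ALERT_LOG = """\
05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212 ICMP TTL:247 TOS:0x20
05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337 UDP TTL:61
05/12-15:53:40.994216 192.168.150.2:53239 -> 213.178.220.130:31337 UDP TTL:61
05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1 ICMP TTL:62 TOS:0x0
05/12-16:07:42.725148 147.123.1.42 -> 213.178.220.1 ICMP TTL:62 TOS:0x0
"""

# Assumed replacement value: the blocks the alert headers actually show, not a
# value from the post (only the poster knows the real external range).
CANDIDATE_CONF = """\
var HOME_NET [213.178.220.0/24,151.11.129.0/24]
var EXTERNAL_NET any
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PAIR_RE = re.compile(IPV4 + r"(?::\d+)? -> " + IPV4 + r"(?::\d+)?")
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)", re.MULTILINE)


def parse_vars(conf):
    """Collect 'var NAME VALUE' lines. VALUE is 'any', one CIDR, or a [a,b,...] list."""
    out = {}
    for name, value in VAR_RE.findall(conf):
        if value == "any":
            out[name] = "any"
        else:
            nets = [n.strip() for n in value.strip("[]").split(",") if n.strip()]
            out[name] = [ipaddress.ip_network(n, strict=False) for n in nets]
    return out


def addr_in(addr, spec):
    """True if addr falls inside a parsed var value ('any' matches everything)."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in spec)


def parse_pairs(log):
    """Extract (src, dst) address pairs from alert header lines; ports are dropped."""
    return PAIR_RE.findall(log)


def classify(pairs, home):
    """Count alerts whose source or destination lies inside HOME_NET."""
    counts = Counter()
    for src, dst in pairs:
        key = "touches_home" if addr_in(src, home) or addr_in(dst, home) else "outside_home"
        counts[key] += 1
    return dict(counts)


def rule_matches(pair, variables, src_var="EXTERNAL_NET", dst_var="HOME_NET"):
    """Would a rule header '<src_var> any -> <dst_var> any' match this pair?
    Only the address test is modelled; ports, protocol and payload are ignored."""
    src, dst = pair
    return addr_in(src, variables[src_var]) and addr_in(dst, variables[dst_var])


def observed_networks(pairs, prefix=24):
    """Which /prefix blocks appear in the headers, so HOME_NET can be compared."""
    counts = Counter()
    for src, dst in pairs:
        for addr in (src, dst):
            counts[str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))] += 1
    return counts


if __name__ == "__main__":
    pairs = parse_pairs(ALERT_LOG)
    for conf in (SNORT_CONF, CANDIDATE_CONF):
        v = parse_vars(conf)
        print(conf.splitlines()[0])
        print("  ", classify(pairs, v["HOME_NET"]))
        print("   $EXTERNAL_NET -> $HOME_NET matches:",
              sum(rule_matches(p, v) for p in pairs), "of", len(pairs))
    print("networks seen:", observed_networks(pairs).most_common())
```

Run against the posted values, every alert header lands in `outside_home` and no `$EXTERNAL_NET -> $HOME_NET` rule can match; with the candidate value all five headers touch HOME_NET. The same check applies to the Nessus and NMap scans: a scan of the box only hits `$HOME_NET` rules if the box's own external address is inside HOME_NET.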