RE: [Snort-users] Snort but no alert (Snort forums, System Security and Security Related category)
Is the rules path correct? /etc/snort/rules/xxxxx.rules. It seems the only rules being processed are the ones statically assigned in the .conf file. I would clean up/rework the conf file a bit.

In your snort startup script, are you listening on the correct interface? Try doing this:

    /path/to/snort -i eth1   (then your other switches, like path to config file and such)

What is the output?

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of nyarlathothep@libero.it
Sent: Wednesday, May 12, 2004 11:02 AM
To: snort-users
Subject: [Snort-users] Snort but no alert

Hello everyone,

I'm still here with my problem. I've a snort debian box that listens on an interface (eth1, without IP address) on the external net while it is connected on eth0 to the internal net, the interface that I use to read the data that Snort puts in the database. The problem is that I don't receive rule alerts, except for ICMP destination unreachable, but only preprocessor alerts, even when I try to scan the box with Nessus or NMap.
I hope that someone could help me (ps: I've attached my conf file, all the rules are selected).

Thanks,
Matteo

SNORT.CONF

    var HOME_NET 10.1.0.0/24
    var EXTERNAL_NET any
    var DNS_SERVERS $HOME_NET
    var SMTP_SERVERS $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    var TELNET_SERVERS $HOME_NET
    var SNMP_SERVERS $HOME_NET
    var HTTP_PORTS 80
    var SHELLCODE_PORTS !80
    var ORACLE_PORTS 1521
    var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
    var RULE_PATH /etc/snort/rules

    preprocessor flow: stats_interval 0 hash 2
    preprocessor frag2
    preprocessor stream4: disable_evasion_alerts detect_scans
    preprocessor stream4_reassemble
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252
    preprocessor http_inspect_server: server default profile apache ports { 80 8080 8180 } oversize_dir_length 500
    preprocessor rpc_decode: 111 32771
    preprocessor bo
    preprocessor telnet_decode
    preprocessor flow-portscan: talker-sliding-scale-factor 0.50 talker-fixed-threshold 30 talker-sliding-threshold 30 talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker 30000 server-watchnet $HOME_NET server-ignore-limit 200 server-rows 65535 server-learning-time 14400 server-scanner-limit 4 scanner-sliding-window 20 scanner-sliding-scale-factor 0.50 scanner-fixed-threshold 15 scanner-sliding-threshold 40 scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net $HOME_NET dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg tcp-penalties on

    output database: alert, postgresql, user=postgres dbname=snort host=localhost

    include classification.config
    include reference.config

    include $RULE_PATH/local.rules
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules
    ....
ALERT

    [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
    [Classification: Misc activity] [Priority: 3]
    05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212
    ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56
    Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
    ** ORIGINAL DATAGRAM DUMP:
    151.11.129.212:135 -> 172.133.197.74:2249
    TCP TTL:254 TOS:0x40 ID:0 IpLen:20 DgmLen:40 DF
    Seq: 0x0  Ack: 0x0
    ** END OF DUMP

    [**] [121:4:1] Portscan detected from 200.191.164.142 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
    05/12-15:49:09.988413

    [**] [121:4:1] Portscan detected from 192.168.150.2 Talker(fixed: 2 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
    05/12-15:50:39.821253

    [**] [121:4:1] Portscan detected from 66.185.41.191 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
    05/12-15:52:53.437042

    [**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
    05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337
    UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46
    Len: 18

    [**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
    05/12-15:53:40.994216 192.168.150.2:53239 -> 213.178.220.130:31337
    UDP TTL:61 TOS:0x0 ID:22742 IpLen:20 DgmLen:46
    Len: 18

    [**] [121:4:1] Portscan detected from 210.95.44.31 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
    05/12-16:07:01.105576

    [**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
    [Classification: Misc activity] [Priority: 3]
    05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1
    ICMP TTL:62 TOS:0x0 ID:41603 IpLen:20 DgmLen:56
    Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
    ** ORIGINAL DATAGRAM DUMP:
    213.178.220.1:53 -> 69.50.179.2:60369
    UDP TTL:61 TOS:0x0 ID:43291 IpLen:20 DgmLen:199
    Len: 171
    ** END OF DUMP

    [**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
    [Classification: Misc activity] [Priority: 3]
    05/12-16:07:42.725148 147.123.1.42 -> 213.178.220.1
    ICMP TTL:62 TOS:0x0 ID:46666 IpLen:20 DgmLen:56
    Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
    ** ORIGINAL DATAGRAM DUMP:
    213.178.220.1:53 -> 69.50.179.14:46007
    UDP TTL:61 TOS:0x0 ID:43292 IpLen:20 DgmLen:199
    Len: 171
    ** END OF DUMP

    [**] [121:4:1] Portscan detected from 69.44.61.30 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
    05/12-16:23:58.282652

    [**] [121:4:1] Portscan detected from 151.11.129.54 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
    05/12-16:28:50.508095

-------------------------------------------------------
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
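A script for the first check the reply suggests (is the rules path correct, and which rule files actually get loaded), added here as an example and not part of the original thread. It assumes Snort 2.x conf syntax as in the posted snort.conf, and builds its own constructed demo conf in a temp directory rather than reading the poster's real files.

```shell
#!/bin/sh
# Added example, not from the thread: expand the `var` definitions in a Snort 2.x
# snort.conf and verify every `include` resolves to a readable rules file.

# Print each include path with $VAR references expanded from the conf's own `var` lines.
resolve_includes() {
    awk '
        /^[ \t]*var[ \t]+/ { vars[$2] = $3; next }
        /^[ \t]*include[ \t]+/ {
            path = $2
            while (match(path, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                name = substr(path, RSTART + 1, RLENGTH - 1)
                path = substr(path, 1, RSTART - 1) vars[name] substr(path, RSTART + RLENGTH)
            }
            print path
        }' "$1"
}

# Report each include as MISSING or OK with its count of alert/log/pass rule lines.
# Returns non-zero when any include is missing: the "is the rules path correct?" failure.
check_includes() {
    conf="$1"; confdir=$(dirname "$conf"); missing=0; rules=0
    for f in $(resolve_includes "$conf"); do
        case "$f" in /*) ;; *) f="$confdir/$f" ;; esac   # relative to the conf's directory
        if [ ! -r "$f" ]; then
            echo "MISSING  $f"; missing=$((missing + 1))
        else
            n=$(grep -cE '^[[:space:]]*(alert|log|pass)[[:space:]]' "$f" || true)
            echo "OK       $n rules  $f"; rules=$((rules + n))
        fi
    done
    echo "total rule lines loaded: $rules, missing includes: $missing"
    [ "$missing" -eq 0 ]
}

# Constructed demo (not the poster's files): same layout as the posted conf, with
# exploit.rules deliberately absent to show what a bad rules path looks like.
DEMO=$(mktemp -d); mkdir "$DEMO/rules"; : > "$DEMO/classification.config"
printf 'alert tcp any any -> any 80 (msg:"demo 1"; sid:1000001;)\nalert tcp any any -> any 22 (msg:"demo 2"; sid:1000002;)\n' > "$DEMO/rules/local.rules"
printf '# comment\nalert ip any any -> any any (msg:"demo 3"; sid:1000003;)\n' > "$DEMO/rules/bad-traffic.rules"
cat > "$DEMO/snort.conf" <<EOF
var HOME_NET 10.1.0.0/24
var RULE_PATH $DEMO/rules
include classification.config
include \$RULE_PATH/local.rules
include \$RULE_PATH/bad-traffic.rules
include \$RULE_PATH/exploit.rules
EOF
DEMO_CONF="$DEMO/snort.conf"
check_includes "$DEMO_CONF" || echo "fix the rules path before expecting rule alerts"
```

On the real box run check_includes against /etc/snort/snort.conf; a zero total, or a MISSING line for every $RULE_PATH include, matches the symptom of preprocessor alerts only. Since nearly every signature in those files matches on $HOME_NET, also compare its value in the posted conf with the addresses that appear in the posted alerts.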