This is a discussion on [Snort-users] Cant see alert for rule within the Snort forums, part of the System Security and Security Related category.
1) Snort 2.0.6 on linux

2) Three pcs:
   1: w2kPC victim
   2: linux attacker
   3: linux snort box

3) I run: Snort -d -e -v -c /etc/snort/snort.conf (no errors)

4) Rule in ftp.rules is:
Alert tcp any any -> any 21 (content: "USER administrator"; msg: "FTP administrator login attempt";)

5) When I run: ftp <IPVictim> from linux attacker, I don't get any rules fired on my snort box.

6) I have a Gigabit Linksys 5-port workgroup switch between them all

Why am I not able to see the alert?

Thanks!

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users