This is a discussion on RE: [Snort-users] Cant see alert for rule within the Snort forums, part of the System Security and Security Related category.
I believe it is the switch that is the problem. Do you have a hub you can test with? I do not think those have the option to set a SPAN or monitor port.

_____

From: Tom Fulton [mailto:tfulton9909@comcast.net]
Sent: Wednesday, June 02, 2004 1:37 PM
To: Snort-users@lists.sourceforge.net
Subject: [Snort-users] Cant see alert for rule

1) Snort 2.0.6 on linux

2) Three pcs:

       1                 2                  3
       w2kPC victim      linux attacker     linux snort box

3) I run:

       snort -d -e -v -c /etc/snort/snort.conf   (no errors)

4) Rule in ftp.rules is:

       alert tcp any any -> any 21 (content:"USER administrator"; msg:"FTP administrator login attempt";)

5) When I run: ftp <IPVictim> from linux attacker, I don't get any rules fired on my snort box.

6) I have a Gigabit Linksys 5-port workgroup switch between them all.

Why am I not able to see the alert?

Thanks!
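The reply's diagnosis (the switch only forwards frames to the port that owns the destination MAC, so a sensor on an ordinary switched port never receives attacker-to-victim traffic) can be checked before touching any rule. The following is an added example, not code from the thread and not part of Snort; it builds a few constructed Ethernet/IPv4/TCP frames for the three hosts in the post (the MAC and IP addresses are assumed values), classifies what the sensor NIC received into its own traffic, broadcasts, and third-party frames, and emulates the posted port-21 `content` rule over those frames. The rule emulation is a simplification of Snort's matcher, kept only to the point relevant here: `content` is matched case-sensitively unless the rule carries `nocase`.

```python
import socket
import struct

# Constructed addresses for the three hosts in the post (assumed values, not real).
SENSOR_MAC   = bytes.fromhex("02000000c003")   # linux snort box NIC
VICTIM_MAC   = bytes.fromhex("02000000a001")   # w2k victim
ATTACKER_MAC = bytes.fromhex("02000000b002")   # linux attacker
BROADCAST    = b"\xff" * 6
SENSOR_IP, VICTIM_IP, ATTACKER_IP = "10.0.0.3", "10.0.0.1", "10.0.0.2"


def ipv4_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left at zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + tcp


def arp_broadcast(src_mac):
    """ARP request: the one kind of traffic every port on a switch receives."""
    return BROADCAST + src_mac + struct.pack("!H", 0x0806) + b"\x00" * 28


def classify(frame, sensor_mac):
    """'own' = to/from the sensor, 'broadcast' = I/G bit set, 'third-party' = between other hosts."""
    dst, src = frame[:6], frame[6:12]
    if sensor_mac in (dst, src):
        return "own"
    if dst[0] & 1:
        return "broadcast"
    return "third-party"


def parse_tcp(frame):
    """Return (sport, dport, payload) for an IPv4/TCP frame, or None for anything else."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return sport, dport, tcp[data_off:]


def visibility_report(frames, sensor_mac):
    """Count what the sensor NIC actually received. Zero 'third-party' frames means the
    sensor sits on an ordinary switched port, so no SPAN/mirror port or hub is in play."""
    report = {"own": 0, "broadcast": 0, "third-party": 0}
    for f in frames:
        report[classify(f, sensor_mac)] += 1
    return report


def rule_would_fire(frames, content=b"USER administrator", nocase=False):
    """Emulate the post's rule, 'alert tcp any any -> any 21 (content:"USER administrator"; ...)',
    over the received frames. Like Snort, the match is case-sensitive unless 'nocase' is set."""
    hits = 0
    for f in frames:
        parsed = parse_tcp(f)
        if parsed is None or parsed[1] != 21:
            continue
        payload = parsed[2]
        if nocase:
            hits += content.lower() in payload.lower()
        else:
            hits += content in payload
    return hits


# Constructed capture: a sensor on a plain switched port sees only broadcasts and its own
# unicast (here an SSH session to the sensor), never the attacker -> victim FTP login.
SWITCHED_PORT = [
    arp_broadcast(ATTACKER_MAC),
    ipv4_tcp_frame(SENSOR_MAC, ATTACKER_MAC, ATTACKER_IP, SENSOR_IP, 40000, 22),
    ipv4_tcp_frame(ATTACKER_MAC, SENSOR_MAC, SENSOR_IP, ATTACKER_IP, 22, 40000),
]

# Same moment with the sensor on a SPAN/mirror port or a hub: the FTP login now reaches it.
SPAN_PORT = SWITCHED_PORT + [
    ipv4_tcp_frame(VICTIM_MAC, ATTACKER_MAC, ATTACKER_IP, VICTIM_IP, 40001, 21,
                   b"USER administrator\r\n"),
    ipv4_tcp_frame(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, ATTACKER_IP, 21, 40001,
                   b"331 Password required for administrator.\r\n"),
]

# Same span, but the client typed the name with a capital A.
SPAN_PORT_MIXED_CASE = SWITCHED_PORT + [
    ipv4_tcp_frame(VICTIM_MAC, ATTACKER_MAC, ATTACKER_IP, VICTIM_IP, 40002, 21,
                   b"USER Administrator\r\n"),
]

if __name__ == "__main__":
    for name, frames in (("switched port", SWITCHED_PORT), ("SPAN port", SPAN_PORT)):
        print(name, visibility_report(frames, SENSOR_MAC), "rule hits:", rule_would_fire(frames))
```

On a live sensor the same split can be read off a sniffer on the Snort interface: if everything it shows is either addressed to the sensor or broadcast, the rule never had a chance to see the FTP session, and the switch (or the lack of a SPAN/monitor port on it) is the place to look, exactly as the reply suggests. The mixed-case capture shows the second thing to verify once traffic is visible: the rule matches the literal bytes `USER administrator`, so a client sending `USER Administrator` only fires it if the rule carries `nocase`.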