[Snort-devel] TCP warnings broken in CVS?

A.L.Lambert alambert at ...572...
Thu Jul 26 18:09:36 EDT 2001


	Note: This message is based on about 15-20 min of testing, and may
contain a DOH! or two on my part. :)

	Updated my CVS snort about 30 min ago, and in testing, I get UDP
alerts, but for the life of me, I can't set off any TCP alerts.

Example:

Some rules I used for testing on my $TARGET box:

alert tcp !$HOME_NET any -> $HOME_NET 10000 (msg: "Test TCP port 10000
Scan detected"; classtype: attempted-recon;)

alert udp !$HOME_NET any -> $HOME_NET 10000 (msg: "Test UDP port 10000
Scan detected"; classtype: attempted-recon;)


# nmap -sU $TARGET -p 10000

	Generates expected alert on $TARGET

# nmap -sS $TARGET -p 10000

	Generates nothing on $TARGET.


	Experimentation with various other things, indicates that TCP
alerts are not being sent.  I have not done enough
experimentation/research to verify this 100%, but this seems to be the
case.


Snort cmdline: 

snort -qoz est -k none -c /path/to/snort.conf

# hrmmm, does the -z est possibly have something to do with this?

Snort.conf (- var BLAH val's, include's, and output options, with slight
	sanitization):

# Configuration options
config logdir: /path/to/logdir
config set_uid: SOMEUSER
config set_gid: SOMEGROUP
config ghetto_msg: basic
config quiet
config dump_payload
config interface: eth0


# plugins
preprocessor unidecode: 80
preprocessor frag2
preprocessor rpc_decode: 111 32771 
preprocessor telnet_decode
preprocessor spade: 10.5 /path/to/logdir/spade.rcv \
	/path/to/logdir/spade-log.txt 3 50000
preprocessor spade-homenet: $HOME_NET
preprocessor spade-adapt2: 0.01 15 4 24 7
preprocessor spade-threshlearn: 200 24
preprocessor spade-survey:  /path/to/logdir/spade-survey.txt 60
preprocessor spade-stats: entropy uncondprob condprob
preprocessor stream4: memcap 67108864
preprocessor stream4_reassemble: ports all

	There are 0 "pass" rules on the sensor in question (as verified by
grep ^pass /path/to/rules/*), nor any BPF filters in place.

	Anyone else seeing this problem?  Thoughts?  Suggestions?  Am I
doing something wrong?

-- 
Adam Lambert







More information about the Snort-devel mailing list