[Snort-devel] TCP warnings broken in CVS?

Martin Roesch roesch at ...402...
Thu Jul 26 18:52:05 EDT 2001


That's the stateful inspection code doing its job.  If you want that TCP
rule to go off, add a "stateless" keyword in the rule option section and
it'll go off normally.  With stateful inspection turned on and the "-z
est" switch, Snort won't go off on a rule unless the connection has been
established first.  Try this rule, it should work:

alert tcp !$HOME_NET any -> $HOME_NET 10000 (msg: "Test TCP port 10000 Scan detected"; classtype: attempted-recon; stateless;)

    -Marty

"A.L.Lambert" wrote:
> 
>         Note: This message is based on about 15-20 min of testing, and may
> contain a DOH! or two on my part. :)
> 
>         Updated my CVS snort about 30 min ago, and in testing, I get UDP
> alerts, but for the life of me, I can't set off any TCP alerts.
> 
> Example:
> 
> Some rules I used for testing on my $TARGET box:
> 
> alert tcp !$HOME_NET any -> $HOME_NET 10000 (msg: "Test TCP port 10000 Scan detected"; classtype: attempted-recon;)
> 
> alert udp !$HOME_NET any -> $HOME_NET 10000 (msg: "Test UDP port 10000 Scan detected"; classtype: attempted-recon;)
> 
> # nmap -sU $TARGET -p 10000
> 
>         Generates expected alert on $TARGET
> 
> # nmap -sS $TARGET -p 10000
> 
>         Generates nothing on $TARGET.
> 
>         Experimentation with various other things, indicates that TCP
> alerts are not being sent.  I have not done enough
> experimentation/research to verify this 100%, but this seems to be the
> case.
> 
> Snort cmdline:
> 
> snort -qoz est -k none -c /path/to/snort.conf
> 
> # hrmmm, does the -z est possibly have something to do with this?
> 
> Snort.conf (- var BLAH val's, include's, and output options, with slight
>         sanitization):
> 
> # Configuration options
> config logdir: /path/to/logdir
> config set_uid: SOMEUSER
> config set_gid: SOMEGROUP
> config ghetto_msg: basic
> config quiet
> config dump_payload
> config interface: eth0
> 
> # plugins
> preprocessor unidecode: 80
> preprocessor frag2
> preprocessor rpc_decode: 111 32771
> preprocessor telnet_decode
> preprocessor spade: 10.5 /path/to/logdir/spade.rcv \
>         /path/to/logdir/spade-log.txt 3 50000
> preprocessor spade-homenet: $HOME_NET
> preprocessor spade-adapt2: 0.01 15 4 24 7
> preprocessor spade-threshlearn: 200 24
> preprocessor spade-survey:  /path/to/logdir/spade-survey.txt 60
> preprocessor spade-stats: entropy uncondprob condprob
> preprocessor stream4: memcap 67108864
> preprocessor stream4_reassemble: ports all
> 
>         There are 0 "pass" rules on the sensor in question (as verified by
> grep ^pass /path/to/rules/*), nor any BPF filters in place.
> 
>         Anyone else seeing this problem?  Thoughts?  Suggestions?  Am I
> doing something wrong?
> 
> --
> Adam Lambert
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
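The behaviour Marty describes, as an added illustration that is not Snort code and not part of the original thread: a toy model in which a stream4-like tracker follows the three-way handshake, and a TCP rule is only evaluated against packets of an established session unless the rule carries the `stateless` option. The rule parser, the `Stream4` class, the `HOME_NET` value and the sample packets (`192.0.2.10` scanning `10.0.0.5`) are all constructed for this example; the rule strings are the ones posted above.

```python
"""Toy model of Snort's "-z est" behaviour (added example, not Snort's code).

With session tracking on and "-z est" set, a TCP rule fires only once the
three-way handshake has completed, unless the rule carries "stateless".
UDP has no session state, so UDP rules always fire.  A SYN scan (SYN,
SYN/ACK, RST) never reaches the established state, which is why the
plain TCP rule stays silent against it.
"""
import re
from dataclasses import dataclass

# Constructed sample value standing in for $HOME_NET.
HOME_NET = {"10.0.0.5"}

RULE_RE = re.compile(
    r'^alert\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\d+)\s*\((.*)\)\s*$')


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # TCP flags: "S", "SA", "A", "R"; empty for UDP


@dataclass
class Rule:
    proto: str
    src_negated: bool    # True for "!$HOME_NET" as the source
    dport: int
    msg: str
    stateless: bool


def parse_rule(text):
    """Parse the subset of rule syntax used in the thread (hypothetical parser)."""
    m = RULE_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unsupported rule: %r" % text)
    proto, src, _sport, _dst, dport, body = m.groups()
    opts, bare = {}, set()
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        if ":" in opt:
            k, v = opt.split(":", 1)
            opts[k.strip()] = v.strip().strip('"')
        else:
            bare.add(opt)                       # keyword options such as "stateless"
    return Rule(proto, src.startswith("!"), int(dport),
                opts.get("msg", ""), "stateless" in bare)


class Stream4:
    """Minimal handshake tracker standing in for stream4's session state."""

    def __init__(self):
        self.state = {}                         # flow key -> handshake state

    @staticmethod
    def key(p):
        # Direction-independent flow key so SYN/ACK matches the SYN's flow.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def observe(self, p):
        if p.proto != "tcp":
            return
        k, cur = self.key(p), self.state.get(self.key(p))
        if p.flags == "S" and cur is None:
            self.state[k] = "syn_sent"
        elif p.flags == "SA" and cur == "syn_sent":
            self.state[k] = "syn_recv"
        elif p.flags == "A" and cur == "syn_recv":
            self.state[k] = "established"
        elif "R" in p.flags:
            self.state.pop(k, None)             # RST tears the flow down

    def established(self, p):
        return self.state.get(self.key(p)) == "established"


def run(rules, packets, z_est=True):
    """Return the msg of every rule that fires; z_est models the '-z est' switch."""
    tracker, fired = Stream4(), []
    for p in packets:
        tracker.observe(p)
        for r in rules:
            if r.proto != p.proto or r.dport != p.dport:
                continue
            if (r.src_negated and p.src in HOME_NET) or p.dst not in HOME_NET:
                continue                        # wrong direction for !$HOME_NET -> $HOME_NET
            if z_est and p.proto == "tcp" and not r.stateless and not tracker.established(p):
                continue                        # stateful inspection suppresses the match
            fired.append(r.msg)
    return fired


# Rules as posted in the thread.
TCP_RULE = ('alert tcp !$HOME_NET any -> $HOME_NET 10000 (msg: "Test TCP port 10000 '
            'Scan detected"; classtype: attempted-recon;)')
TCP_STATELESS_RULE = TCP_RULE[:-1] + " stateless;)"
UDP_RULE = ('alert udp !$HOME_NET any -> $HOME_NET 10000 (msg: "Test UDP port 10000 '
            'Scan detected"; classtype: attempted-recon;)')

# Constructed sample traffic: an outside host probing port 10000 on a HOME_NET host.
SCANNER, TARGET = "192.0.2.10", "10.0.0.5"
SYN_SCAN = [Packet("tcp", SCANNER, 40000, TARGET, 10000, "S"),
            Packet("tcp", TARGET, 10000, SCANNER, 40000, "SA"),
            Packet("tcp", SCANNER, 40000, TARGET, 10000, "R")]
FULL_CONNECT = SYN_SCAN[:2] + [Packet("tcp", SCANNER, 40000, TARGET, 10000, "A")]
UDP_PROBE = [Packet("udp", SCANNER, 40001, TARGET, 10000)]

if __name__ == "__main__":
    print("SYN scan, plain TCP rule, -z est:   ", run([parse_rule(TCP_RULE)], SYN_SCAN))
    print("SYN scan, stateless TCP rule, -z est:", run([parse_rule(TCP_STATELESS_RULE)], SYN_SCAN))
    print("full connect, plain TCP rule, -z est:", run([parse_rule(TCP_RULE)], FULL_CONNECT))
    print("UDP probe, UDP rule, -z est:         ", run([parse_rule(UDP_RULE)], UDP_PROBE))
```

Running the block reproduces the thread: the plain TCP rule is silent against the SYN scan under `-z est` while the UDP rule and the `stateless` variant fire, and the plain rule does fire once a connection completes the handshake. The tracker here is deliberately tiny; real stream4 tracks far more state, and the point is only to show where the `stateless` keyword and the `-z est` switch sit in the match decision.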