[Snort-users] Snort not detecting stuff it should be..

Vitaly McLain twistah at ...93...
Fri Jul 28 21:02:43 EDT 2000


Hi all,

I really did not want to post to this list because I was afraid I'd be
wasting your time too much, but I just can't seem to solve this. Probably
something stupid (or I'm stupid. Heh.)

Anyway, on my 'router' I run Linux Slackware 7.0 (kernel 2.2.13, yes I'm
aware of the holes). I also run snort (1.6.3 currently). The router is
connected to the Net via dialup over a PPP connection. Apart from the router,
there is one more box on my network. This means the 'router' has 3
interfaces: ppp0 (PPP connection to the Net), eth0 (NIC leading to my
network) and lo (standard loopback). I want snort to do what it's supposed
to, but it just won't! Here is what I mean: no matter how I run it, or with
which ruleset, it won't detect anything. Well, that's not 100% true. It only
detects stuff bound for 192.168.1.2 (the other box) and nothing directed
towards my IP on the Net (which changes every time I dial up) or 192.168.1.1.
I can portscan myself, portscan my Internet IP, portscan off other
boxes...nothing. Other alerts won't trigger either. BUT if I use my router
to scan the other box on my network, snort DOES go off and shows alerts for
192.168.1.2.

So, what's up!? I've tried running it on lo, ppp0 and eth0 (all at the same
time, in fact!) and STILL nothing! All I get is warnings about ICMP Unreaches
going to 192.168.1.2. Hmm.

Here is the more or less relevant part of my snort ruleset, which was
generated TODAY by the snort website (I have used a multitude of other
rulesets before, all had the same problem):

bizkit:/usr/local/bin# head -10 snort728
# snort rules for 1.6.3

preprocessor minfrag: 128
preprocessor portscan: 192.168.1.0/24 4 5 /var/log/snort/snort_portscan.log
preprocessor portscan-ignorehosts: 207.69.188.185 207.69.188.186
207.69.188.187
var HOME_NET 192.168.1.0/24


# the rules...

bizkit:/usr/local/bin#

Anyone see what I'm doing wrong? My network is all 192.168.1.x and the
ignore-hosts are my ISP's DNS servers.

I'm puzzled by this. I've tried different approaches to running snort. I
usually do something like:
snort -c snort728 -D -s
or
snort -c snort728 -i ppp0 -D -s
or something of the sort. Oh, and if I run snort on ppp0, run a portscan
against it and ^C out, I see that snort picked up the portscan (insane
amount of TCP packets) but no alert.

Yeah, I'm doing something stupid right? :(

Sorry for the long message and THANKS IN ADVANCE for your help!

Vitaly McLain
twistah at ...93...
twistah on irc.openprojects.net
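As an added diagnostic after the message above (editor's example, not code from the original post or from Snort itself): the script parses the `var`, `preprocessor portscan:` and `preprocessor portscan-ignorehosts:` directives quoted in the post and reports, for each address of interest, whether it lies inside HOME_NET, inside the network the portscan preprocessor is told to watch, and whether it is on the ignore list. The dialup address is not given in the post, so 203.0.113.5 (a documentation-range address) stands in for it; the ignorehosts list, which mail wrapping split across two lines in the post, is assumed to be a single line in the real file.

```python
"""Check which addresses the posted snort 1.6 configuration actually covers."""
import ipaddress
import re

# Constructed copy of the directives quoted in the post. The ignorehosts
# list is assumed to be one line in the real file (mail wrapping split it).
SNORT_CONF = """\
# snort rules for 1.6.3

preprocessor minfrag: 128
preprocessor portscan: 192.168.1.0/24 4 5 /var/log/snort/snort_portscan.log
preprocessor portscan-ignorehosts: 207.69.188.185 207.69.188.186 207.69.188.187
var HOME_NET 192.168.1.0/24
"""


def parse_conf(text):
    """Return (variables, portscan_nets, ignore_hosts) from a snort 1.x config.

    Only the directives relevant to the scope question are handled: 'var',
    'preprocessor portscan:' and 'preprocessor portscan-ignorehosts:'.
    Everything else (minfrag, rules) is skipped.
    """
    variables = {}
    portscan_nets = []
    ignore = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"var\s+(\S+)\s+(\S+)$", line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        # portscan: <network> <ports> <seconds> <logfile>
        m = re.match(r"preprocessor\s+portscan:\s*(\S+)\s+\d+\s+\d+\s+\S+$", line)
        if m:
            portscan_nets.append(ipaddress.ip_network(m.group(1), strict=False))
            continue
        m = re.match(r"preprocessor\s+portscan-ignorehosts:\s*(.+)$", line)
        if m:
            ignore.extend(ipaddress.ip_address(h) for h in m.group(1).split())
    return variables, portscan_nets, ignore


def expand_var(value):
    """Turn a var value into a list of networks; 'any' matches everything."""
    if value.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    # Bracketed lists like [a/24,b/24] are split; negated entries are
    # rejected rather than silently misread, since this check ignores them.
    nets = []
    for part in value.strip("[]").split(","):
        if part.startswith("!"):
            raise ValueError("negated entries not supported: " + part)
        nets.append(ipaddress.ip_network(part, strict=False))
    return nets


def scope(conf_text, addr):
    """Report how the config treats a single IP address."""
    variables, portscan_nets, ignore = parse_conf(conf_text)
    ip = ipaddress.ip_address(addr)
    home = expand_var(variables.get("HOME_NET", "any"))
    return {
        "in_home_net": any(ip in n for n in home),
        "portscan_watched": any(ip in n for n in portscan_nets),
        "portscan_ignored": ip in ignore,
    }


if __name__ == "__main__":
    # 203.0.113.5 is a placeholder for the (unknown, changing) dialup address.
    for a in ("192.168.1.1", "192.168.1.2", "203.0.113.5", "207.69.188.185"):
        print(a, scope(SNORT_CONF, a))
```

Run against the quoted config, the stand-in dialup address falls outside both HOME_NET and the network the portscan preprocessor watches, so nothing written against `$HOME_NET` and no portscan detection can cover it as configured; 192.168.1.1 sits inside both, so for that address the config scope does not account for the silence, and which interface the snort process is actually bound to is the next thing to confirm (the post shows runs both with and without `-i`).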