[Snort-users] testing from same machine?

Phil foo_bar_00 at ...131...
Tue Apr 24 01:13:17 EDT 2001


Can you use the attack.pl test script from the same
machine that snort is running on? If I'm correct,
since it directs the traffic to an IP, it will head to
the right ethernet adapter (elxl0 in my case), even
though it won't _leave_ and therefore get picked up by
snort. No?

I added my external IP address to the script and ran
it... let it go for a while... let it run MANY tests,
then I killed it after nothing showed up on console or
in the logs (neither in /var/log/snortlogs nor in syslog,
and my config sets it to log to both).

RELEVANT INFO:
Platform: Solaris 2.6 x86
Snort Version: 1.7

My configuration is:

var HOME_NET $elxl0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var SMTP MY.SMTP.SERVER.HERE
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
#var DNS_SERVERS [192.168.1.1/32,10.1.1.1/32]

...

include /etc/snort/local.rules
include /etc/snort/exploit.rules
include /etc/snort/scan.rules
include /etc/snort/finger.rules
include /etc/snort/ftp.rules
include /etc/snort/telnet.rules
include /etc/snort/smtp.rules
include /etc/snort/rpc.rules
include /etc/snort/rservices.rules
include /etc/snort/backdoor.rules
include /etc/snort/dos.rules
include /etc/snort/ddos.rules
include /etc/snort/dns.rules
include /etc/snort/netbios.rules
include /etc/snort/sql.rules
include /etc/snort/web-cgi.rules
include /etc/snort/web-coldfusion.rules
include /etc/snort/web-frontpage.rules
include /etc/snort/web-misc.rules
include /etc/snort/web-iis.rules
include /etc/snort/icmp.rules
include /etc/snort/misc.rules
#include policy.rules
#include info.rules
#include virus.rules

The stuff in the middle is pretty much default.

My command for running snort is:
/usr/local/bin/snort -A fast -s -i elxl0 -l /var/log/snortlogs -c /etc/snort/snort.conf -D

Here is some output from the attack.pl script:

Simulating attack over udp/111  - "IDS025 - RPC -
portmap-request-selection_svc"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS019 - RPC -
portmap-request-amountd"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS016 - RPC -
portmap-request-bootparam"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS017 - RPC -
portmap-request-cmsd"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS013 - RPC -
portmap-request-mountd"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS021 - RPC -
portmap-request-nisd"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS022 - RPC -
portmap-request-pcnfsd"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS023 - RPC -
portmap-request-rexd"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS010 - RPC -
portmap-request-rstatd"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS018 - RPC -
portmap-request-admind"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS020 - RPC -
portmap-request-sadmind"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS015 - RPC -
portmap-request-status"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS024 - RPC -
portmap-request-ttdbserv"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS014 - RPC -
portmap-request-yppasswd"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS012 - RPC -
portmap-request-ypserv"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/111  - "IDS125 - RPC -
portmap-request-ypupdated"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/32770:  - "IDS009 -
RPC-rstatd-query"

...

Simulating attack over udp/50879  - "IDS181 -
OVERFLOW-NOOP-X86"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/50225  -
"OVERFLOW-NOOP-SGI"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over tcp/2530  - "OVERFLOW-NOOP-SGI"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over udp/37725  -
"OVERFLOW-NOOP-Solaris"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over tcp/41555  -
"OVERFLOW-NOOP-Solaris"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over udp/3076  -
"OVERFLOW-NOOP-Sparc"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over tcp/20370  -
"OVERFLOW-NOOP-Sparc"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over tcp/53  -
"OVERFLOW-DNS-x86linux-rotsb"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over tcp/23352  -
"OVERFLOW-NOOP-Sparc"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over tcp/13222  - "OVERFLOW-NOOP-HP"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over tcp/53707  -
"OVERFLOW-NOOP-X86"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over tcp/53  -
"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over tcp/53  -
"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over tcp/53  -
"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over tcp/57009  - "IDS215 - OVERFLOW
- Client - netscape47-retrieved"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over tcp/80  - "IDS214 - OVERFLOW -
Client - netscape47-unsucessful"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over udp/59337  -
"OVERFLOW-NOOP-Sparc"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over udp/50531  -
"OVERFLOW-NOOP-AIX"
Host: MY.IP.ADDY.HERE - OK
Simulating attack over tcp/53  - "OVERFLOW-named"
Host: MY.IP.ADDY.HERE - skipped
Simulating attack over udp/635  -
"OVERFLOW-x86-linux-mountd2"

Thanks,
Phil
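The question above hinges on where a packet addressed to one of the host's own IP addresses actually goes. On Solaris, as on the BSDs and Linux, the kernel routes such a packet through the loopback path and hands it straight back to the local stack, so it never crosses the NIC that a libpcap sensor bound to elxl0 is tapping. Before reading alert logs, it helps to check which test packets could have been visible to the sensor at all. The following Python script is an added example, not code from the post or from the Snort or attack.pl projects. It parses attack.pl output in the format quoted above (the sample block is constructed, with documentation-range addresses in place of the poster's), tallies OK versus skipped tests per protocol, and applies a deliberately simplified model of the host routing decision (one default route, no policy routing) to predict whether a given destination would be seen on the capture interface; the interface names and addresses in `IFACES` are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same format as the attack.pl output quoted in
# the post; 192.0.2.10 is a placeholder, not the poster's address.
SAMPLE_OUTPUT = """\
Simulating attack over udp/111  - "IDS025 - RPC - portmap-request-selection_svc"
Host: 192.0.2.10 - OK
Simulating attack over udp/32770:  - "IDS009 - RPC-rstatd-query"
Host: 192.0.2.10 - OK
Simulating attack over tcp/2530  - "OVERFLOW-NOOP-SGI"
Host: 192.0.2.10 - skipped
Simulating attack over udp/37725  - "OVERFLOW-NOOP-Solaris"
Host: 192.0.2.10 - OK
Simulating attack over tcp/53  - "OVERFLOW-named"
Host: 192.0.2.10 - skipped
"""

# Assumed interface layout of the sensor host (constructed for the example).
IFACES = {"elxl0": "192.0.2.10/24", "lo0": "127.0.0.1/8"}

# The port may be followed by a stray ':' in some lines of the quoted output.
ATTACK_RE = re.compile(
    r'^Simulating attack over (?P<proto>tcp|udp)/(?P<port>\d+):?\s+-\s+'
    r'"(?P<name>[^"]*)"\s*$')
HOST_RE = re.compile(r'^Host:\s+(?P<host>\S+)\s+-\s+(?P<status>OK|skipped)\s*$')


def parse_attack_log(text):
    """Pair each 'Simulating attack' line with the 'Host:' result that follows it."""
    results = []
    pending = None
    for line in text.splitlines():
        m = ATTACK_RE.match(line)
        if m:
            pending = m.groupdict()
            pending["port"] = int(pending["port"])
            continue
        h = HOST_RE.match(line)
        if h and pending is not None:
            pending.update(h.groupdict())
            results.append(pending)
            pending = None
    return results


def tally(results):
    """Count tests per (protocol, status), e.g. {('udp', 'OK'): 3, ...}."""
    return dict(Counter((r["proto"], r["status"]) for r in results))


def egress_interface(dst, interfaces, default_if):
    """Predict which interface a locally generated packet to dst leaves on.

    Simplified model of the kernel's routing decision: a destination that is
    one of the host's own addresses (or any loopback address) is delivered
    internally over lo0 and never reaches a NIC; an on-link destination goes
    out the interface on that subnet; anything else takes the default route.
    """
    target = ipaddress.ip_address(dst)
    nets = {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}
    if target.is_loopback or any(target == iface.ip for iface in nets.values()):
        return "lo0"
    for name, iface in nets.items():
        if name != "lo0" and target in iface.network:
            return name
    return default_if


def visible_to_sensor(dst, interfaces, capture_if, default_if=None):
    """True if a packet sent from this host to dst would cross capture_if."""
    return egress_interface(dst, interfaces, default_if or capture_if) == capture_if


if __name__ == "__main__":
    results = parse_attack_log(SAMPLE_OUTPUT)
    print("tests per (protocol, status):", tally(results))
    for r in results:
        seen = visible_to_sensor(r["host"], IFACES, "elxl0")
        print(f"{r['proto']}/{r['port']:<5} {r['status']:<8} "
              f"sensor on elxl0 could see it: {seen}")
```

Run against the poster's setup, every test targets the sensor's own address, so `visible_to_sensor` reports False for all of them regardless of the OK/skipped status attack.pl printed: the script sent its packets, but they took the loopback path. Sending the same tests from a second host on the subnet (or at a non-local address that routes out through elxl0) is what puts them in front of the sensor. The tally also makes visible that, in the quoted output, every skipped entry is a TCP test and every OK entry is UDP.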
