[Snort-users] real basic starter rules

Harry Putnam reader at ...5712...
Wed Apr 24 18:56:02 EDT 2002


I'm having a rough time getting started with snort.
Just installed the latest 8.6 from source.  Had no problems with
build.

But now reading the Users Manual and trying to put together just some
simple stuff to see what things do what.

Maybe some examples I've taken direct from the Manual but edited in
various ways will be the quickest way for any prospective poster to
see what I'm screwing up.

I always seem to have more than my share of trouble learning new apps,
so I've come to believe it's a built-in operator problem on my end, so
please bear with me as I pose possibly old, worn-out questions.

After running some of the command lines from the first section of
manual I decided to push on to the next section about using the
snort.conf file.

A few of the things I tried after reading some of it seemed not to do
what I understood they should:

1) The bidirectional example caught my attention.
    log !192.168.1.0/24 any <> 192.168.1.0/24 23 
 Only I couldn't see why the NOT (!) operator was in there.

The discussion indicates it is supposed to capture both sides of the
conversation. 

Editing a little, I set the numbers to reflect my setup and changed
the port number to 21 (ftp).

So with cat /usr/local/etc/snort.conf
   log !192.168.0.0/24 any <> 192.168.0.0/24 21 

And having created the following directory: /var/log/snort/tests.
   ls -ld /var/log/snort/tests
   drwxr-xr-x 2 root root 4096 Apr 24 17:15 /var/log/snort/tests

Using this command line:

   snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf

I get these results:
   root # snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf
   Log directory = /var/log/snort/tests
   
   Initializing Network Interface eth0
   
           --== Initializing Snort ==--
   Decoding Ethernet on interface eth0
   Initializing Preprocessors!
   Initializing Plug-ins!
   Initializating Output Plugins!
   Parsing Rules file /usr/local/etc/snort.conf
   
   +++++++++++++++++++++++++++++++++++++++++++++++++++
   Initializing rule chains...
   ERROR /usr/local/etc/snort.conf (1): Bad rule in rules file
   Fatal Error, Quitting..

Fails completely.

After trying quite a few edited versions with no better success, I
moved on to some other experiments.

I thought maybe being more specific would let me see what I'm doing wrong:
cat /usr/local/etc/snort.conf

   log tcp any any ->  128.111.24.43 21

command line
snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf

This time I see the traffic when I run an ftp session in another
xterm.  But pinging the address shows the traffic too.  But it
doesn't get logged, so I guess I'm supposed to see any traffic but only
log the stuff on port 21.

And sure enough, I get a log file in a directory named with my local
address:
   ls ./192.168.0.5/TCP:3336-21
showing the traffic.  But I can't tell if I'm getting both sides.  I
think not.

Now I'm getting closer at least, but I really want to narrow it down
to a single machine on the network,
trying:

  log tcp 192.168.0.6 any ->  128.111.24.43 21

Fire up an ftp session from 192.168.0.6 to 128.111.24.43
I don't see any of this traffic.  I do see all kinds of other guff
going by but not that ftp session.

What is my error above?  How can I track an ftp session from machine
192.168.0.6 to 128.111.24.43 21 or any other client/server pair?
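
Added example (not from the post above and not Snort's own code): a small
Python parser and matcher for the Snort 1.x rule header, which is
"action proto src_ip src_port direction dst_ip dst_port", run against the
rules quoted in the post. It shows three things: the bidirectional rule as
typed has only six header fields because the protocol is missing (the
manual's version of that rule has "tcp" as its second field); the "!" rule,
once the protocol is added, selects port 21 on the 192.168.0.0/24 side,
i.e. an FTP server inside the local network, so it never matches an
outbound session to 128.111.24.43; and "->" selects only the client-to-
server packets while "<>" selects both sides of the conversation. The two
packets and the client port 3336 are constructed for the example, and the
error strings are the example's own wording, not Snort's parser messages.

```python
"""Toy Snort 1.x rule-header parser/matcher (added example, not Snort code)."""
import ipaddress
from dataclasses import dataclass

# Header layout: action proto src_ip src_port direction dst_ip dst_port
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}


@dataclass(frozen=True)
class Header:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str


def parse_header(rule):
    """Parse the header part of a rule; any (options) are ignored here."""
    header = rule.split("(", 1)[0].split()
    if len(header) != 7:
        raise ValueError(
            f"Bad rule: expected 7 header fields, got {len(header)}: {rule!r}")
    action, proto, src, sport, direction, dst, dport = header
    if action not in ACTIONS:
        raise ValueError(f"Bad rule: unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"Bad rule: second field must be a protocol, got {proto!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"Bad rule: direction must be -> or <>, got {direction!r}")
    return Header(action, proto, src, sport, direction, dst, dport)


def _addr_matches(spec, addr):
    """'any', a host, or CIDR block; a leading '!' negates the match."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(
        spec, strict=False)
    return hit != negate


def _port_matches(spec, port):
    """'any', a single port, or a lo:hi range; a leading '!' negates."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def matches(h, proto, src, sport, dst, dport):
    """Would this header select a packet with the given 5-tuple?"""
    if h.proto != "ip" and h.proto != proto:
        return False
    forward = (_addr_matches(h.src, src) and _port_matches(h.src_port, sport)
               and _addr_matches(h.dst, dst) and _port_matches(h.dst_port, dport))
    if forward or h.direction == "->":
        return forward
    # '<>' also selects the reply direction: retest with the endpoints swapped.
    return (_addr_matches(h.src, dst) and _port_matches(h.src_port, dport)
            and _addr_matches(h.dst, src) and _port_matches(h.dst_port, sport))


def check(rule):
    """'ok', or the parser's complaint (this example's wording, not Snort's)."""
    try:
        parse_header(rule)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed packets (not from the post's capture): the FTP control
# connection from 192.168.0.6 to 128.111.24.43:21 and the server's reply.
# The client port 3336 is an assumption.
REQUEST = ("tcp", "192.168.0.6", 3336, "128.111.24.43", 21)
REPLY = ("tcp", "128.111.24.43", 21, "192.168.0.6", 3336)

RULES = {
    "post":    "log !192.168.0.0/24 any <> 192.168.0.0/24 21",      # no protocol
    "manual":  "log tcp !192.168.0.0/24 any <> 192.168.0.0/24 21",  # FTP *servers* in the LAN
    "oneway":  "log tcp 192.168.0.6 any -> 128.111.24.43 21",       # client->server only
    "session": "log tcp 192.168.0.6 any <> 128.111.24.43 21",       # both sides
}


def which_sides(rule):
    """(request selected?, reply selected?) for the constructed FTP session."""
    h = parse_header(rule)
    return matches(h, *REQUEST), matches(h, *REPLY)


if __name__ == "__main__":
    for name, rule in RULES.items():
        status = check(rule)
        sides = which_sides(rule) if status == "ok" else None
        print(f"{name:8} {status:60} {sides}")
```

Running it prints that the "post" rule fails to parse, that "manual" selects
neither packet of the outbound session, that "oneway" selects only the
request, and that "session" selects both sides. The real Snort matcher is
more involved (port lists, variables, the rule options), but the header
semantics shown here are the part that decides which packets a plain log
rule picks up.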
