[Snort-users] snort alert -stop working with snort.conf

David Yip dy at ...6387...
Mon Jul 29 10:39:08 EDT 2002


Extract from Snort FAQ:

Q: How do I test snort alerts and logging?
A: Try a rule that will fire off all the time like:
alert tcp any any -> any any (msg:"TCP traffic";)
Also take a look at sneeze at http://snort.sourceforge.net/sneeze-1.0.tar
Sneeze is a false positive generator that reads snort signatures and
generates packets that will trigger the rules.

I've tried this one but it sends the tests so fast that snort will consider
it a port scan. Maybe you should disable the port scan preprocessor to
really test the rules.


At 00:32 30/7/2002, twig les wrote:
>Any security scanner like nessus or whisker (which
>nessus uses).
>
>--- Cearns Angela <acearns at ...131...> wrote:
> > No, nothing is alerting. I don't know how to test a
> > lot of the rules. But I tried nmap, ping -l, and I'm
> > also testing the Stacheldraht attack, no alert. What
> > else can I try?
> >
> > but -l without -c snort.conf works.
> >
> > I've static ip for all my computers.
> >
> > Thanks,
> > Ang
> >
> >
> > --- John Sage <jsage at ...2022...> wrote:
> > > Angela:
> > >
> > > On Sat, Jul 27, 2002 at 08:18:20PM -0700, Cearns Angela wrote:
> > > > Hi I've 2 simple questions:
> > > >
> > > > 1. My snort alert was working fine for a while and stopped suddenly.
> > > > It no longer logs port scan file to my portscan.log in
> > > > /var/log/snort...nor does it log icmp large packets alert to my
> > > > alert file in /var/log/snort.
> > > > I'm using Red Hat Linux 7.3 2.4.18. and snort 1.8.6
> > >
> > > So, *nothing* is alerting at all, or just not portscans and icmp large
> > > packets?
> > >
> > > What sort of connectivity do you have?
> > >
> > > hmm..
> > >
> > > [toot at ...2057... /]# host 128.198.172.82
> > > 82.172.198.128.in-addr.arpa. domain name pointer multimedia.cs.uccs.edu.
> > >
> > > Do you have a new IP address assigned by DHCP every so often?
> > >
> > >
> > > > I checked the snort.conf file and the homenet was configured correctly
> > > > (same as what I use for the -h option on command line).
> > > >
> > > > When I run snort:
> > > > snort -dev -l /var/log/snort -h 192.168.0.2/16 -c snort.conf
> > > >
> > > > It didn't raise any error and it reads in all the rules.
> > > >
> > > > When I run snort without the config file:
> > > > snort -dev -l /var/log/snort
> > > > - it accurately created the dest & source ip directory and logged the
> > > > packets into those directories
> > > >
> > > > Any idea where I should look into the problem?
> > > >
> > > > 2. After getting the alert working, I'd like to test every single one
> > > > of the rules in snort but I don't know the various types of intrusion
> > > > very well. Is there any test case available that can help me get
> > > > started? (e.g. run a nmap -sS....and the portscan alert will be
> > > > raised; run a ping ... and a xx alert will be raised...)
> > >
> > > Many of the snort rules look for symptoms of specific exploits.
> > >
> > > You can't test for these without running a given exploit against your
> > > system.
> > >
> > > nmap will scan ports in various ways, but not test all snort rules, by
> > > any means.
> > >
> > > I'm not aware of any method to actually test each and every rule...
> > >
> > >
> > > HTH..
> > >
> > >
> > > - John
> > > --
> > > Why, yes, I talk to birds. I speak fluent finch.
> > >
> > > PGP key
> > > http://www.finchhaven.com/pages/gpg_pubkey.html
> > > Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or
> > unsubscribe:
> >
>https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> >
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>=====
>-----------------------------------------------------------
>All warfare is based on deception.
>-----------------------------------------------------------


--

David Yip
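To make the FAQ suggestion above concrete, here is a minimal test configuration that combines the always-fire rule with the portscan preprocessor disabled, as David suggests. This is an added example, not text from the Snort FAQ or from anyone in the thread. The file name, the HOME_NET value, the sid, and the exact portscan preprocessor argument line are assumptions on my part, written against the Snort 1.8-era snort.conf syntax; check them against the snort.conf that shipped with your version before using it.

```snort
# test.conf: minimal Snort 1.8-era configuration for checking that alerting
# works at all before debugging the real rule set.
# Added example; not from the Snort FAQ or the posted thread.

# Assumed value: set this to the same network you pass with -h.
var HOME_NET 192.168.0.0/16
var EXTERNAL_NET any

# Keep the decoders that the stock rules depend on.
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble

# A burst of generated test packets (e.g. from sneeze) looks like a scan to
# the portscan preprocessor. Leave it commented out while testing individual
# rules, then re-enable it. Argument order (network, ports, seconds, logfile)
# is assumed to match the 1.8 default snort.conf.
# preprocessor portscan: $HOME_NET 4 3 portscan.log

# Always-fire rule from the FAQ, given a sid in the local range (assumed
# free) so its alerts are easy to find in the alert file and to remove later.
alert tcp any any -> any any (msg:"TEST TCP traffic"; sid:1000001; rev:1;)
```

Run it the same way as the production config, e.g. snort -dev -l /var/log/snort -c test.conf, open a single TCP connection to or from a host on HOME_NET, and look for "TEST TCP traffic" in /var/log/snort/alert. If that line appears, packets are reaching the detection engine and the problem lies in the real rules or in the HOME_NET / -h values they depend on; if it never appears even though snort -dev -l /var/log/snort alone logs packets, the problem is in the configuration before rule evaluation. Remove the rule once you are done, since it alerts on every TCP packet.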
