[Snort-users] FW: (reality check)Solved(i think):OpenBSD 3.4 snort--X-->mysql alerts now being generated

Jacob, Raymond A Jr raymond.jacob at ...7622...
Fri Apr 23 16:08:05 EDT 2004


Sent: Friday, April 23, 2004 19:04
Subject: re:(reality check)Solved(i think):OpenBSD 3.4 snort--X-->mysql
alerts now being generated


Question: Why are there no alerts being generated?
Answer I think:
Looking at my previous post:
breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0 
    UDP: 9          (3.409%)          LOGGED: 0 
   ICMP: 0          (0.000%)          PASSED: 0 
    ARP: 255        (96.591%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)

  I noticed a lot of ARPs and a little UDP(netbois I am guessing since the laptop is runing Win2k).
I realized that the reason I was not receiving any alerts was that
the only system on this test network with an ip address is the laptop(with no gateway configured)running nmap.
The bridge interface does not have an ip address. Consequently, when I connected the cross connected cable
to an interface with an ip address and ran nmap against the ip address associated with this interface, alerts
were sent to the snort database and acid displayed the alerts.
In the case where the laptop was connected to an interface with no IP address,since there is no 
valid (i.e.00-00-00-00-00-00) response to the ARP request for a host(s) on the network, the laptop(running nmap)
can not send malicious packet(s) to any system on the network because it has no MAC address for the
system being attacked. Running a scan from the laptop connected to the bridge and
checking the arp cache on the laptop revealed there were no valid entries in the arp cache.

Question:I assume in order for snort to detect alerts from NMAP there must be at least two systems with ip addresses
on the network or the vulnerablity scanner must have a static MAC address in its arp cache in order to
send packets to the snort box on the network?

Question: if I were to put a static MAC address in the arp cache for the a host that 
nmap will scan against, would I see alerts from the bridge interface with no ip address?


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
snort-users-request at lists.sourceforge.net
S
Message: 5
Date: Thu, 22 Apr 2004 12:33:17 -0400
From: "Jacob, Raymond A Jr" <raymond.jacob at ...7622...>
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] OpenBSD 3.4 snort--X-->mysql not working and I don't see any errors on startup

Question: Why are no alerts being generated?
(I appologize in advance for long message.)

References:
(1)http://openbsddiary.org/index.php?page=3Dsnort#ConfigMySQL (not used)
(2) =
http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_faq.html#faq_b1=

(3) http://archives.neohapsis.com/archives/snort/2000-06/0181.html =
(used)

Lab equipment:
1. Windows laptop w/NMAP
2. OpenBSD 3.4 on intel w/snort, mysql,acid(and associated software to =
make acid run)
3. One cross connected twisted pair cable between 1.(laptop) and 2.(one =
port:ethernet1 on OpenBSD Bridge )

Procedure:
1. (OpenBSD)configure bridging on OpenBSD to monitor two(2) networks =
running one instance of=20
snort.
2. start snort in sniffer mode:
/usr/local/bin/snort -dev -i bridge0
[block nonip, block outbound traffic to lans connected to bridge,allow =
ip traffic in]
3. (laptop)start nmap up run syn scan.
Results:snort dumps traffic to screen.
4. start snort:
/usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -D > /dev/null =
& echo -n ' snort'
5. (laptop)start nmap up run syn scan.
Results: database does not grow in size and alerts file is empty.
6.kill snort and run from the command line.
 /usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -o -N
[See: Script started on Wed Apr 21 18:24:42 2004 for screen dump]
Results: database does not grow in size and alerts file is empty.
Notice alot of arps. Probably because laptop is the only system
on this net with an ip address.

Question: Why are no alerts being generated?

Data:
Script started on Wed Apr 21 18:24:42 2004

machine1# /usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -o -N
Running in IDS mode
Log directory =3D /var/log/snort

Initializing Network Interface bridge0
OpenPcap() device bridge0 network lookup:
        bridge0: no IPv4 address assigned

        --Initializing Snort --
Rule application order changed to Pass->Alert->Log
Initializing Output Plugins!
Decoding Ethernet on interface bridge0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
Rule application order: ->pass->activation->dynamic->alert->log

        -- Initialization Complete --

-*> Snort! <*-
Version 2.1.2 (Build 25)
By Martin Roesch (roesch at ...1935..., www.snort.org)
^C

Snort analyzed 264 out of 264 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0 
    UDP: 9          (3.409%)          LOGGED: 0 
   ICMP: 0          (0.000%)          PASSED: 0 
    ARP: 255        (96.591%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
.....
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.159130)/blocks (16686/3) =
Overhead blocks: 1 Could Hold: (73326)
IPV4 count: 2 frees: 0 low_time: 1082587587, high_time: 1082587588, =
diff: 0h:00:01s
    finds: 9 reversed: 0(%0.000000)=20
    find_sucess: 7 find_fail: 2 percent_success: (%77.777778) new_flows: =
2
 Protocol: 17 (%100.000000) finds: 9  reversed: 0(%0.000000)=20
  find_sucess: 7 find_fail: 2 percent_success: (%77.777778) new_flows: 2
database: Closing connection to database ""
Snort exiting
machine1# exit




More information about the Snort-users mailing list