[Snort-users] I don't see no porn

bofh goodb0fh at ...11827...
Thu Aug 12 15:26:04 EDT 2004


Hi,

Basic install of snort from openbsd 3.5's port collection, snort 2.0.0.
Rules are the ones I downloaded today, Aug 12, 2004.
After installing it, I run it with the following command line:

% snort -A fast -c /etc/snort.conf -I -D

/etc/snort.conf is default, with the following changes:

var RULE_PATH /etc/snort/rules
include /etc/snort/classification.config
include /etc/snort/reference.config
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/virus.rules

I then hop over to another machine on the same hub, and google
for "nude cheerleader".

Why is snort not catching any nude cheerleaders?  

snort creates /var/log/snort/alert, but it stays empty.

It sees the traffic though, because, if I do a:

% snort -v host 192.168.11.134 and port 3128

I get a whole bunch of

08/12-17:22:39.394159 192.168.11.134:4510 -> 192.168.11.253:3128
TCP TTL:128 TOS:0x0 ID:23551 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF304593D  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/12-17:22:39.394238 192.168.11.253:3128 -> 192.168.11.134:4510
TCP TTL:64 TOS:0x0 ID:6284 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x25D4274  Ack: 0xF304593E  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/12-17:22:39.394410 192.168.11.134:4510 -> 192.168.11.253:3128
TCP TTL:128 TOS:0x0 ID:23552 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xF304593E  Ack: 0x25D4275  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and when I Ctrl-C out of snort, I get:

Snort analyzed 545 out of 545 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 27         (4.954%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Snort exiting

Thanx.
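One check for the situation described in the post, as an added example that is not from the post or from the Snort project: a small matcher for Snort 2.x rule headers, run against the browser-to-proxy flow from the snort -v output above (destination port 3128) and against a direct fetch to port 80. The snort.conf variable values and the rule are assumptions and are labelled as such in the code.

```python
# Added example, not from the post or the Snort project: a minimal matcher for
# Snort 2.x rule headers. Variable values, rule and flows below are constructed.
import ipaddress
import re
# Assumed snort.conf values (2.0-era defaults: networks 'any', HTTP_PORTS 80).
VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any", "HTTP_PORTS": "80"}
# action proto src sport -> dst dport (  ...  only the '->' direction is handled
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\(")

def _expand(tok):
    # Resolve a $VAR reference; return (negated, value) stripped of [] brackets.
    neg = tok.startswith("!")
    tok = tok.lstrip("!")
    if tok.startswith("$"):
        tok = VARS[tok[1:]]
    return neg, tok.strip("[]")

def ip_matches(spec, ip):
    neg, spec = _expand(spec)
    if spec == "any":
        return not neg
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
              for n in spec.split(","))
    return hit != neg

def port_matches(spec, port):
    """Handles any, single ports, lists and ranges: 80, 8000:8080, :1024, !80."""
    neg, spec = _expand(spec)
    if spec == "any":
        return not neg
    hit = False
    for p in spec.split(","):
        lo, sep, hi = p.partition(":")
        lo = int(lo) if lo else 0
        hi = (int(hi) if hi else 65535) if sep else lo
        hit |= lo <= port <= hi
    return hit != neg

def header_matches(rule, src_ip, src_port, dst_ip, dst_port):
    """True if a TCP flow passes the header; rule body options are not checked."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule header: " + rule)
    _, proto, s_ip, s_port, d_ip, d_port = m.groups()
    return (proto == "tcp" and ip_matches(s_ip, src_ip) and port_matches(s_port, src_port)
            and ip_matches(d_ip, dst_ip) and port_matches(d_port, dst_port))

# Constructed rule in the shape of a web-client content rule (not porn.rules).
RULE = 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"example"; content:"example"; sid:1000001;)'
# The browser -> proxy flow from the post's snort -v output, and a direct fetch.
PROXY_FLOW = ("192.168.11.134", 4510, "192.168.11.253", 3128)
DIRECT_FLOW = ("192.168.11.134", 4510, "203.0.113.10", 80)
```

Only the header is evaluated here: a flow that fails it never reaches the rule's content matches, so no alert can be produced for it whatever the packets carry.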
