[Snort-users] Snort but no alert

Nick Duda nduda at ...10466...
Wed May 12 10:49:06 EDT 2004


Is the rules path correct? /etc/snort/rules/xxxxx.rules. It seems the
only rules being processed are the ones statically assigned in the .conf file.
I would clean up/rework the conf file a bit.

In your snort startup script, are you listening on the correct
interface? Try doing this:

/path/to/snort -i eth1 (then your other switches, like the path to the config
file and such). What is the output?
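The two checks suggested above (is RULE_PATH right, and do the included rule files actually exist and contain active rules) can be scripted. The following is an added example, not code from this thread or from the Snort project; it assumes the Snort 2.x "var RULE_PATH" / "include $RULE_PATH/x.rules" syntax used in the quoted config, and the snort.conf and rule files it generates are constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the rule files a
# Snort 2.x snort.conf includes. Assumes the "var RULE_PATH <dir>" and
# "include $RULE_PATH/<file>.rules" syntax seen in the quoted config.
# Paths are assumed to contain no spaces or '&' (awk's sub() would mangle them).

# Print the RULE_PATH value declared in a snort.conf (empty if none).
rule_path() {
    awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$1"
}

# Print every included *.rules file, one per line, with $RULE_PATH expanded.
included_rule_files() {
    rp="$(rule_path "$1")"
    awk -v rp="$rp" '
        $1 == "include" && $2 ~ /\.rules$/ {
            f = $2
            sub(/^\$RULE_PATH/, rp, f)
            print f
        }' "$1"
}

# Count active rule lines (alert/log/pass/drop, not commented out) in one file.
count_active_rules() {
    grep -c -E '^[[:space:]]*(alert|log|pass|drop)[[:space:]]' "$1"
}

# For each included file print "path: N active rules" or "path: MISSING".
# Exit status 1 if at least one included file does not exist.
check_rule_files() {
    missing=0
    for f in $(included_rule_files "$1"); do
        if [ -f "$f" ]; then
            printf '%s: %s active rules\n' "$f" "$(count_active_rules "$f")"
        else
            printf '%s: MISSING\n' "$f"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed demo input: a temporary snort.conf whose RULE_PATH contains
# local.rules (two active rules, one commented out) but no bad-traffic.rules.
# Prints the path of the generated snort.conf.
make_demo_conf() {
    d="$(mktemp -d)"
    mkdir -p "$d/rules"
    cat > "$d/rules/local.rules" <<'EOF'
# constructed sample rules
alert tcp any any -> any 31337 (msg:"constructed rule 1"; sid:1000001;)
# alert tcp any any -> any 12345 (msg:"commented out"; sid:1000002;)
alert udp any any -> any 31337 (msg:"constructed rule 2"; sid:1000003;)
EOF
    cat > "$d/snort.conf" <<EOF
var HOME_NET 10.1.0.0/24
var RULE_PATH $d/rules
include \$RULE_PATH/local.rules
include \$RULE_PATH/bad-traffic.rules
EOF
    echo "$d/snort.conf"
}

# Stand-alone run: report on the demo config (its second rule file is missing).
demo_conf="$(make_demo_conf)"
check_rule_files "$demo_conf" || echo "at least one included rule file is missing"
```

Run it against a real /etc/snort/snort.conf with `check_rule_files /etc/snort/snort.conf`; a MISSING line or a file with 0 active rules explains a sensor that only ever produces preprocessor alerts. Snort's own `-T` switch does a similar configuration test, but this report shows the per-file counts.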

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
nyarlathothep at ...2470...
Sent: Wednesday, May 12, 2004 11:02 AM
To: snort-users
Subject: [Snort-users] Snort but no alert

Hello everyone,
I'm still here with my problem.
I have a Snort Debian box that listens on an interface (eth1, without an IP
address) on the external net, while it is connected on eth0 to the internal
net, the interface that I use to read the data that Snort puts in the database.
The problem is that I don't receive rule alerts, except for ICMP destination
unreachable, but only preprocessor alerts, even when I try to scan the box with
Nessus or NMap.
I hope that someone can help me,

(PS: I've attached my conf file; all the rules are selected)

Thanks,

Matteo

SNORT.CONF

var HOME_NET 10.1.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2

preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile apache ports { 80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor telnet_decode

preprocessor flow-portscan: talker-sliding-scale-factor 0.50 talker-fixed-threshold 30 talker-sliding-threshold 30 talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker 30000 server-watchnet $HOME_NET server-ignore-limit 200 server-rows 65535 server-learning-time 14400 server-scanner-limit 4 scanner-sliding-window 20 scanner-sliding-scale-factor 0.50 scanner-fixed-threshold 15 scanner-sliding-threshold 40 scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net $HOME_NET dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg tcp-penalties on

output database: alert, postgresql, user=postgres dbname=snort host=localhost

include classification.config
include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
...



ALERT

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212
ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
151.11.129.212:135 -> 172.133.197.74:2249
TCP TTL:254 TOS:0x40 ID:0 IpLen:20 DgmLen:40 DF
Seq: 0x0  Ack: 0x0
** END OF DUMP

[**] [121:4:1] Portscan detected from 200.191.164.142 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:49:09.988413

[**] [121:4:1] Portscan detected from 192.168.150.2 Talker(fixed: 2 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:50:39.821253

[**] [121:4:1] Portscan detected from 66.185.41.191 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:52:53.437042

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46
Len: 18

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:40.994216 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22742 IpLen:20 DgmLen:46
Len: 18

[**] [121:4:1] Portscan detected from 210.95.44.31 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:07:01.105576

[**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:41603 IpLen:20 DgmLen:56
Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.2:60369
UDP TTL:61 TOS:0x0 ID:43291 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:42.725148 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:46666 IpLen:20 DgmLen:56
Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.14:46007
UDP TTL:61 TOS:0x0 ID:43292 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [121:4:1] Portscan detected from 69.44.61.30 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:23:58.282652

[**] [121:4:1] Portscan detected from 151.11.129.54 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:28:50.508095
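The alert output above comes almost entirely from preprocessors (generator 121 is flow-portscan, 105 is the Back Orifice preprocessor spo_bo) with only two ICMP hits from the rules engine (generator 1). A small awk summary by generator id makes that split visible at a glance. This is an added example, not code from the thread or from Snort; it reads the "[**] [gid:sid:rev] ... [**]" header format shown above, and the sample alert file it builds is constructed with documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise a Snort alert file by
# generator id (gid) so preprocessor alerts can be told apart from rule hits.
# Snort alert headers look like "[**] [gid:sid:rev] message [**]"; gid 1 is
# the rules engine, 105 the Back Orifice preprocessor (spo_bo) and 121 the
# flow-portscan preprocessor.

# Count alert headers in file $1 whose generator id equals $2.
count_by_gid() {
    awk -v want="$2" '
        /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
            match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)
            split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
            if (id[1] == want) n++
        }
        END { print n + 0 }' "$1"
}

# Print "gid <n> (<label>): <count> alerts" per generator, lowest gid first.
summarize_by_gid() {
    awk '
        BEGIN {
            label[1]   = "rules engine"
            label[105] = "spo_bo Back Orifice preprocessor"
            label[121] = "flow-portscan preprocessor"
        }
        /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
            match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)
            split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
            n[id[1]]++
        }
        END {
            for (g in n)
                printf "gid %s (%s): %d alerts\n", g,
                       (g in label ? label[g] : "other generator"), n[g]
        }' "$1" | sort -n -k2
}

# Constructed sample alert file in the same format as the thread's output,
# using documentation addresses; prints its path.
make_demo_alerts() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-15:47:42.319644 192.0.2.10 -> 198.51.100.20
ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56

[**] [121:4:1] Portscan detected from 203.0.113.7 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:49:09.988413

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:38.001287 192.0.2.10:53239 -> 203.0.113.5:31337
UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46

[**] [121:4:1] Portscan detected from 203.0.113.8 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:07:01.105576

[**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:27.486375 192.0.2.11 -> 198.51.100.21
EOF
    echo "$f"
}

# Stand-alone run over the sample file.
summarize_by_gid "$(make_demo_alerts)"
```

Point `summarize_by_gid` at the sensor's real alert file (for example /var/log/snort/alert): if gid 1 is absent or limited to a handful of sids while the preprocessor generators keep firing, the rule files are not being loaded or are not seeing the traffic, rather than the sensor being idle.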
