[Snort-users] Snort doesn't detect any kind of TCP traffic

Carlo Manuali carlo at ...14042...
Thu Jan 18 10:50:58 EST 2007


Hi to all.
(Excuse me if it's a duplicate message.)
I'd like to receive your help with this error that makes me crazy.
I've installed snort on a dual-homed host, with IP addresses of the form:
eth0 - 192.168.199.5 on 192.168.199.0/24 net
eth1 - 192.168.198.143 on 192.168.198.0/24 net
I use eth0 for admin purposes and with eth1 I monitor all
192.168.198.0/24 traffic
(I'm using a monitoring port of a 3com switch).
All seems to be OK: with tcpdump or snort (in sniffer mode) I see
that traffic on the console without any problem.
The database logging seems to work fine and I don't receive any
relevant error during snort startup.
Also I've defined:
var eth1_ADDRESS [192.168.198.143/32]
var HOME_NET $eth1_ADDRESS
var EXTERNAL_NET any

--> The problem is that I only receive these kinds of alerts (plus
sometimes some UDP messages)!!
(I see them in the BASE software):

Signature | Classification | Total # | Sensor # | Source Address | Dest. Address | First | Last
ICMP Destination Unreachable Communication Administratively Prohibited | misc-activity | 15 (0%) | 1 | 2 | 6 | 2006-12-15 11:33:52 | 2007-01-15 09:01:24
ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | misc-activity | 8084 (19%) | 1 | 2 | 33 | 2006-12-14 13:24:03 | 2007-01-11 10:13:37
ICMP Echo Reply | misc-activity | 2 (0%) | 1 | 1 | 1 | 2007-01-11 10:00:10 | 2007-01-11 10:00:11
ICMP PING | misc-activity | 16 (0%) | 1 | 4 | 1 | 2007-01-08 10:36:40 | 2007-01-08 11:14:02
(portscan) ICMP Filtered Sweep | unclassified | 1 (0%) | 1 | 1 | 1 | 2006-12-15 13:33:02 | 2006-12-15 13:33:02
ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | misc-activity | 3148 (8%) | 1 | 2 | 16 | 2006-12-11 14:48:23 | 2006-12-14 16:56:14
ICMP PING | misc-activity | 48 (0%) | 1 | 4 | 5 | 2006-12-11 22:17:22 | 2006-12-14 12:02:17
ICMP L3retriever Ping | attempted-recon | 41 (0%) | 1 | 2 | 2 | 2006-12-11 22:17:22 | 2006-12-14 12:02:17
ICMP Destination Unreachable Host Unreachable | misc-activity | 30046 (72%) | 1 | 2 | 4 | 2006-12-11 14:39:16 | 2006-12-14 10:52:48

I have many rules defined and I wrote my own rules as well,
but I can't see any kind of alert about TCP traffic, and none of
the defined rules match.
As an example (my own rules for ssh):

----------------------------------------------------------------------------------------
# cat /etc/snort/rules/unipg.rules
# Local rules carry sid/rev so each alert is identifiable in the alert output and in
# BASE; sids from 1000000 upwards are the range reserved for local rules.
alert tcp any any -> any 22 (msg:"ssh connection"; flags:S; sid:1000001; rev:1;)
alert tcp any any -> any 22 \
         (\
                 msg:"BETA Vulnerable SSH-2 Connection"; \
                 flags:PA; \
                 content:"SSH-2"; \
                 sid:1000002; rev:1; \
          )
----------------------------------------------------------------------------------------

Furthermore, none of the built-in rules match!

Where am I wrong?
Any ideas?
Thank you very much in advance.
Regards,
--Carlo


_________________________________________________________________________

   Dott. Carlo Manuali - carlo at ...14042...
   Responsabile Sicurezza Informatica

   Ripartizione Servizi Informatici e Statistici - University of Perugia
   Piazza dell'Universita' 1, 06123 - Perugia (PG), Italy
   Web:  http://www.unipg.it/carlo
   Tel:  +390755852370
   Fax:  +390755855180
_________________________________________________________________________
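As an added example, not part of the original post, the Python below evaluates the address/port part of a Snort rule header against constructed packets, using the HOME_NET and EXTERNAL_NET values defined in the post: it shows that a stock-style rule scoped to $HOME_NET can only match traffic addressed to 192.168.198.143 itself, never the rest of the monitored /24, while the poster's own `any any -> any 22` header is not limited this way. The rule HOME_NET_RULE, the sample packets and all helper names are constructed for the demonstration.

```python
# Added example (not from the original post): a minimal evaluator for the
# address/port part of a Snort rule header, to show which traffic a rule
# scoped to $HOME_NET can reach given the HOME_NET defined in the post.
import ipaddress

# Variables exactly as the post defines them: HOME_NET is only the sensor's eth1 address.
VARS = {"HOME_NET": "192.168.198.143/32", "EXTERNAL_NET": "any"}

def _addr_matches(spec, ip):
    """spec is 'any', a CIDR, or a $VAR, optionally negated with a leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def _port_matches(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport. Only '->' headers are handled."""
    proto, src, sport, arrow, dst, dport = rule.split("(")[0].split()[1:7]
    assert arrow == "->", "only unidirectional headers are handled here"
    return (proto == pkt["proto"]
            and _addr_matches(src, pkt["src"]) and _port_matches(sport, pkt["sport"])
            and _addr_matches(dst, pkt["dst"]) and _port_matches(dport, pkt["dport"]))

# Constructed sample packets: an SSH connection between two ordinary hosts on the
# monitored 192.168.198.0/24 segment, and one to the sensor's own eth1 address.
SSH_BETWEEN_HOSTS = {"proto": "tcp", "src": "192.168.198.50", "sport": 40000,
                     "dst": "192.168.198.60", "dport": 22}
SSH_TO_SENSOR = {"proto": "tcp", "src": "192.168.198.50", "sport": 40001,
                 "dst": "192.168.198.143", "dport": 22}

POSTERS_RULE = 'alert tcp any any -> any 22 (flags:S; msg:"ssh connection";)'
# A hypothetical stock-style header scoped to HOME_NET (constructed for this example).
HOME_NET_RULE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ssh to home";)'

def scope_report():
    return {
        "posters_rule_between_hosts": header_matches(POSTERS_RULE, SSH_BETWEEN_HOSTS),
        "home_net_rule_between_hosts": header_matches(HOME_NET_RULE, SSH_BETWEEN_HOSTS),
        "home_net_rule_to_sensor": header_matches(HOME_NET_RULE, SSH_TO_SENSOR),
    }

if __name__ == "__main__":
    for name, hit in scope_report().items():
        print(f"{name}: {hit}")
```

The report shows the poster's own header would match either flow, so a HOME_NET that is too narrow explains silence from $HOME_NET-scoped stock rules but not from his `any`-scoped rules; those need checking at the capture side (which interface snort reads and what reaches the monitor port).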