[Snort-users] Snort only alert about traffic with an specific IP

Berta Alcala berta83 at ...11827...
Fri May 30 04:12:39 EDT 2008

Thank you very much for your help.
I can not access to the switch I'm connected to, so I don't know how it is
configurated. I will try to get access to the switch.
I'm doing a degree essay at the University and the most important thing for
me is to know why something doesn't work, if the problem is the switch that
is enought for me. But what I really need to know is why some rules work and
why others don't.

If you use this rule, does it work for you? why not for me??

alert tcp $HOME_NET any -> any 1863 (msg:"CHAT MSN logout"; flags:PA+;
content:"OUT"; classtype:policy-violation; sid:1000009; rev:1;)

I have no problem with a rule to alert about MSN login, that is similar but
with content LoginTime" instead of "OUT"

Or this other one form info.rules ("INFO FTP no password", with sid:489,
works for me):

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login";
flow:from_server,established; content:"530 ";
pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)

There are many rules that don't work. I suppose the problem has to be in
snort.conf file.

2008/5/29 Jason Brvenik <jasonb at ...1935...>:

> Are you monitoring a span or mirror port?
> Berta Alcala wrote:
>> Hi,
>> I tried with this rule (only this rule, the rest were commented in
>> snort.conf):
>> alert tcp any any -> any any (msg:"TCP traffic";sid:1000011; rev:1;)
>> The only alerts registered are those which have my IP (source or
>> destination). Using Ethereal I only see traffic with my IP as source, or
>> destination, or broadcast traffic. I can not see a ping command between two
>> others PCs with Ethereal, neither with Snort (I attach a pcap file)
>> I have this information in snort.conf:
>> var HOME_NET <>
>> var EXTERNAL_NET any
>> Snort is installed as a Windows service with this command line:
>> snort /SERVICE /INSTALL -dev -c c:\Snort\etc\snort.conf -l c:\Snort\log
>> -i2
>> I use Windows XP+Snort 2.7+Base
>> Jason, How can I disable checksum?
>> 2008/5/27 Paul Schmehl <pschmehl_lists at ...14358... <mailto:
>> pschmehl_lists at ...14358...>>:
>>    Thousands of security professionals worldwide are using snort
>>    successfully. So, you can start with the safe assumption that the
>>    problem isn't snort.
>>    Whether or not snort alerts on traffic is entirely dependent upon
>>    two things:
>>    1) Traffic is passing the interface that snort is listening on
>>    2) You have snort properly configured to see that traffic.
>>    If you've convinced yourself, using Ethereal, that traffic *is*
>>    being seen on that interface, then that narrows the problem down to
>>    your configuration of snort.
>>    What have you defined $HOME_NET as?
>>    What have you defined $EXTERNAL_NET as?
>>    What rules have you enabled in snort.conf?
>>    What's your startup options for snort (what interface, where do you
>>    log, etc.)?
>>    To quickly see if snort is working at all, write a rule that looks
>>    for everything:
>>    alert ip any any -> any any (msg:"Testing for detection capability";
>>    sid:1000001; rev:1;)
>>    Don't even bother editing sid-msg.map.  All you care about is seeing
>>    that alerts are being generated.  Depending upon your traffic, this
>>    could generate a ton of alerts in short order, so be prepared to
>>    shut down snort before you get overwhelmed.
>>    What are you using to view the alerts?
>>    --    Paul Schmehl
>>    As if it wasn't already obvious,
>>    my opinions are my own and not
>>    those of my employer.
>> ------------------------------------------------------------------------
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Microsoft
>> Defy all challenges. Microsoft(R) Visual Studio 2008.
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>> ------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080530/8e7861fb/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: salida.log
Type: application/octet-stream
Size: 139762 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080530/8e7861fb/attachment.obj>

More information about the Snort-users mailing list