[Snort-users] Help to run snort on linux machine

Alex Kirk akirk at ...1935...
Tue Mar 2 09:09:09 EST 2010


Silly question, do you have any rules enabled? They don't come with a
default install of Snort these days, you have to go fetch them as a separate
package.

Also, since you just barely installed, you should be using 2.8.5.3, the
current version, instead of 2.8.5.1.

On Tue, Mar 2, 2010 at 6:42 AM, sri harsha <harsha536 at ...11827...> wrote:

> Hi,
>     I am not able to detect attack packets using snort on linux PC. I
> installed snort 2.8.5.1 on a linux PC. I'm using default configuration of
> snort.conf. I'm sending attack packets from another linux machine with
> destination as the snort installed PC. I'm using snot tool to send attack
> packets. I observed the following alert message on the snort PC, when I sent
> attack-response packets.
>
> [**] [128:4:1] (spp_ssh) Protocol mismatch [**]
> [Priority: 3]
> 03/02-11:00:08.532684 76.0.0.10:22 -> 4.4.4.10:49062
> TCP TTL:197 TOS:0x0 ID:5234 IpLen:20 DgmLen:763
> 1*U*P*S* Seq: 0xA34D20A2  Ack: 0x97C04470  Win: 0x4B58  TcpLen: 20  UrgPtr:
> 0x87D9
>
> [**] [122:1:0] (portscan) TCP Portscan [**]
> [Priority: 3]
> 03/02-11:00:08.532692 4.4.4.10 -> 76.0.0.10
> PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:155 DF
>
> [**] [128:4:1] (spp_ssh) Protocol mismatch [**]
> [Priority: 3]
> 03/02-11:00:14.590679 76.0.0.10:22 -> 4.4.4.10:17509
> TCP TTL:83 TOS:0x0 ID:50679 IpLen:20 DgmLen:406
> 1****RSF Seq: 0xD5A78410  Ack: 0xBE5E0E08  Win: 0x39F5  TcpLen: 20
>
> [**] [128:4:1] (spp_ssh) Protocol mismatch [**]
> [Priority: 3]
> 03/02-11:00:17.620154 76.0.0.10:22 -> 4.4.4.10:37210
> TCP TTL:252 TOS:0x0 ID:21173 IpLen:20 DgmLen:483
> 12U*P*S* Seq: 0xDB2FE072  Ack: 0x32A91A5C  Win: 0x8447  TcpLen: 20  UrgPtr:
> 0xEE86
>
>
> Do I need to make any changes in the configuration of snort.conf? Thanks
> for any help in advance.
>
> Thanks,
> Sriharsha
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
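A quick way to confirm Alex's point before touching snort.conf: the alerts quoted above carry generator IDs 128 (spp_ssh) and 122 (sfportscan), which are preprocessor alerts and fire even when no rule files are loaded at all. The script below is an added example, not code from this thread or from the Snort project: it reads a snort.conf, expands `var` definitions into the `include` lines, and reports which rule files are actually present and how many uncommented rules each contains. The configuration text and the rules directory it builds are constructed for the demonstration; the local-rule sid and the file names are assumptions.

```python
import os
import re
import tempfile

# Constructed snort.conf fragment (not the poster's file). A stock 2.8.x
# snort.conf ships with "include $RULE_PATH/..." lines, but the referenced
# .rules files only exist once a rules package has been unpacked.
SAMPLE_CONF = """\
var HOME_NET any
var RULE_PATH ../rules
preprocessor ssh: server_ports { 22 } max_client_bytes 19600
include $RULE_PATH/local.rules
include $RULE_PATH/attack-responses.rules
# include $RULE_PATH/disabled.rules
"""

# A rule line is live only if it starts with a Snort action keyword.
ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s")


def parse_includes(conf_text):
    """Return include paths with $NAME references expanded from earlier
    'var NAME value' lines; commented-out includes are ignored."""
    variables = {}
    includes = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "var" and len(parts) >= 3:
            variables[parts[1]] = parts[2]
        elif parts[0] == "include" and len(parts) >= 2:
            path = parts[1]
            for name, value in variables.items():
                path = path.replace("$" + name, value)
            includes.append(path)
    return includes


def count_active_rules(rule_file):
    """Count uncommented rule lines in one .rules file."""
    count = 0
    with open(rule_file) as fh:
        for line in fh:
            if ACTION_RE.match(line.lstrip()):
                count += 1
    return count


def audit_rules(conf_text, conf_dir):
    """Resolve every include relative to the snort.conf directory.
    Returns ({include: active_rule_count}, [missing includes])."""
    active = {}
    missing = []
    for rel in parse_includes(conf_text):
        path = os.path.normpath(os.path.join(conf_dir, rel))
        if os.path.isfile(path):
            active[rel] = count_active_rules(path)
        else:
            missing.append(rel)
    return active, missing


def demo():
    """Build a throwaway layout that mirrors a fresh install: snort.conf
    includes two rule files, but only local.rules exists, holding one
    enabled rule and one commented-out rule (both constructed)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "rules"))
    with open(os.path.join(root, "rules", "local.rules"), "w") as fh:
        fh.write('# alert tcp any any -> any 22 (msg:"commented out"; sid:1000000; rev:1;)\n')
        fh.write('alert tcp any any -> $HOME_NET 22 (msg:"constructed test"; sid:1000001; rev:1;)\n')
    return audit_rules(SAMPLE_CONF, os.path.join(root, "etc"))


if __name__ == "__main__":
    active, missing = demo()
    for inc, n in active.items():
        print(f"{inc}: {n} active rule(s)")
    for inc in missing:
        print(f"{inc}: MISSING (rules package not installed?)")
```

Run against a real install as `audit_rules(open("/etc/snort/snort.conf").read(), "/etc/snort")`; a long list of missing includes with zero active rules is the symptom Alex describes, and the fix is to install the rules package rather than to edit the preprocessor settings.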