[Snort-users] Help to run snort on linux machine

Alex Kirk akirk at ...1935...
Tue Mar 2 09:34:51 EST 2010


OK, even sillier follow-up - my apologies for replying before morning
coffee.

Snot is a stateless packet generator - i.e. it sends packets without
establishing a proper 3-way TCP handshake first. While that's handy for
annoying old versions of Snort, before the stream preprocessor (and
potentially hosing up poorly-written TCP stacks), destination machines will
never receive TCP packets outside of a valid session, and so Snort just
quietly drops them. Since virtually all of our TCP-based rules require an
established TCP session anyway, it makes perfect sense that you're not
getting any alerts.

If you need to test Snort, I would suggest looking for a different source of
traffic. Wireshark's packet capture library has some cool stuff, and you can
of course generate your own traffic as well.

On Tue, Mar 2, 2010 at 6:42 AM, sri harsha <harsha536 at ...11827...> wrote:

> Hi,
>     I am not able to detect attack packets using snort on a Linux PC. I
> installed snort 2.8.5.1 on a Linux PC. I'm using the default configuration of
> snort.conf. I'm sending attack packets from another Linux machine with
> destination as the snort-installed PC. I'm using the snot tool to send attack
> packets. I observed the following alert messages on the snort PC when I sent
> attack-response packets.
>
> [**] [128:4:1] (spp_ssh) Protocol mismatch [**]
> [Priority: 3]
> 03/02-11:00:08.532684 76.0.0.10:22 -> 4.4.4.10:49062
> TCP TTL:197 TOS:0x0 ID:5234 IpLen:20 DgmLen:763
> 1*U*P*S* Seq: 0xA34D20A2  Ack: 0x97C04470  Win: 0x4B58  TcpLen: 20  UrgPtr:
> 0x87D9
>
> [**] [122:1:0] (portscan) TCP Portscan [**]
> [Priority: 3]
> 03/02-11:00:08.532692 4.4.4.10 -> 76.0.0.10
> PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:155 DF
>
> [**] [128:4:1] (spp_ssh) Protocol mismatch [**]
> [Priority: 3]
> 03/02-11:00:14.590679 76.0.0.10:22 -> 4.4.4.10:17509
> TCP TTL:83 TOS:0x0 ID:50679 IpLen:20 DgmLen:406
> 1****RSF Seq: 0xD5A78410  Ack: 0xBE5E0E08  Win: 0x39F5  TcpLen: 20
>
> [**] [128:4:1] (spp_ssh) Protocol mismatch [**]
> [Priority: 3]
> 03/02-11:00:17.620154 76.0.0.10:22 -> 4.4.4.10:37210
> TCP TTL:252 TOS:0x0 ID:21173 IpLen:20 DgmLen:483
> 12U*P*S* Seq: 0xDB2FE072  Ack: 0x32A91A5C  Win: 0x8447  TcpLen: 20  UrgPtr:
> 0xEE86
>
>
> Do I need to make any changes in the configuration of snort.conf? Thanks
> for any help in advance.
>
> Thanks,
> Sriharsha
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
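As an added illustration (not code from this thread or from Snort itself), here is a toy Python model of the stream-tracking behaviour Alex describes: a rule carrying `flow:established` only sees a packet once a SYN / SYN-ACK / ACK exchange has been observed for its flow, so a stateless snot-style packet, even one carrying a matching payload, produces no alert. All addresses, ports and payloads are constructed.

```python
from collections import namedtuple

# Constructed packet summary; flags are letters from "SAFRPU"
Packet = namedtuple("Packet", "src sport dst dport flags payload", defaults=(b"",))

class StreamTracker:
    """Toy stream preprocessor: a flow is 'established' only after a full
    SYN / SYN-ACK / ACK exchange has been seen, in order."""

    def __init__(self):
        self.state = {}   # flow key -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    @staticmethod
    def key(p):
        # direction-independent key so both sides map to one flow entry
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def observe(self, p):
        """Advance the flow state; return True if p sits in an established session."""
        k = self.key(p)
        st = self.state.get(k)
        if "R" in p.flags:
            self.state.pop(k, None)        # RST tears the session down
        elif "S" in p.flags and "A" not in p.flags:
            self.state[k] = "SYN_SENT"     # bare SYN (snot's SYN+PSH+URG lands here too)
        elif "S" in p.flags and st == "SYN_SENT":
            self.state[k] = "SYN_RECV"     # SYN-ACK answering a tracked SYN
        elif "A" in p.flags and st == "SYN_RECV":
            self.state[k] = "ESTABLISHED"  # final ACK completes the handshake
        return self.state.get(k) == "ESTABLISHED"

def alerts_for(packets, port=22, content=b"SSH-"):
    """Mimic a rule like 'flow:established; content:"SSH-";' on TCP port 22."""
    tracker, hits = StreamTracker(), []
    for p in packets:
        if tracker.observe(p) and port in (p.sport, p.dport) and content in p.payload:
            hits.append((p.src, p.sport, p.dst, p.dport))
    return hits

def handshake(client, cport, server, sport):
    return [Packet(client, cport, server, sport, "S"),
            Packet(server, sport, client, cport, "SA"),
            Packet(client, cport, server, sport, "A")]

# Constructed samples: a stateless snot-style packet vs. the same payload inside a session
STATELESS = [Packet("76.0.0.10", 22, "4.4.4.10", 49062, "SPU", b"SSH-2.0-banner")]
SESSION = handshake("4.4.4.10", 49062, "76.0.0.10", 22) + [
    Packet("76.0.0.10", 22, "4.4.4.10", 49062, "PA", b"SSH-2.0-banner")]
```

`alerts_for(STATELESS)` returns an empty list while `alerts_for(SESSION)` returns one hit, which is the behaviour the reply above attributes to Snort's stream preprocessor.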