[Snort-users] Installing Snort

Damien Hull dhull at ...15333...
Fri Jul 8 16:05:10 EDT 2011


Here's what I have in /usr/local/snort/rules...

total 10356
-rw-r--r-- 1 1210 1210   18236 Apr  4 17:59 VRT-License.txt
-rw-r--r-- 1 1210 1210    5463 Jun  7 16:35 attack-responses.rules
-rw-r--r-- 1 1210 1210  312012 Jun  7 16:35 backdoor.rules
-rw-r--r-- 1 1210 1210    1862 Jun  7 16:35 bad-traffic.rules
-rw-r--r-- 1 1210 1210  132557 Jun  7 16:35 blacklist.rules
-rw-r--r-- 1 1210 1210   49738 Jun  7 16:35 botnet-cnc.rules
-rw-r--r-- 1 1210 1210   20259 Jun  7 16:35 chat.rules
-rw-r--r-- 1 1210 1210    8642 Jun  7 16:35 content-replace.rules
-rw-r--r-- 1 1210 1210    8237 Jun  7 16:35 ddos.rules
-rw-r--r-- 1 1210 1210 5048660 Jun  7 16:35 deleted.rules
-rw-r--r-- 1 1210 1210   11722 Jun  7 16:35 dns.rules
-rw-r--r-- 1 1210 1210   25338 Jun  7 16:35 dos.rules
-rw-r--r-- 1 1210 1210    1327 May 16  2005 experimental.rules
-rw-r--r-- 1 1210 1210  147124 Jun  7 16:35 exploit.rules
-rw-r--r-- 1 1210 1210    4579 Jun  7 16:35 finger.rules
-rw-r--r-- 1 1210 1210   33901 Jun  7 16:35 ftp.rules
-rw-r--r-- 1 1210 1210   17265 Jun  7 16:35 icmp-info.rules
-rw-r--r-- 1 1210 1210    3756 Jun  7 16:35 icmp.rules
-rw-r--r-- 1 1210 1210   31824 Jun  7 16:35 imap.rules
-rw-r--r-- 1 1210 1210    1041 Jun  7 16:35 info.rules
-rw-r--r-- 1 1210 1210     199 Jun  7 16:35 local.rules
-rw-r--r-- 1 1210 1210   24059 Jun  7 16:35 misc.rules
-rw-r--r-- 1 1210 1210    7166 Jun  7 16:35 multimedia.rules
-rw-r--r-- 1 1210 1210   13845 Jun  7 16:35 mysql.rules
-rw-r--r-- 1 1210 1210  217140 Jun  7 16:35 netbios.rules
-rw-r--r-- 1 1210 1210    5804 Jun  7 16:35 nntp.rules
-rw-r--r-- 1 1210 1210    1246 Jun  7 16:35 open-test.conf
-rw-r--r-- 1 1210 1210  208849 Jun  7 16:35 oracle.rules
-rw-r--r-- 1 1210 1210    1490 Jun  7 16:35 other-ids.rules
-rw-r--r-- 1 1210 1210    6432 Jun  7 16:35 p2p.rules
-rw-r--r-- 1 1210 1210   56702 Jun  7 16:35 phishing-spam.rules
-rw-r--r-- 1 1210 1210   47381 Jun  7 16:35 policy.rules
-rw-r--r-- 1 1210 1210    1046 Jun  7 16:35 pop2.rules
-rw-r--r-- 1 1210 1210   15701 Jun  7 16:35 pop3.rules
-rw-r--r-- 1 1210 1210   91675 Jun  7 16:35 rpc.rules
-rw-r--r-- 1 1210 1210    3984 Jun  7 16:35 rservices.rules
-rw-r--r-- 1 1210 1210   42175 Jun  7 16:35 scada.rules
-rw-r--r-- 1 1210 1210    5307 Jun  7 16:35 scan.rules
-rw-r--r-- 1 1210 1210   13707 Jun  7 16:35 shellcode.rules
-rw-r--r-- 1 1210 1210   91705 Jun  7 16:35 smtp.rules
-rw-r--r-- 1 1210 1210    7250 Jun  7 16:35 snmp.rules
-rw-r--r-- 1 1210 1210  335177 Jun  7 16:35 specific-threats.rules
-rw-r--r-- 1 1210 1210  546411 Jun  7 16:35 spyware-put.rules
-rw-r--r-- 1 1210 1210   46695 Jun  7 16:35 sql.rules
-rw-r--r-- 1 1210 1210    7904 Jun  7 16:35 telnet.rules
-rw-r--r-- 1 1210 1210    6410 Jun  7 16:35 tftp.rules
-rw-r--r-- 1 1210 1210    1574 Jun  7 16:35 virus.rules
-rw-r--r-- 1 1210 1210   26552 Jun  7 16:35 voip.rules
-rw-r--r-- 1 1210 1210 1943280 Jun  7 16:35 web-activex.rules
-rw-r--r-- 1 1210 1210    1470 Jun  7 16:35 web-attacks.rules
-rw-r--r-- 1 1210 1210  119084 Jun  7 16:35 web-cgi.rules
-rw-r--r-- 1 1210 1210  264702 Jun  7 16:35 web-client.rules
-rw-r--r-- 1 1210 1210   14403 Jun  7 16:35 web-coldfusion.rules
-rw-r--r-- 1 1210 1210   12895 Jun  7 16:35 web-frontpage.rules
-rw-r--r-- 1 1210 1210   53052 Jun  7 16:35 web-iis.rules
-rw-r--r-- 1 1210 1210  221135 Jun  7 16:35 web-misc.rules
-rw-r--r-- 1 1210 1210   51100 Jun  7 16:35 web-php.rules
-rw-r--r-- 1 1210 1210    1891 Jun  7 16:35 x11.rules

On Jul 8, 2011, at 11:18 AM, Michael Lubinski <michael.lubinski at ...11827...>
wrote:

What is in the rules directory?

On Fri, Jul 8, 2011 at 2:09 PM, Damien Hull <dhull at ...15333...> wrote:

> I compiled snort for Ubuntu 10.04 following the instructions on the
> snort website. I installed the snort rules. Snort and barnyard2 start.
> There are snort files in /var/log/snort. However, there's nothing in
> the log files. The database doesn't contain any info.
>
> I did a port scan of the system. I'm assuming snort should pick that
> up. Again, nothing in the log files or in the database. I'm using
> snort report just like the documentation says.
>
> Can someone point me in some kind of direction? I must be missing
> something.
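A rule file sitting in /usr/local/snort/rules does nothing by itself: Snort only loads the files that snort.conf pulls in with an `include $RULE_PATH/<file>` line, and a file such as local.rules that holds only comments contributes no signatures at all. The script below is an added example, not part of this thread or of the Snort distribution; it assumes the standard Snort 2.x `include $RULE_PATH/...` syntax and builds a small, constructed rules directory and snort.conf in a temporary directory so it can be run offline. It reports which .rules files on disk are never included and how many uncommented rules a given file actually contains.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Two diagnostics for the
# "rules are installed but nothing ever alerts" situation:
#   unused_rules      RULES_DIR SNORT_CONF -> .rules files never included
#   active_rule_count RULES_FILE           -> number of uncommented rules

# Print every *.rules file in RULES_DIR that snort.conf does not include.
# A commented-out "# include $RULE_PATH/x.rules" line does not count.
unused_rules() {
    rules_dir=$1
    conf=$2
    for f in "$rules_dir"/*.rules; do
        name=$(basename "$f")
        # Escape the dots so "scan.rules" is matched literally by grep -E.
        esc=$(printf '%s' "$name" | sed 's/\./\\./g')
        if ! grep -Eq "^[[:space:]]*include[[:space:]]+\\\$RULE_PATH/$esc[[:space:]]*$" "$conf"; then
            echo "$name"
        fi
    done
}

# Count lines in RULES_FILE that start with a rule action keyword.
# grep -c prints 0 and exits 1 when nothing matches, hence the "|| true".
active_rule_count() {
    grep -Ec '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1" || true
}

# Constructed demonstration layout (hypothetical contents, not the poster's
# files): one empty local.rules, one included icmp.rules, and a scan.rules
# whose include line has been commented out.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/rules"
    printf 'alert tcp any any -> any 22 (msg:"constructed ssh rule"; sid:1000001; rev:1;)\n' \
        > "$tmp/rules/scan.rules"
    printf '# local.rules: comments only, no rules\n' > "$tmp/rules/local.rules"
    printf 'alert icmp any any -> any any (msg:"constructed icmp rule"; sid:1000002; rev:1;)\n' \
        > "$tmp/rules/icmp.rules"
    cat > "$tmp/snort.conf" <<'EOF'
var RULE_PATH /usr/local/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/icmp.rules
# include $RULE_PATH/scan.rules
EOF
    echo "Rule files on disk that snort.conf never includes:"
    unused_rules "$tmp/rules" "$tmp/snort.conf"
    echo "Active rules in local.rules: $(active_rule_count "$tmp/rules/local.rules")"
    echo "Active rules in scan.rules:  $(active_rule_count "$tmp/rules/scan.rules")"
    rm -rf "$tmp"
}

demo
```

Run it against a real installation as `unused_rules /usr/local/snort/rules /usr/local/snort/etc/snort.conf`; any file it prints is one whose signatures cannot fire, and `snort -T -c snort.conf` is the complementary check that the files which are included parse cleanly.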