[Snort-users] Installing Snort

Damien Hull dhull at ...15333...
Fri Jul 8 16:28:22 EDT 2011


I have snort installed on a web server. It only needs to see incoming
attacks so that should be working. I double checked snort.conf rules and
found the port scan rule was commented out. Even after uncommenting that
rule it doesn't work.

Nothing shows up in /var/log/snort/snort or the snort report database. I'm
thinking something was left out of the instructions on snort.org. I double
checked my configuration several times.


On Jul 8, 2011, at 12:11 PM, Michael Lubinski <michael.lubinski at ...11827...>
wrote:

Is your snort sensor able to see the traffic? (span port, connected via a
hub?)
Are the rules uncommented in snort.conf?

On Fri, Jul 8, 2011 at 3:05 PM, Damien Hull <dhull at ...15333...> wrote:

> Here's what I have in /usr/local/snort/rules...
>
> total 10356
> -rw-r--r-- 1 1210 1210   18236 Apr  4 17:59 VRT-License.txt
> -rw-r--r-- 1 1210 1210    5463 Jun  7 16:35 attack-responses.rules
> -rw-r--r-- 1 1210 1210  312012 Jun  7 16:35 backdoor.rules
> -rw-r--r-- 1 1210 1210    1862 Jun  7 16:35 bad-traffic.rules
> -rw-r--r-- 1 1210 1210  132557 Jun  7 16:35 blacklist.rules
> -rw-r--r-- 1 1210 1210   49738 Jun  7 16:35 botnet-cnc.rules
> -rw-r--r-- 1 1210 1210   20259 Jun  7 16:35 chat.rules
> -rw-r--r-- 1 1210 1210    8642 Jun  7 16:35 content-replace.rules
> -rw-r--r-- 1 1210 1210    8237 Jun  7 16:35 ddos.rules
> -rw-r--r-- 1 1210 1210 5048660 Jun  7 16:35 deleted.rules
> -rw-r--r-- 1 1210 1210   11722 Jun  7 16:35 dns.rules
> -rw-r--r-- 1 1210 1210   25338 Jun  7 16:35 dos.rules
> -rw-r--r-- 1 1210 1210    1327 May 16  2005 experimental.rules
> -rw-r--r-- 1 1210 1210  147124 Jun  7 16:35 exploit.rules
> -rw-r--r-- 1 1210 1210    4579 Jun  7 16:35 finger.rules
> -rw-r--r-- 1 1210 1210   33901 Jun  7 16:35 ftp.rules
> -rw-r--r-- 1 1210 1210   17265 Jun  7 16:35 icmp-info.rules
> -rw-r--r-- 1 1210 1210    3756 Jun  7 16:35 icmp.rules
> -rw-r--r-- 1 1210 1210   31824 Jun  7 16:35 imap.rules
> -rw-r--r-- 1 1210 1210    1041 Jun  7 16:35 info.rules
> -rw-r--r-- 1 1210 1210     199 Jun  7 16:35 local.rules
> -rw-r--r-- 1 1210 1210   24059 Jun  7 16:35 misc.rules
> -rw-r--r-- 1 1210 1210    7166 Jun  7 16:35 multimedia.rules
> -rw-r--r-- 1 1210 1210   13845 Jun  7 16:35 mysql.rules
> -rw-r--r-- 1 1210 1210  217140 Jun  7 16:35 netbios.rules
> -rw-r--r-- 1 1210 1210    5804 Jun  7 16:35 nntp.rules
> -rw-r--r-- 1 1210 1210    1246 Jun  7 16:35 open-test.conf
> -rw-r--r-- 1 1210 1210  208849 Jun  7 16:35 oracle.rules
> -rw-r--r-- 1 1210 1210    1490 Jun  7 16:35 other-ids.rules
> -rw-r--r-- 1 1210 1210    6432 Jun  7 16:35 p2p.rules
> -rw-r--r-- 1 1210 1210   56702 Jun  7 16:35 phishing-spam.rules
> -rw-r--r-- 1 1210 1210   47381 Jun  7 16:35 policy.rules
> -rw-r--r-- 1 1210 1210    1046 Jun  7 16:35 pop2.rules
> -rw-r--r-- 1 1210 1210   15701 Jun  7 16:35 pop3.rules
> -rw-r--r-- 1 1210 1210   91675 Jun  7 16:35 rpc.rules
> -rw-r--r-- 1 1210 1210    3984 Jun  7 16:35 rservices.rules
> -rw-r--r-- 1 1210 1210   42175 Jun  7 16:35 scada.rules
> -rw-r--r-- 1 1210 1210    5307 Jun  7 16:35 scan.rules
> -rw-r--r-- 1 1210 1210   13707 Jun  7 16:35 shellcode.rules
> -rw-r--r-- 1 1210 1210   91705 Jun  7 16:35 smtp.rules
> -rw-r--r-- 1 1210 1210    7250 Jun  7 16:35 snmp.rules
> -rw-r--r-- 1 1210 1210  335177 Jun  7 16:35 specific-threats.rules
> -rw-r--r-- 1 1210 1210  546411 Jun  7 16:35 spyware-put.rules
> -rw-r--r-- 1 1210 1210   46695 Jun  7 16:35 sql.rules
> -rw-r--r-- 1 1210 1210    7904 Jun  7 16:35 telnet.rules
> -rw-r--r-- 1 1210 1210    6410 Jun  7 16:35 tftp.rules
> -rw-r--r-- 1 1210 1210    1574 Jun  7 16:35 virus.rules
> -rw-r--r-- 1 1210 1210   26552 Jun  7 16:35 voip.rules
> -rw-r--r-- 1 1210 1210 1943280 Jun  7 16:35 web-activex.rules
> -rw-r--r-- 1 1210 1210    1470 Jun  7 16:35 web-attacks.rules
> -rw-r--r-- 1 1210 1210  119084 Jun  7 16:35 web-cgi.rules
> -rw-r--r-- 1 1210 1210  264702 Jun  7 16:35 web-client.rules
> -rw-r--r-- 1 1210 1210   14403 Jun  7 16:35 web-coldfusion.rules
> -rw-r--r-- 1 1210 1210   12895 Jun  7 16:35 web-frontpage.rules
> -rw-r--r-- 1 1210 1210   53052 Jun  7 16:35 web-iis.rules
> -rw-r--r-- 1 1210 1210  221135 Jun  7 16:35 web-misc.rules
> -rw-r--r-- 1 1210 1210   51100 Jun  7 16:35 web-php.rules
> -rw-r--r-- 1 1210 1210    1891 Jun  7 16:35 x11.rules
>
> On Jul 8, 2011, at 11:18 AM, Michael Lubinski <michael.lubinski at ...11827...>
> wrote:
>
> What is in the rules directory?
>
> On Fri, Jul 8, 2011 at 2:09 PM, Damien Hull <dhull at ...15333...> wrote:
>
>> I compiled snort for Ubuntu 10.04 following the instructions on the
>> snort website. I installed the snort rules. Snort and barnyard2 start.
>> There are snort files in /var/log/snort. However, there's nothing in
>> the log files. The database doesn't contain any info.
>>
>> I did a port scan of the system. I'm assuming snort should pick that
>> up. Again, nothing in the log files or in the database. I'm using
>> snort report just like the documentation says.
>>
>> Can someone point me in some kind of direction? I must be missing
>> something.
>>
>>
>
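As an added example, not code from anyone in the thread: a small Python lint for the checks raised above (rule includes that are still commented out, whether an output plugin is configured so barnyard2 has something to read, and whether the sfportscan preprocessor is enabled, since Snort's port-scan detection comes from that preprocessor rather than from a rule file). The snort.conf excerpt is constructed for the example; it cannot tell you whether the sensor actually sees the traffic, which is the first question Michael asks.

```python
import re

# Constructed snort.conf excerpt (not the poster's real file): sfportscan and
# two rule includes are commented out; an output plugin is configured.
SAMPLE_CONF = """\
var RULE_PATH /usr/local/snort/rules
ipvar HOME_NET any
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
output unified2: filename snort.log, limit 128
include $RULE_PATH/local.rules
# include $RULE_PATH/scan.rules
#include $RULE_PATH/web-attacks.rules
"""

# An include line, optionally preceded by a '#' (Snort's comment marker).
INCLUDE_RE = re.compile(r'^(#\s*)?include\s+(\S+)')


def lint_snort_conf(text):
    """Collect active and commented rule includes, and whether sfportscan
    and an output plugin are enabled (commented lines are skipped)."""
    active, commented = [], []
    portscan_on = output_on = False
    for raw in text.splitlines():
        line = raw.strip()
        m = INCLUDE_RE.match(line)
        if m:
            (commented if m.group(1) else active).append(m.group(2))
        elif line.startswith('preprocessor sfportscan'):
            portscan_on = True
        elif line.startswith('output '):
            output_on = True
    return {'active_includes': active, 'commented_includes': commented,
            'sfportscan_enabled': portscan_on, 'output_configured': output_on}


def report(findings):
    """One line per problem; an empty list means the config passes these checks."""
    problems = []
    if not findings['sfportscan_enabled']:
        problems.append('sfportscan preprocessor disabled: port scans will not alert')
    if not findings['output_configured']:
        problems.append('no output plugin configured: nothing is written for barnyard2')
    for path in findings['commented_includes']:
        problems.append('rule file commented out: ' + path)
    if not findings['active_includes']:
        problems.append('no rule files are included at all')
    return problems


if __name__ == '__main__':
    for problem in report(lint_snort_conf(SAMPLE_CONF)):
        print(problem)
```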