[Snort-users] Installing Snort

Martin Holste mcholste at ...11827...
Fri Jul 8 17:32:36 EDT 2011


End snort and look at the stats to be sure it inspected packets.
Also, beware of the discarded packets due to bad checksum.  I run with
"config checksum_mode: none" to avoid problems.

On Fri, Jul 8, 2011 at 3:28 PM, Damien Hull <dhull at ...15333...> wrote:
> I have snort installed on a web server. It only needs to see incoming
> attacks so that should be working. I double checked snort.conf rules and
> found the port scan rule was commented out. Even after uncommenting that
> rule it doesn't work.
> Nothing shows up in /var/log/snort/snort or the snort report database. I'm
> thinking something was left out of the instructions on snort.org. I double
> checked my configuration several times.
>
> On Jul 8, 2011, at 12:11 PM, Michael Lubinski <michael.lubinski at ...14459.....>
> wrote:
>
> Is your snort sensor able to see the traffic? (span port, connected via a
> hub?)
> Are the rules uncommented in snort.conf?
>
> On Fri, Jul 8, 2011 at 3:05 PM, Damien Hull <dhull at ...15333...> wrote:
>>
>> Here's what I have in /usr/local/snort/rules...
>> total 10356
>> -rw-r--r-- 1 1210 1210   18236 Apr  4 17:59 VRT-License.txt
>> -rw-r--r-- 1 1210 1210    5463 Jun  7 16:35 attack-responses.rules
>> -rw-r--r-- 1 1210 1210  312012 Jun  7 16:35 backdoor.rules
>> -rw-r--r-- 1 1210 1210    1862 Jun  7 16:35 bad-traffic.rules
>> -rw-r--r-- 1 1210 1210  132557 Jun  7 16:35 blacklist.rules
>> -rw-r--r-- 1 1210 1210   49738 Jun  7 16:35 botnet-cnc.rules
>> -rw-r--r-- 1 1210 1210   20259 Jun  7 16:35 chat.rules
>> -rw-r--r-- 1 1210 1210    8642 Jun  7 16:35 content-replace.rules
>> -rw-r--r-- 1 1210 1210    8237 Jun  7 16:35 ddos.rules
>> -rw-r--r-- 1 1210 1210 5048660 Jun  7 16:35 deleted.rules
>> -rw-r--r-- 1 1210 1210   11722 Jun  7 16:35 dns.rules
>> -rw-r--r-- 1 1210 1210   25338 Jun  7 16:35 dos.rules
>> -rw-r--r-- 1 1210 1210    1327 May 16  2005 experimental.rules
>> -rw-r--r-- 1 1210 1210  147124 Jun  7 16:35 exploit.rules
>> -rw-r--r-- 1 1210 1210    4579 Jun  7 16:35 finger.rules
>> -rw-r--r-- 1 1210 1210   33901 Jun  7 16:35 ftp.rules
>> -rw-r--r-- 1 1210 1210   17265 Jun  7 16:35 icmp-info.rules
>> -rw-r--r-- 1 1210 1210    3756 Jun  7 16:35 icmp.rules
>> -rw-r--r-- 1 1210 1210   31824 Jun  7 16:35 imap.rules
>> -rw-r--r-- 1 1210 1210    1041 Jun  7 16:35 info.rules
>> -rw-r--r-- 1 1210 1210     199 Jun  7 16:35 local.rules
>> -rw-r--r-- 1 1210 1210   24059 Jun  7 16:35 misc.rules
>> -rw-r--r-- 1 1210 1210    7166 Jun  7 16:35 multimedia.rules
>> -rw-r--r-- 1 1210 1210   13845 Jun  7 16:35 mysql.rules
>> -rw-r--r-- 1 1210 1210  217140 Jun  7 16:35 netbios.rules
>> -rw-r--r-- 1 1210 1210    5804 Jun  7 16:35 nntp.rules
>> -rw-r--r-- 1 1210 1210    1246 Jun  7 16:35 open-test.conf
>> -rw-r--r-- 1 1210 1210  208849 Jun  7 16:35 oracle.rules
>> -rw-r--r-- 1 1210 1210    1490 Jun  7 16:35 other-ids.rules
>> -rw-r--r-- 1 1210 1210    6432 Jun  7 16:35 p2p.rules
>> -rw-r--r-- 1 1210 1210   56702 Jun  7 16:35 phishing-spam.rules
>> -rw-r--r-- 1 1210 1210   47381 Jun  7 16:35 policy.rules
>> -rw-r--r-- 1 1210 1210    1046 Jun  7 16:35 pop2.rules
>> -rw-r--r-- 1 1210 1210   15701 Jun  7 16:35 pop3.rules
>> -rw-r--r-- 1 1210 1210   91675 Jun  7 16:35 rpc.rules
>> -rw-r--r-- 1 1210 1210    3984 Jun  7 16:35 rservices.rules
>> -rw-r--r-- 1 1210 1210   42175 Jun  7 16:35 scada.rules
>> -rw-r--r-- 1 1210 1210    5307 Jun  7 16:35 scan.rules
>> -rw-r--r-- 1 1210 1210   13707 Jun  7 16:35 shellcode.rules
>> -rw-r--r-- 1 1210 1210   91705 Jun  7 16:35 smtp.rules
>> -rw-r--r-- 1 1210 1210    7250 Jun  7 16:35 snmp.rules
>> -rw-r--r-- 1 1210 1210  335177 Jun  7 16:35 specific-threats.rules
>> -rw-r--r-- 1 1210 1210  546411 Jun  7 16:35 spyware-put.rules
>> -rw-r--r-- 1 1210 1210   46695 Jun  7 16:35 sql.rules
>> -rw-r--r-- 1 1210 1210    7904 Jun  7 16:35 telnet.rules
>> -rw-r--r-- 1 1210 1210    6410 Jun  7 16:35 tftp.rules
>> -rw-r--r-- 1 1210 1210    1574 Jun  7 16:35 virus.rules
>> -rw-r--r-- 1 1210 1210   26552 Jun  7 16:35 voip.rules
>> -rw-r--r-- 1 1210 1210 1943280 Jun  7 16:35 web-activex.rules
>> -rw-r--r-- 1 1210 1210    1470 Jun  7 16:35 web-attacks.rules
>> -rw-r--r-- 1 1210 1210  119084 Jun  7 16:35 web-cgi.rules
>> -rw-r--r-- 1 1210 1210  264702 Jun  7 16:35 web-client.rules
>> -rw-r--r-- 1 1210 1210   14403 Jun  7 16:35 web-coldfusion.rules
>> -rw-r--r-- 1 1210 1210   12895 Jun  7 16:35 web-frontpage.rules
>> -rw-r--r-- 1 1210 1210   53052 Jun  7 16:35 web-iis.rules
>> -rw-r--r-- 1 1210 1210  221135 Jun  7 16:35 web-misc.rules
>> -rw-r--r-- 1 1210 1210   51100 Jun  7 16:35 web-php.rules
>> -rw-r--r-- 1 1210 1210    1891 Jun  7 16:35 x11.rules
>>
>> On Jul 8, 2011, at 11:18 AM, Michael Lubinski <michael.lubinski at ...13704......>
>> wrote:
>>
>> What is in the rules directory?
>>
>> On Fri, Jul 8, 2011 at 2:09 PM, Damien Hull <dhull at ...15333...> wrote:
>>>
>>> I compiled snort for Ubuntu 10.04 following the instructions on the
>>> snort website. I installed the snort rules. Snort and barnyard2 start.
>>> There are snort files in /var/log/snort. However, there's nothing in
>>> the log files. The database doesn't contain any info.
>>>
>>> I did a port scan of the system. I'm assuming snort should pick that
>>> up. Again, nothing in the log files or in the database. I'm using
>>> snort report just like the documentation says.
>>>
>>> Can someone point me in some kind of direction? I must be missing
>>> something.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> All of the data generated in your IT infrastructure is seriously
>>> valuable.
>>> Why? It contains a definitive record of application performance, security
>>> threats, fraudulent activity, and more. Splunk takes this data and makes
>>> sense of it. IT sense. And common sense.
>>> http://p.sf.net/sfu/splunk-d2d-c2
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>> Please see http://www.snort.org/docs for documentation
>>
>
>

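As an added example (not code from this thread), a small Python script that applies the three checks raised above (does the sensor see traffic at all, how many packets were thrown away for bad checksums, did any rule fire) to the per-run statistics Snort prints when it exits; the sample summary is constructed and its counter names assume the Snort 2.9 exit-summary layout.

```python
import re

# Constructed sample, modelled on the Snort 2.9 exit summary (assumption:
# counter names "Received", "Analyzed", "Dropped", "Bad Chk Sum", "Alerts").
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:         4821
   Analyzed:         4821 (100.000%)
   Dropped:             0 (  0.000%)
   Filtered:            0 (  0.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      Eth:         4821 (100.000%)
      IP4:         4790 ( 99.357%)
      TCP:         4500 ( 93.342%)
  Bad Chk Sum:     2310 ( 47.916%)
    Total:         4821
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
"""

# Matches "   Name:   1234" lines; section headers contain '/' or '(' and are skipped.
COUNTER = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s+(\d+)", re.M)

def parse_stats(text):
    """Return {counter_name: count} for every 'Name: N' line in the summary."""
    return {m.group(1).strip(): int(m.group(2)) for m in COUNTER.finditer(text)}

def diagnose(stats, bad_checksum_ratio=0.05):
    """Apply the thread's checks in order: traffic visibility, capture drops,
    checksum discards, then whether any rule produced an alert."""
    findings = []
    received, analyzed = stats.get("Received", 0), stats.get("Analyzed", 0)
    if received == 0:
        findings.append("no packets received: interface sees no traffic (span port, hub, wrong -i)")
        return findings
    if stats.get("Dropped", 0) > 0:
        findings.append("packets dropped by the capture layer before inspection")
    # A large bad-checksum share is typical when the sensor runs on the server itself
    # and the NIC offloads checksums; such packets are skipped by detection.
    if analyzed and stats.get("Bad Chk Sum", 0) / analyzed >= bad_checksum_ratio:
        findings.append("high bad-checksum share: consider 'config checksum_mode: none'")
    if stats.get("Alerts", 0) == 0:
        findings.append("packets analyzed but zero alerts: check rules are uncommented and loaded")
    return findings

if __name__ == "__main__":
    for line in diagnose(parse_stats(SAMPLE_STATS)):
        print(line)
```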