[Snort-users] Installing Snort

Damien Hull dhull at ...15333...
Fri Jul 8 20:34:19 EDT 2011


It works!

Port scanning is not the way to test snort. Turns out port scans don't get
logged the same as other forms of attacks. I found some instructions on
testing with web access. That set off an alert when I tried to visit my
website.

Thanks for the help.
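Added example (not from this thread, nor Snort or barnyard2 code): a small Python reader for the unified2 spool files barnyard2 is pointed at with -d /var/log/snort -f snort.u2. It lists each IDS event record and resolves gid:sid through the -S sid-msg.map and -G gen-msg.map files, which answers the thread's first question (is Snort writing alerts at all?) before barnyard2 or the database is debugged. It assumes the classic Unified2IDSEvent_legacy record layout and the "sid || msg" / "gid || sid || msg" map formats; the spool bytes and map lines in it are constructed test data.

```python
"""Walk a Snort unified2 spool (the snort.u2.* files barnyard2 reads) and resolve
gid:sid via the -S sid-msg.map / -G gen-msg.map files. Added example, not Snort code."""
import socket
import struct

UNIFIED2_IDS_EVENT = 7        # record type of an IPv4 IDS event
EVENT_FMT = ">9I4s4sHHBBBB"   # 52-byte Unified2IDSEvent_legacy body (assumed layout)

def parse_msg_maps(sid_map_text, gen_map_text):
    """{(gid, sid): msg}. sid-msg.map lines are 'sid || msg || refs' (gid 1, the rules
    engine); gen-msg.map lines are 'gid || sid || msg' (preprocessors such as sfportscan)."""
    msgs = {}
    for text, has_gid in ((sid_map_text, False), (gen_map_text, True)):
        for line in text.splitlines():
            p = [x.strip() for x in line.split("||")]
            ids, rest = (p[:2], p[2:]) if has_gid else (p[:1], p[1:])
            if rest and all(x.isdigit() for x in ids):
                msgs[(int(ids[0]), int(ids[1])) if has_gid else (1, int(ids[0]))] = rest[0]
    return msgs

def summarize_events(data, msgs):
    """One 'gid:sid src:sport -> dst:dport msg' line per IDS event record in the buffer."""
    lines, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)   # record header: type, length
        if off + 8 + rlen > len(data):
            break   # tail record still being written by Snort: leave it alone
        body, off = data[off + 8:off + 8 + rlen], off + 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= struct.calcsize(EVENT_FMT):
            f = struct.unpack_from(EVENT_FMT, body)
            sid, gid, src, dst = f[4], f[5], socket.inet_ntoa(f[9]), socket.inet_ntoa(f[10])
            msg = msgs.get((gid, sid), "<unmapped: check the -S/-G map files>")
            lines.append(f"{gid}:{sid} {src}:{f[11]} -> {dst}:{f[12]} {msg}")
    return lines

def build_event(gid, sid, src, dst, sport, dport):
    """Construct one IDS event record (test data, not captured from Snort)."""
    body = struct.pack(EVENT_FMT, 0, 1, 1310157259, 0, sid, gid, 1, 0, 1,
                       socket.inet_aton(src), socket.inet_aton(dst), sport, dport, 6, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed spool: a rules-engine alert, an sfportscan alert, then a half-written record.
SAMPLE_MAPS = parse_msg_maps("1000001 || LOCAL web access test rule\n",
                             "122 || 1 || (portscan) TCP Portscan\n")
SAMPLE_SPOOL = (build_event(1, 1000001, "192.0.2.10", "192.0.2.20", 51234, 80)
                + build_event(122, 1, "192.0.2.10", "192.0.2.20", 0, 0)
                + struct.pack(">II", UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10)

if __name__ == "__main__":
    print("\n".join(summarize_events(SAMPLE_SPOOL, SAMPLE_MAPS)))
```

On a real sensor, read the newest /var/log/snort/snort.u2.* file into `data` and the two map files into the text arguments; an empty result with a non-empty spool means the records are not IDS events, while an empty spool means Snort itself never alerted.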

On Jul 8, 2011, at 1:21 PM, Michael Lubinski <michael.lubinski at ...11827...>
wrote:

If the sfportscan preprocessor is configured
On Jul 8, 2011 4:18 PM, "Damien Hull" <dhull at ...15333...> wrote:
> I double checked and that's a typo in the email. Just for fun I retyped
> everything in /etc/rc.local. Still not getting anything in the log file. I
> even recompiled snort.
>
> I'm assuming a port scan will show up in a log file somewhere.
>
> On Jul 8, 2011, at 12:52 PM, Michael Lubinski <michael.lubinski at ...11827...>
> wrote:
>
> Typo on "gen-smg.map" or copy typo?
>
> On Fri, Jul 8, 2011 at 3:52 PM, Damien Hull <dhull at ...15333...> wrote:
>
>> in /etc/rc.local I have the following...
>>
>> /usr/local/snort/bin/snort -D -u snort -g snort \
>> -c /usr/local/snort/etc/snort.conf -i eth0
>>
>> /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
>> -G /usr/local/snort/etc/gen-smg.map \
>> -S /usr/local/snort/etc/sid-msg.map \
>> -d /var/log/snort \
>> -f snort.u2 \
>> -w /var/log/snort/barnyard2.waldo \
>> -D
>>
>> On Jul 8, 2011, at 12:43 PM, Michael Lubinski <michael.lubinski at ...11827...> wrote:
>>
>> what's your syntax for starting snort?
>>
>> On Fri, Jul 8, 2011 at 3:28 PM, Damien Hull <dhull at ...15333...> wrote:
>>
>>> I have snort installed on a web server. It only needs to see incoming
>>> attacks so that should be working. I double checked snort.conf rules and
>>> found the port scan rule was commented out. Even after uncommenting that
>>> rule it doesn't work.
>>>
>>> Nothing shows up in /var/log/snort/snort or the snort report database. I'm
>>> thinking something was left out of the instructions on snort.org. I double
>>> checked my configuration several times.
>>>
>>>
>>> On Jul 8, 2011, at 12:11 PM, Michael Lubinski <michael.lubinski at ...11827...> wrote:
>>>
>>> Is your snort sensor able to see the traffic? (span port, connected via a
>>> hub?)
>>> Are the rules uncommented in snort.conf?
>>>
>>> On Fri, Jul 8, 2011 at 3:05 PM, Damien Hull <dhull at ...15333...> wrote:
>>>
>>>> Here's what I have in /usr/local/snort/rules...
>>>>
>>>> total 10356
>>>> -rw-r--r-- 1 1210 1210 18236 Apr 4 17:59 VRT-License.txt
>>>> -rw-r--r-- 1 1210 1210 5463 Jun 7 16:35 attack-responses.rules
>>>> -rw-r--r-- 1 1210 1210 312012 Jun 7 16:35 backdoor.rules
>>>> -rw-r--r-- 1 1210 1210 1862 Jun 7 16:35 bad-traffic.rules
>>>> -rw-r--r-- 1 1210 1210 132557 Jun 7 16:35 blacklist.rules
>>>> -rw-r--r-- 1 1210 1210 49738 Jun 7 16:35 botnet-cnc.rules
>>>> -rw-r--r-- 1 1210 1210 20259 Jun 7 16:35 chat.rules
>>>> -rw-r--r-- 1 1210 1210 8642 Jun 7 16:35 content-replace.rules
>>>> -rw-r--r-- 1 1210 1210 8237 Jun 7 16:35 ddos.rules
>>>> -rw-r--r-- 1 1210 1210 5048660 Jun 7 16:35 deleted.rules
>>>> -rw-r--r-- 1 1210 1210 11722 Jun 7 16:35 dns.rules
>>>> -rw-r--r-- 1 1210 1210 25338 Jun 7 16:35 dos.rules
>>>> -rw-r--r-- 1 1210 1210 1327 May 16 2005 experimental.rules
>>>> -rw-r--r-- 1 1210 1210 147124 Jun 7 16:35 exploit.rules
>>>> -rw-r--r-- 1 1210 1210 4579 Jun 7 16:35 finger.rules
>>>> -rw-r--r-- 1 1210 1210 33901 Jun 7 16:35 ftp.rules
>>>> -rw-r--r-- 1 1210 1210 17265 Jun 7 16:35 icmp-info.rules
>>>> -rw-r--r-- 1 1210 1210 3756 Jun 7 16:35 icmp.rules
>>>> -rw-r--r-- 1 1210 1210 31824 Jun 7 16:35 imap.rules
>>>> -rw-r--r-- 1 1210 1210 1041 Jun 7 16:35 info.rules
>>>> -rw-r--r-- 1 1210 1210 199 Jun 7 16:35 local.rules
>>>> -rw-r--r-- 1 1210 1210 24059 Jun 7 16:35 misc.rules
>>>> -rw-r--r-- 1 1210 1210 7166 Jun 7 16:35 multimedia.rules
>>>> -rw-r--r-- 1 1210 1210 13845 Jun 7 16:35 mysql.rules
>>>> -rw-r--r-- 1 1210 1210 217140 Jun 7 16:35 netbios.rules
>>>> -rw-r--r-- 1 1210 1210 5804 Jun 7 16:35 nntp.rules
>>>> -rw-r--r-- 1 1210 1210 1246 Jun 7 16:35 open-test.conf
>>>> -rw-r--r-- 1 1210 1210 208849 Jun 7 16:35 oracle.rules
>>>> -rw-r--r-- 1 1210 1210 1490 Jun 7 16:35 other-ids.rules
>>>> -rw-r--r-- 1 1210 1210 6432 Jun 7 16:35 p2p.rules
>>>> -rw-r--r-- 1 1210 1210 56702 Jun 7 16:35 phishing-spam.rules
>>>> -rw-r--r-- 1 1210 1210 47381 Jun 7 16:35 policy.rules
>>>> -rw-r--r-- 1 1210 1210 1046 Jun 7 16:35 pop2.rules
>>>> -rw-r--r-- 1 1210 1210 15701 Jun 7 16:35 pop3.rules
>>>> -rw-r--r-- 1 1210 1210 91675 Jun 7 16:35 rpc.rules
>>>> -rw-r--r-- 1 1210 1210 3984 Jun 7 16:35 rservices.rules
>>>> -rw-r--r-- 1 1210 1210 42175 Jun 7 16:35 scada.rules
>>>> -rw-r--r-- 1 1210 1210 5307 Jun 7 16:35 scan.rules
>>>> -rw-r--r-- 1 1210 1210 13707 Jun 7 16:35 shellcode.rules
>>>> -rw-r--r-- 1 1210 1210 91705 Jun 7 16:35 smtp.rules
>>>> -rw-r--r-- 1 1210 1210 7250 Jun 7 16:35 snmp.rules
>>>> -rw-r--r-- 1 1210 1210 335177 Jun 7 16:35 specific-threats.rules
>>>> -rw-r--r-- 1 1210 1210 546411 Jun 7 16:35 spyware-put.rules
>>>> -rw-r--r-- 1 1210 1210 46695 Jun 7 16:35 sql.rules
>>>> -rw-r--r-- 1 1210 1210 7904 Jun 7 16:35 telnet.rules
>>>> -rw-r--r-- 1 1210 1210 6410 Jun 7 16:35 tftp.rules
>>>> -rw-r--r-- 1 1210 1210 1574 Jun 7 16:35 virus.rules
>>>> -rw-r--r-- 1 1210 1210 26552 Jun 7 16:35 voip.rules
>>>> -rw-r--r-- 1 1210 1210 1943280 Jun 7 16:35 web-activex.rules
>>>> -rw-r--r-- 1 1210 1210 1470 Jun 7 16:35 web-attacks.rules
>>>> -rw-r--r-- 1 1210 1210 119084 Jun 7 16:35 web-cgi.rules
>>>> -rw-r--r-- 1 1210 1210 264702 Jun 7 16:35 web-client.rules
>>>> -rw-r--r-- 1 1210 1210 14403 Jun 7 16:35 web-coldfusion.rules
>>>> -rw-r--r-- 1 1210 1210 12895 Jun 7 16:35 web-frontpage.rules
>>>> -rw-r--r-- 1 1210 1210 53052 Jun 7 16:35 web-iis.rules
>>>> -rw-r--r-- 1 1210 1210 221135 Jun 7 16:35 web-misc.rules
>>>> -rw-r--r-- 1 1210 1210 51100 Jun 7 16:35 web-php.rules
>>>> -rw-r--r-- 1 1210 1210 1891 Jun 7 16:35 x11.rules
>>>>
>>>> On Jul 8, 2011, at 11:18 AM, Michael Lubinski <michael.lubinski at ...11827...> wrote:
>>>>
>>>> What is in the rules directory?
>>>>
>>>> On Fri, Jul 8, 2011 at 2:09 PM, Damien Hull <dhull at ...15333...> wrote:
>>>>
>>>>> I compiled snort for Ubuntu 10.04 following the instructions on the
>>>>> snort website. I installed the snort rules. Snort and barnyard2 start.
>>>>> There are snort files in /var/log/snort. However, there's nothing in
>>>>> the log files. The database doesn't contain any info.
>>>>>
>>>>> I did a port scan of the system. I'm assuming snort should pick that
>>>>> up. Again, nothing in the log files or in the database. I'm using
>>>>> snort report just like the documentation says.
>>>>>
>>>>> Can someone point me in some kind of direction? I must be missing
>>>>> something.
>>>>>