[Snort-users] Configuring Snort

Damien Hull dhull at ...15333...
Fri Aug 24 20:47:42 EDT 2012


Marcos,

Thanks for the info. I had the var PREPROC_RULE_PATH set. I went
through the config file and found that the following lines were
commented out.

# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

After enabling them snort picked up my port scan.

Other rules are commented out. I need to figure out which ones to
enable. I'll save that for later. At least I know some of the rules
are working.

On Fri, Aug 24, 2012 at 11:35 AM, Marcos Rodriguez
<marcos.e.rodriguez at ...11827...> wrote:
>
>
> On Fri, Aug 24, 2012 at 3:04 PM, Damien Hull <dhull at ...15333...> wrote:
>>
>> I've snort installed but the rules don't seem to be working. Here's
>> what I have.
>>
>> snort: 2.9.3.1
>> snort rules: 2.9.2.3
>> OS: Ubuntu 10.04 LTS
>> Other: Barnyard2
>>
>> I know snort and barnyard2 are working. I added the following to
>> local.rules and it works.
>>           alert icmp any any -> any any (msg: "ICMP Packet found";
>> sid:1001;)
>>
>> I commented out the dynamic detection stuff because that wasn't
>> loading. I was told my version of snort rules won't work with snort
>> 2.9.3.1
>>           # path to dynamic rules libraries
>>           # dynamicdetection directory
>> /usr/local/snort/lib/snort_dynamicrules
>>
>> I have the scanning section configured. I thought that would allow me
>> to scan the system and snort would trigger an alert. No such luck.
>>          # Portscan detection.  For more information, see
>> README.sfportscan
>>          preprocessor sfportscan: proto  { all } scan_type { all }
>> memcap { 10000000 } s$
>>
>> Why does the simple rule in local.rules work but a port scan doesn't
>> get detected?
>>
>
> Hiya Damien,
>
> Sounds like maybe you're not loading your preprocessor.rules file.  The
> portscan rules are in that file, under preproc_rules.  Does this line exist
> in your current snort.conf:
>
> var PREPROC_RULE_PATH ../preproc_rules
>
>
> marcos
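The thread's root cause is a configuration-consistency problem: the sfportscan preprocessor was active, `PREPROC_RULE_PATH` was set, but the three `include $PREPROC_RULE_PATH/...` lines that turn preprocessor events into alerts were still commented out. The following is an added example, not code from the thread or from the Snort project, that scans a snort.conf for exactly that mismatch: it collects active `var` lines, expands `$NAME` in every `include` line (commented or not), records which `preprocessor` blocks are active, and flags an enabled sfportscan whose `preprocessor.rules` is not loaded. The sample configuration is constructed to reproduce Damien's situation; it only reads the single file given and does not follow nested includes.

```python
"""Audit a snort.conf for the mismatch described in the thread: sfportscan
configured, but the preprocessor/decoder event rules still commented out."""
import re
from typing import Dict, List, Tuple

# Constructed sample snort.conf excerpt (not a real file from the thread):
# the var is set, sfportscan is on, but the event-rule includes are commented.
SAMPLE_CONF = """\
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 }
include $RULE_PATH/local.rules
# decoder and preprocessor event rules
#include $PREPROC_RULE_PATH/preprocessor.rules
#include $PREPROC_RULE_PATH/decoder.rules
#include $PREPROC_RULE_PATH/sensitive-data.rules
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*(#)?\s*include\s+(\S+)")
PREPROC_RE = re.compile(r"^\s*(#)?\s*preprocessor\s+(\w+)")


def parse_vars(conf: str) -> Dict[str, str]:
    """Collect active `var NAME VALUE` lines; commented vars are ignored."""
    variables: Dict[str, str] = {}
    for line in conf.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def expand(path: str, variables: Dict[str, str]) -> str:
    """Replace $NAME references in an include path; unknown names stay as-is."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), path)


def parse_includes(conf: str, variables: Dict[str, str]) -> List[Tuple[str, bool]]:
    """Return (expanded path, active) for every include line, commented or not."""
    includes: List[Tuple[str, bool]] = []
    for line in conf.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            includes.append((expand(m.group(2), variables), m.group(1) is None))
    return includes


def parse_preprocessors(conf: str) -> Dict[str, bool]:
    """Map preprocessor name -> True if at least one active config line exists."""
    preprocs: Dict[str, bool] = {}
    for line in conf.splitlines():
        m = PREPROC_RE.match(line)
        if m:
            name, active = m.group(2), m.group(1) is None
            preprocs[name] = preprocs.get(name, False) or active
    return preprocs


def audit(conf: str) -> dict:
    """Summarise the config and list findings that would silence portscan alerts."""
    variables = parse_vars(conf)
    includes = parse_includes(conf, variables)
    preprocs = parse_preprocessors(conf)
    active = [p for p, on in includes if on]
    commented = [p for p, on in includes if not on]
    report = {
        "preproc_rule_path": variables.get("PREPROC_RULE_PATH"),
        "active_includes": active,
        "commented_includes": commented,
        "sfportscan_enabled": preprocs.get("sfportscan", False),
        "portscan_rules_loaded": any(p.endswith("/preprocessor.rules") for p in active),
        "findings": [],
    }
    if report["preproc_rule_path"] is None:
        report["findings"].append("PREPROC_RULE_PATH is not set")
    if not report["sfportscan_enabled"]:
        report["findings"].append("sfportscan preprocessor is not configured")
    elif not report["portscan_rules_loaded"]:
        report["findings"].append(
            "sfportscan is enabled but preprocessor.rules is not included: "
            "portscan events are generated but never raised as alerts")
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Running it against the sample reports one finding; uncommenting the three include lines (as Damien did) clears it. The same check is worth re-running after every rules update, since shipping snort.conf files frequently arrive with these includes commented.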
