[Snort-users] Configuring Snort

Damien Hull dhull at ...15333...
Fri Aug 24 23:50:03 EDT 2012


I just did a metasploit hail mary attack and snort didn't detect
anything. I'm assuming I should see something about web attacks.

What am I missing?


On Fri, Aug 24, 2012 at 4:47 PM, Damien Hull <dhull at ...15333...> wrote:
> Marcos,
>
> Thanks for the info. I had the var PREPROC_RULE_PATH set. I went
> through the config file and found that the following lines were
> commented out.
>
> # decoder and preprocessor event rules
> include $PREPROC_RULE_PATH/preprocessor.rules
> include $PREPROC_RULE_PATH/decoder.rules
> include $PREPROC_RULE_PATH/sensitive-data.rules
>
> After enabling them snort picked up my port scan.
>
> Other rules are commented out. I need to figure out which ones to
> enable. I'll save that for later. At least I know some of the rules
> are working.
>
> On Fri, Aug 24, 2012 at 11:35 AM, Marcos Rodriguez
> <marcos.e.rodriguez at ...11827...> wrote:
>>
>>
>> On Fri, Aug 24, 2012 at 3:04 PM, Damien Hull <dhull at ...15333...> wrote:
>>>
>>> I have snort installed but the rules don't seem to be working. Here's
>>> what I have.
>>>
>>> snort: 2.9.3.1
>>> snort rules: 2.9.2.3
>>> OS: Ubuntu 10.04 LTS
>>> Other: Barnyard2
>>>
>>> I know snort and barnyard2 are working. I added the following to
>>> local.rules and it works.
>>>           alert icmp any any -> any any (msg: "ICMP Packet found"; sid:1001;)
>>>
>>> I commented out the dynamic detection stuff because that wasn't
>>> loading. I was told my version of snort rules won't work with snort
>>> 2.9.3.1
>>>           # path to dynamic rules libraries
>>>           # dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
>>>
>>> I have the scanning section configured. I thought that would allow me
>>> to scan the system and snort would trigger an alert. No such luck.
>>>          # Portscan detection.  For more information, see README.sfportscan
>>>          preprocessor sfportscan: proto  { all } scan_type { all } memcap { 10000000 } s$
>>>
>>> Why does the simple rule in local.rules work but a port scan doesn't
>>> get detected?
>>>
>>
>> Hiya Damien,
>>
>> Sounds like maybe you're not loading your preprocessor.rules file.  The
>> portscan rules are in that file, under preproc_rules.  Does this line exist
>> in your current snort.conf:
>>
>> var PREPROC_RULE_PATH ../preproc_rules
>>
>>
>> marcos
