[Snort-users] Configuring Snort

Joel Esler jesler at ...1935...
Sat Aug 25 07:01:22 EDT 2012


You need to make sure Snort is working and logging correctly before throwing arbitrary packets past it. 

--
Joel Esler
Sent from my iPad 

On Aug 24, 2012, at 11:50 PM, Damien Hull <dhull at ...15333...> wrote:

> I just did a metasploit hail mary attack and snort didn't detect
> anything. I'm assuming I should see something about web attacks.
> 
> What am I missing?
> 
> 
> On Fri, Aug 24, 2012 at 4:47 PM, Damien Hull <dhull at ...15333...> wrote:
>> Marcos,
>> 
>> Thanks for the info. I had the var PREPROC_RULE_PATH set. I went
>> through the config file and found that the following lines were
>> commented out.
>> 
>> # decoder and preprocessor event rules
>> include $PREPROC_RULE_PATH/preprocessor.rules
>> include $PREPROC_RULE_PATH/decoder.rules
>> include $PREPROC_RULE_PATH/sensitive-data.rules
>> 
>> After enabling them snort picked up my port scan.
>> 
>> Other rules are commented out. I need to figure out which ones to
>> enable. I'll save that for later. At least I know some of the rules
>> are working.
>> 
>> On Fri, Aug 24, 2012 at 11:35 AM, Marcos Rodriguez
>> <marcos.e.rodriguez at ...11827...> wrote:
>>> 
>>> 
>>> On Fri, Aug 24, 2012 at 3:04 PM, Damien Hull <dhull at ...15333...> wrote:
>>>> 
>>>> I've snort installed but the rules don't seem to be working. Here's
>>>> what I have.
>>>> 
>>>> snort: 2.9.3.1
>>>> snort rules: 2.9.2.3
>>>> OS: Ubuntu 10.04 LTS
>>>> Other: Barnyard2
>>>> 
>>>> I know snort and barnyard2 are working. I added the following to
>>>> local.rules and it works.
>>>>          alert icmp any any -> any any (msg: "ICMP Packet found"; sid:1001;)
>>>> 
>>>> I commented out the dynamic detection stuff because that wasn't
>>>> loading. I was told my version of snort rules won't work with snort
>>>> 2.9.3.1
>>>>          # path to dynamic rules libraries
>>>>          # dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
>>>> 
>>>> I have the scanning section configured. I thought that would allow me
>>>> to scan the system and snort would trigger an alert. No such luck.
>>>>         # Portscan detection.  For more information, see README.sfportscan
>>>>         preprocessor sfportscan: proto  { all } scan_type { all } memcap { 10000000 } s$
>>>> 
>>>> Why does the simple rule in local.rules work but a port scan doesn't
>>>> get detected?
>>>> 
>>> 
>>> Hiya Damien,
>>> 
>>> Sounds like maybe you're not loading your preprocessor.rules file.  The
>>> portscan rules are in that file, under preproc_rules.  Does this line exist
>>> in your current snort.conf:
>>> 
>>> var PREPROC_RULE_PATH ../preproc_rules
>>> 
>>> 
>>> marcos
> 
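The thread's root cause was a snort.conf in which the preprocessor, decoder and sensitive-data includes under $PREPROC_RULE_PATH were commented out, so sfportscan ran but its events never became alerts. The script below is an added example, not code from anyone in the thread: it builds a constructed snort.conf reproducing that state, reports each missing or commented-out include, and uncomments them. The sample file contents and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample snort.conf in the broken state described in the thread:
# PREPROC_RULE_PATH is set, sfportscan is enabled, but the event-rule includes
# are commented out, so preprocessor events are generated but never alerted on.
make_sample_conf() {
  cat > "$1" <<'EOF'
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 } sense_level { low }
# decoder and preprocessor event rules
#include $PREPROC_RULE_PATH/preprocessor.rules
#include $PREPROC_RULE_PATH/decoder.rules
#include $PREPROC_RULE_PATH/sensitive-data.rules
include $RULE_PATH/local.rules
EOF
}

# Print one finding per problem; the return value is the number of problems,
# so 0 means the preprocessor event rules are wired up.
check_preproc_rules() {
  conf="$1"; problems=0
  if ! grep -Eq '^[[:space:]]*var[[:space:]]+PREPROC_RULE_PATH[[:space:]]' "$conf"; then
    echo "MISSING: var PREPROC_RULE_PATH is not set"
    problems=$((problems + 1))
  fi
  for f in preprocessor.rules decoder.rules sensitive-data.rules; do
    if grep -Eq "^[[:space:]]*#[[:space:]]*include[[:space:]]+\\\$PREPROC_RULE_PATH/$f" "$conf"; then
      echo "COMMENTED OUT: include \$PREPROC_RULE_PATH/$f"
      problems=$((problems + 1))
    elif ! grep -Eq "^[[:space:]]*include[[:space:]]+\\\$PREPROC_RULE_PATH/$f" "$conf"; then
      echo "ABSENT: include \$PREPROC_RULE_PATH/$f"
      problems=$((problems + 1))
    fi
  done
  return "$problems"
}

# Uncomment the three includes in place (a .bak copy of the file is kept).
enable_preproc_rules() {
  sed -i.bak -E \
    's/^[[:space:]]*#[[:space:]]*(include[[:space:]]+\$PREPROC_RULE_PATH\/(preprocessor|decoder|sensitive-data)\.rules)/\1/' \
    "$1"
}
```

After editing a real snort.conf, validate it with `snort -T -c /path/to/snort.conf` before relying on the sensor again.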



