[Snort-users] Logging - A easy way ?

Jeremy Hoel jthoel at ...11827...
Tue Mar 26 13:40:15 EDT 2013


Change the icmp to UDP (or add another rule to do that). Do a UDP scan,
then the alert should fire. Then you know snort itself is seeing the
UDP packets at that box.

And if you want to see if it works sniffing the network, then UDP scan
another box whose traffic should pass through the span port, and then
see if it fires.



On Tue, Mar 26, 2013 at 1:37 PM, Joao Daniel Neves
<joaodanielnevesss at ...125...> wrote:
> Hi Jeremy,
>
> I would like to thank you for your help. I have written a very simple rule to
> alert on ICMP.
>
>     alert icmp any any -> any any
>
> Just that. So it seems that I do not have any rule for alerting on UDP and ICMP.
> What should I do? Do I need to write my own rules? Or can I find/download
> some?
>
>
>
>
>> From: jthoel at ...11827...
>> Date: Mon, 25 Mar 2013 21:54:41 -0600
>
>> Subject: Re: [Snort-users] Logging - A easy way ?
>> To: joaodanielnevesss at ...125...
>> CC: snort-users at lists.sourceforge.net
>
>>
>> You can make sure it will if you make a local rule looking for udp
>> traffic of type any from your scanning host.
>>
>> On Mon, Mar 25, 2013 at 2:24 PM, Joao Daniel Neves
>> <joaodanielnevesss at ...125...> wrote:
>> > Jeremy Hoel,
>> >
>> > I have scanned it with nmap (just using UDP)
>> >
>> > nmap -sV -sU -Pn <host>.
>> >
>> > I think it should generate a UDP alert? Shouldn't it?
>> >
>> > ________________________________
>> > Date: Mon, 25 Mar 2013 19:13:36 +0000
>> > Subject: Re: [Snort-users] Logging - A easy way ?
>> > From: jthoel at ...11827...
>> > To: joaodanielnevesss at ...125...
>> > CC: snort-users at lists.sourceforge.net
>> >
>> >
>> > Snort only outputs events that are triggered by rules. While running snort,
>> > did you send/sniff any UDP traffic that would cause a rule to fire?
>> >
>> > On Mar 25, 2013 1:00 PM, "Joao Daniel Neves"
>> > <joaodanielnevesss at ...125...>
>> > wrote:
>> >
>> > A few days ago I wrote about my BASE that was not displaying any UDP
>> > alert. It was 100% TCP. Unfortunately I could not resolve it. I'm doing
>> > some tests.
>> > My plan is very simple. I want to know if snort is checking against UDP.
>> > So I want to eliminate BASE from this scenario.
>> > According to some documents that I found on the web, it seems that
>> >
>> > /usr/local/bin/snort -d -h IP/32 -l /tmp/test -c /etc/snort/snort.conf -s
>> >
>> > would write some logging information to /tmp/test.
>> >
>> > After running the command (in bold), I stop it with 'Ctrl + C'. And so
>> >
>> > ls -l /tmp/test does not display any files!
>> >
>> > My question is simple: Is this command correct? Will it write
>> > logs/alerts to /tmp/test?
>> > What command would simply write alerts to a log?
>> >
>> >
>> >
>> >
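The two practical points in this thread are a local rule that fires on UDP from the scanning host, and checking that Snort actually records the alert without BASE in the picture. The Python below is an added example, not code from the thread or from the Snort project: it builds such a local rule as a string and parses Snort's `-A fast` alert output (with `-A fast -l <dir>` Snort writes it to `<dir>/alert`) to count alerts per protocol and pick out the UDP ones sourced from the scanner. The sample alert lines, message texts, SIDs and addresses are constructed for the example; the parser assumes the classic Snort 2 fast-alert layout with IPv4 addresses.

```python
import re
from collections import Counter

# One line of Snort's "fast" alert output (snort -A fast -l <dir> writes it to
# <dir>/alert).  Assumed layout (classic Snort 2, IPv4 only):
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: x] [Priority: n] {PROTO} src:port -> dst:port
# The Classification field is optional; ports are absent for ICMP.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def local_udp_rule(scanner_ip, sid=1000001, msg="LOCAL UDP from scanner"):
    """Build the local rule suggested in the thread: alert on any UDP packet
    whose source is the scanning host.  SIDs of 1000000 and above are the
    range Snort reserves for local rules."""
    return 'alert udp %s any -> any any (msg:"%s"; sid:%d; rev:1;)' % (scanner_ip, msg, sid)


def parse_fast_alert(line):
    """Return a dict for one fast-alert line, or None if the line is not an alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def alerts_by_protocol(lines):
    """Count parsed alerts per transport protocol: a quick answer to
    'is Snort seeing UDP at all?' without involving BASE."""
    counts = Counter()
    for line in lines:
        rec = parse_fast_alert(line)
        if rec:
            counts[rec["proto"]] += 1
    return counts


def udp_alerts_from(lines, scanner_ip):
    """Alerts for UDP traffic sourced from the scanning host."""
    return [rec for rec in map(parse_fast_alert, lines)
            if rec and rec["proto"] == "UDP" and rec["src"] == scanner_ip]


# Constructed sample of <logdir>/alert after a UDP scan from 10.0.0.5 (not real data).
SAMPLE_ALERTS = """\
03/25-14:30:01.123456  [**] [1:1000001:1] LOCAL UDP from scanner [**] [Priority: 0] {UDP} 10.0.0.5:40000 -> 10.0.0.9:53
03/25-14:30:01.223456  [**] [1:1000001:1] LOCAL UDP from scanner [**] [Priority: 0] {UDP} 10.0.0.5:40001 -> 10.0.0.9:161
03/25-14:30:02.000000  [**] [1:1000002:1] LOCAL ICMP test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9
03/25-14:30:03.500000  [**] [1:1000003:1] LOCAL TCP test [**] [Priority: 0] {TCP} 10.0.0.7:51000 -> 10.0.0.9:80
"""

if __name__ == "__main__":
    print(local_udp_rule("10.0.0.5"))
    lines = SAMPLE_ALERTS.splitlines()
    print(dict(alerts_by_protocol(lines)))
    for rec in udp_alerts_from(lines, "10.0.0.5"):
        print("%s -> %s:%s (sid %d)" % (rec["src"], rec["dst"], rec["dport"], rec["sid"]))
```

The rule string goes into the local rules file that snort.conf includes; an empty log directory after a run, as in the original question, then means no rule matched rather than that logging is broken, and the per-protocol counts make that distinction visible.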



