[Snort-users] Logging - A easy way ?

Joao Daniel Neves joaodanielnevesss at ...125...
Wed Mar 27 08:01:50 EDT 2013


Hi Guys,

I think it is working. The guy who deployed Snort have commented all udp/icmp rules.
I asked "Why did you do that?"  He told me "Attacks only came from TCP packages".
Unfortunally I can not fire him.  

I'm not tuning Snort since, there are a lot (false) ICMP alerts. 

> From: jthoel at ...11827...
> Date: Tue, 26 Mar 2013 17:40:15 +0000
> Subject: Re: [Snort-users] Logging - A easy way ?
> To: joaodanielnevesss at ...125...
> CC: snort-users at lists.sourceforge.net
> 
> Change the icmp to UDP (or add another rule to do that).. do a UDP,
> then the alert should fire.. then you know snort itself is seeing the
> udp packets at that box.
> 
> and if you want to see if it works sniffing the netowkr, then udp scan
> another box, whos traffic should pass through the span port, and then
> see if it fires.
> 
> 
> 
> On Tue, Mar 26, 2013 at 1:37 PM, Joao Daniel Neves
> <joaodanielnevesss at ...125...> wrote:
> > Hi Jeremy,
> >
> > I would like to thank your help. I have write a very simple rule for alert
> > ICMP.
> >
> >     alert icmp any any -> any any
> >
> > Just it. So it sems that I do not have any rule for alerting UDP and ICMP.
> > What should I do ? Did I need to write my own rules ? Or I can find/download
> > some?
> >
> >
> >
> >
> >> From: jthoel at ...11827...
> >> Date: Mon, 25 Mar 2013 21:54:41 -0600
> >
> >> Subject: Re: [Snort-users] Logging - A easy way ?
> >> To: joaodanielnevesss at ...125...
> >> CC: snort-users at lists.sourceforge.net
> >
> >>
> >> You can make sure it will if you make a local rule looking for udp
> >> traffic of type any from your scanning host.
> >>
> >> On Mon, Mar 25, 2013 at 2:24 PM, Joao Daniel Neves
> >> <joaodanielnevesss at ...125...> wrote:
> >> > Jeremy Hoel,
> >> >
> >> > I have scanned it with nmap (just using UDP)
> >> >
> >> > nmap -sV -sU -Pn <host>.
> >> >
> >> > I think it should generate an udp alert? Shouldn't it?
> >> >
> >> > ________________________________
> >> > Date: Mon, 25 Mar 2013 19:13:36 +0000
> >> > Subject: Re: [Snort-users] Logging - A easy way ?
> >> > From: jthoel at ...11827...
> >> > To: joaodanielnevesss at ...125...
> >> > CC: snort-users at lists.sourceforge.net
> >> >
> >> >
> >> > Snort only outputs events that are triggered by rules. While running
> >> > snort
> >> > did you send/sniff and UDP traffic that would cause a rule to fire?
> >> >
> >> > On Mar 25, 2013 1:00 PM, "Joao Daniel Neves"
> >> > <joaodanielnevesss at ...125...>
> >> > wrote:
> >> >
> >> > A few days agos I wrote about my BASE that was not displaying any UDP
> >> > alert.
> >> > It was 100% TCP. Unfortunately I could not resolve it. I'm doing some
> >> > tests.
> >> > My plan is very simple. I want to know if snort is checking against UDP.
> >> > So
> >> > I want to elimita BASE from this scenario.
> >> > Acording with some documents that I found on the web, it seems that
> >> > /usr/local/bin/snort -d -h IP/32 -l /tmp/test -c /etc/snort/snort.conf
> >> > -s
> >> > Would write some logging information to /tmp/test.
> >> >
> >> > After running the command (in bold). I stop it with 'Ctrl + C'. And so
> >> >
> >> > ls -l /tmp/test do not display any files!
> >> >
> >> > My question is simple: Is this command correct ? Will it write
> >> > logs/alert to
> >> > /tmp/test ?
> >> > What command would do simple write alerts to log?
> >> >
> >> >
> >> >
> >> >
> >> > ------------------------------------------------------------------------------
> >> > Everyone hates slow websites. So do we.
> >> > Make your web apps faster with AppDynamics
> >> > Download AppDynamics Lite for free today:
> >> > http://p.sf.net/sfu/appdyn_d2d_mar
> >> > _______________________________________________
> >> > Snort-users mailing list
> >> > Snort-users at lists.sourceforge.net
> >> > Go to this URL to change user options or unsubscribe:
> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
> >> > Snort-users list archive:
> >> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >> >
> >> > Please visit http://blog.snort.org to stay current on all the latest
> >> > Snort
> >> > news!
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130327/e31bc837/attachment.html>


More information about the Snort-users mailing list