[Snort-users] Logging - A easy way ?

Jeremy Hoel jthoel at ...11827...
Wed Mar 27 11:09:41 EDT 2013


Hahaha!  That's funny. Wow. Well it's good you figured out what the problem
was.  As far as tuning goes.. that's the fun part. Understanding the rules
and the variables goes a long way towards removing false positives.  That
and knowing what it is you want to look for.

Good luck!
On Mar 27, 2013 6:01 AM, "Joao Daniel Neves" <joaodanielnevesss at ...125...>
wrote:

> Hi Guys,
>
> I think it is working. The guy who deployed Snort has commented out all
> udp/icmp rules.
> I asked "Why did you do that?"  He told me "Attacks only came from TCP
> packages".
> Unfortunately I can not fire him.
>
> I'm not tuning Snort since there are a lot of (false) ICMP alerts.
>
> > From: jthoel at ...11827...
> > Date: Tue, 26 Mar 2013 17:40:15 +0000
> > Subject: Re: [Snort-users] Logging - A easy way ?
> > To: joaodanielnevesss at ...125...
> > CC: snort-users at lists.sourceforge.net
> >
> > Change the icmp to UDP (or add another rule to do that).. do a UDP,
> > then the alert should fire.. then you know snort itself is seeing the
> > udp packets at that box.
> >
> > and if you want to see if it works sniffing the network, then udp scan
> > another box, whose traffic should pass through the span port, and then
> > see if it fires.
> >
> >
> >
> > On Tue, Mar 26, 2013 at 1:37 PM, Joao Daniel Neves
> > <joaodanielnevesss at ...125...> wrote:
> > > Hi Jeremy,
> > >
> > > I would like to thank you for your help. I have written a very simple
> > > rule for alerting on ICMP.
> > >
> > > alert icmp any any -> any any
> > >
> > > Just it. So it seems that I do not have any rule for alerting on UDP and
> > > ICMP.
> > > What should I do ? Do I need to write my own rules ? Or can I
> > > find/download some?
> > >
> > >
> > >
> > >
> > >> From: jthoel at ...11827...
> > >> Date: Mon, 25 Mar 2013 21:54:41 -0600
> > >> Subject: Re: [Snort-users] Logging - A easy way ?
> > >> To: joaodanielnevesss at ...125...
> > >> CC: snort-users at lists.sourceforge.net
> > >>
> > >> You can make sure it will if you make a local rule looking for udp
> > >> traffic of type any from your scanning host.
> > >>
> > >> On Mon, Mar 25, 2013 at 2:24 PM, Joao Daniel Neves
> > >> <joaodanielnevesss at ...125...> wrote:
> > >> > Jeremy Hoel,
> > >> >
> > >> > I have scanned it with nmap (just using UDP)
> > >> >
> > >> > nmap -sV -sU -Pn <host>.
> > >> >
> > >> > I think it should generate a UDP alert? Shouldn't it?
> > >> >
> > >> > ________________________________
> > >> > Date: Mon, 25 Mar 2013 19:13:36 +0000
> > >> > Subject: Re: [Snort-users] Logging - A easy way ?
> > >> > From: jthoel at ...11827...
> > >> > To: joaodanielnevesss at ...125...
> > >> > CC: snort-users at lists.sourceforge.net
> > >> >
> > >> >
> > >> > Snort only outputs events that are triggered by rules. While running
> > >> > snort did you send/sniff any UDP traffic that would cause a rule to
> > >> > fire?
> > >> >
> > >> > On Mar 25, 2013 1:00 PM, "Joao Daniel Neves"
> > >> > <joaodanielnevesss at ...125...>
> > >> > wrote:
> > >> >
> > >> > A few days ago I wrote about my BASE that was not displaying any UDP
> > >> > alert.
> > >> > It was 100% TCP. Unfortunately I could not resolve it. I'm doing some
> > >> > tests.
> > >> > My plan is very simple. I want to know if snort is checking against
> > >> > UDP. So I want to eliminate BASE from this scenario.
> > >> > According to some documents that I found on the web, it seems that
> > >> >
> > >> > /usr/local/bin/snort -d -h IP/32 -l /tmp/test -c /etc/snort/snort.conf -s
> > >> >
> > >> > would write some logging information to /tmp/test.
> > >> >
> > >> > After running the command (in bold), I stop it with 'Ctrl + C'. And so
> > >> >
> > >> > ls -l /tmp/test does not display any files!
> > >> >
> > >> > My question is simple: Is this command correct ? Will it write
> > >> > logs/alerts to /tmp/test ?
> > >> > What command would simply write alerts to a log?
> > >> >
> > >> >
> > >> >
> > >> >
> > >> >
> ------------------------------------------------------------------------------
> > >> > Everyone hates slow websites. So do we.
> > >> > Make your web apps faster with AppDynamics
> > >> > Download AppDynamics Lite for free today:
> > >> > http://p.sf.net/sfu/appdyn_d2d_mar
> > >> > _______________________________________________
> > >> > Snort-users mailing list
> > >> > Snort-users at lists.sourceforge.net
> > >> > Go to this URL to change user options or unsubscribe:
> > >> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > >> > Snort-users list archive:
> > >> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >> >
> > >> > Please visit http://blog.snort.org to stay current on all the
> latest
> > >> > Snort
> > >> > news!
>
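The thread's test plan is to take BASE out of the picture and check whether Snort itself ever raises a UDP event. Below is an added example, not code from the thread or from the Snort project, that does exactly that check offline: it holds the two local rules Jeremy suggests (ICMP, and UDP from the scanning host), then parses the `alert` file that `snort -A fast -l <dir>` writes and counts events per protocol. The `SCANNER` variable, the sids in the 1000001+ range, the IP addresses and the alert lines are all constructed for the example; the alert line layout is Snort 2's `alert_fast` format.

```python
"""
Added example (not from the thread): confirm from Snort's own alert_fast
output whether UDP events are being generated, independently of BASE.
Parses the file written by `snort -A fast -l <dir>` (usually <dir>/alert)
and counts events by protocol.
"""
import re
import sys
from collections import Counter

# Local rules of the kind suggested in the thread. $SCANNER, the sids and
# the msg strings are constructed for this example; pick sids from your
# own unused range. Snort 2.9 rejects a rule that carries no sid, which is
# why the bare header `alert icmp any any -> any any` is not enough.
LOCAL_RULES = """\
var SCANNER 192.0.2.10
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP test"; sid:1000001; rev:1;)
alert udp $SCANNER any -> $HOME_NET any (msg:"LOCAL UDP from scanner"; sid:1000002; rev:1;)
"""

# One alert_fast line per event:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
# The Classification field is absent when the rule has no classtype.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample of an alert file: one ICMP, two UDP, one TCP event.
SAMPLE_ALERT_FILE = """\
03/26-13:37:01.000123  [**] [1:1000001:1] LOCAL ICMP test [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
03/26-13:37:02.000456  [**] [1:1000002:1] LOCAL UDP from scanner [**] [Priority: 3] {UDP} 192.0.2.10:54321 -> 192.0.2.20:53
03/26-13:37:02.000789  [**] [1:1000002:1] LOCAL UDP from scanner [**] [Priority: 3] {UDP} 192.0.2.10:54322 -> 192.0.2.20:161
03/26-13:37:03.000111  [**] [1:1000003:1] LOCAL TCP test [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.20:80 -> 192.0.2.10:40000
"""


def _split_addr(addr):
    """Split 'a.b.c.d:port' into (host, port); ICMP events carry no port."""
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit() and "." in host:
        return host, int(port)
    return addr, None


def parse_fast_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it is not one."""
    m = FAST_ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["src"], ev["sport"] = _split_addr(ev["src"])
    ev["dst"], ev["dport"] = _split_addr(ev["dst"])
    return ev


def protocol_counts(lines):
    """Count parsed events per protocol ({ICMP}, {UDP}, {TCP}, ...)."""
    counts = Counter()
    for line in lines:
        ev = parse_fast_alert(line)
        if ev:
            counts[ev["proto"]] += 1
    return counts


def udp_seen(lines):
    """True if at least one UDP event is present: Snort itself saw UDP."""
    return protocol_counts(lines).get("UDP", 0) > 0


if __name__ == "__main__":
    # Pass the real alert file path as argv[1]; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_ALERT_FILE.splitlines()
    for proto, n in sorted(protocol_counts(lines).items()):
        print(f"{proto:5s} {n}")
    print("UDP events present:", udp_seen(lines))
```

Two points worth keeping in mind when running this against a real box. The command quoted in the thread uses `-s`, which sends alerts to syslog rather than to the `-l` directory, so an empty `/tmp/test` does not by itself mean nothing fired; `-A fast -l /tmp/test` puts a plain-text `alert` file there that this script can read. And with both rules loaded, a UDP-only nmap scan from the `$SCANNER` host should show up as `{UDP}` lines; if the ICMP rule fires but the UDP one never does, the problem is upstream of BASE (rule variables, the span port, or the sensor not seeing that traffic), which is exactly what the thread was trying to establish.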