[Snort-users] snort nmap not working

Mustafa Karci mk at ...16595...
Tue Nov 26 06:10:50 EST 2013


hi all,

i have some problems with snort. The case is: I set up
snort-2.9.5.5-1.x86_64 + barnyard2 + base on a CentOS 6 64 bit.

This is working correctly: when I add a test rule like below, it is
working OK. I can see that snort is writing to the
snort-unified2.log and barnyard is taking this and writing it to the mysql
database.

alert icmp any any -> any any (msg:"ICMP test"; sid:200001; rev:100001;)


I also configured sfportscan in the snort.conf:
# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         sense_level { high }
                         #logfile { pscan1.log }

But when I do a nmap -sS xxx.xxx.xxx.xxx to the snort machine it will not
generate any alerts!!! But when I disable the logfile { pscan1.log } I
will get an output to the pscan1.log in
/var/log/snort/pscan1.log... But this only works for the nmap -sS
xxx.xxx.xxx.xxx command.

So my question is: what am I doing wrong? And another thing I don't get:
is there a dynamic preprocessor library for the port-scan??
This couldn't be it, because it will not generate a portscan alert in the
pscan1.log...

here are the results of the config:

*snort.conf:*

# Setup the network addresses you are protecting
ipvar HOME_NET xxx.xxx.xxx.xxx/22
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         sense_level { high }
                         #logfile { pscan1.log }

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/rules/so_rules
var PREPROC_RULE_PATH ../preproc_rules

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/lib64/snort-2.9.5.5_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/lib64/snort-2.9.5.5_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules

# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6


# unified2
# Recommended for most installs
output unified2: filename snort-unified2.log, limit 128

# syslog
# output alert_syslog: LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# metadata reference data.  do not modify these lines
include classification.config
include reference.config

include $RULE_PATH/test.rules
include $RULE_PATH/local.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/server-mssql.rules
include $RULE_PATH/server-mysql.rule

# decoder and preprocessor event rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

include threshold.conf

*/etc/sysconfig/snort*
INTERFACE=eth1
CONF=/etc/snort/snort.conf
# ALERTMODE=fastq
# BINARY_LOG=1

barnyard2.conf:
config interface:  eth1
input unified2
output database: alert, mysql, user=snort password=snort dbname=snort host=localhost


*start snort + barnyard*
/etc/init.d/snortd start
barnyard2 -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -f snort-unified2.log -w /etc/barnyard2/barnyard2.waldo -D

*output /var/log/message*
Detection:
Nov 26 11:16:30 NFS1-1 snort[11083]:    Search-Method = AC-Full-Q
Nov 26 11:16:30 NFS1-1 snort[11083]:     Split Any/Any group = enabled
Nov 26 11:16:30 NFS1-1 snort[11083]:     Search-Method-Optimizations = enabled
Nov 26 11:16:30 NFS1-1 snort[11083]:     Maximum pattern length = 20
Nov 26 11:16:30 NFS1-1 snort[11083]: Tagged Packet Limit: 256
Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic engine /usr/lib64/snort-2.9.5.5_dynamicengine/libsf_engine.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]: Loading all dynamic preprocessor libs from /usr/lib64/snort-2.9.5.5_dynamicpreprocessor/...
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_gtp_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_sdf_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_smtp_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_dce2_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_dns_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_ssh_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_reputation_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_pop_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_dnp3_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_sip_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_imap_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_modbus_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_ssl_preproc.so...
Nov 26 11:16:30 NFS1-1 snort[11083]: done
Nov 26 11:16:30 NFS1-1 snort[11083]:   Finished Loading all dynamic preprocessor libs from /usr/lib64/snort-2.9.5.5_dynamicpreprocessor/
Nov 26 11:16:30 NFS1-1 snort[11083]: Log directory = /var/log/snort
Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: ip4 normalizations disabled because not inline.
Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: tcp normalizations disabled because not inline.
Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: icmp4 normalizations disabled because not inline.
Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: ip6 normalizations disabled because not inline.
Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: icmp6 normalizations disabled because not inline.

Nov 26 11:16:30 NFS1-1 snort[11084]: Daemon initialized, signaled parent pid: 11083
Nov 26 11:16:30 NFS1-1 snort[11084]: Reload thread starting...
Nov 26 11:16:30 NFS1-1 snort[11084]: Reload thread started, thread 0x7fb89afd5700 (11086)
Nov 26 11:16:30 NFS1-1 snort[11084]: Decoding Ethernet
Nov 26 11:16:30 NFS1-1 snort[11084]: Checking PID path...
Nov 26 11:16:30 NFS1-1 snort[11084]: PID path stat checked out ok, PID path set to /var/run/
Nov 26 11:16:30 NFS1-1 snort[11084]: Writing PID "11084" to file "/var/run//snort_eth1.pid"
Nov 26 11:16:30 NFS1-1 snort[11084]: Set gid to 500
Nov 26 11:16:30 NFS1-1 snort[11084]: Set uid to 500
Nov 26 11:16:30 NFS1-1 snort[11084]:
Nov 26 11:16:30 NFS1-1 snort[11084]:         --== Initialization Complete ==--
Nov 26 11:16:30 NFS1-1 snort[11084]: Commencing packet processing (pid=11084)
Nov 26 11:16:31 NFS1-1 barnyard2[7020]: Closing spool file '/var/log/snort/snort-unified2.log.1385467902'. Read 0 records
Nov 26 11:16:31 NFS1-1 barnyard2[7020]: Opened spool file '/var/log/snort/snort-unified2.log.1385468190'
Nov 26 11:16:31 NFS1-1 barnyard2[7020]: Waiting for new data

kind regards
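A quick way to tell whether sfportscan events are reaching the unified2 spool that barnyard2 reads (as opposed to only the pscan1.log text file) is to read the spool directly and count events per generator ID. The script below is an added example, not code from the poster, from Snort or from barnyard2. It assumes the unified2 record layout from Snort's own headers (a type/length header followed by a 52-byte Unified2IDSEvent_legacy body for record type 7, all in network byte order) and the generator IDs from gen-msg.map (GID 1 for text rules, GID 122 for sfportscan); the sample log it parses is constructed inline, not captured from the sensor in the mail.

```python
"""Count Snort unified2 IDS events per generator ID (added example)."""
import struct
from collections import Counter
from socket import inet_aton, inet_ntoa

# Serial_Unified2_Header: record type and body length, network byte order.
RECORD_HDR = struct.Struct("!II")
# Unified2IDSEvent_legacy (record type 7): 11 x uint32, 2 x uint16, 4 x uint8.
IDS_EVENT = struct.Struct("!11I2H4B")
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
GID_RULES = 1          # text rules, e.g. the ICMP test rule (sid 200001)
GID_SFPORTSCAN = 122   # sfportscan preprocessor events (gen-msg.map)

EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def parse_unified2(buf):
    """Return the IDS events (record type 7) found in a unified2 byte buffer.

    Other record types (packets, extra data) are skipped by their length.
    A trailing partial record, which is normal while Snort is still
    appending to the spool, ends the parse instead of raising.
    """
    events = []
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, length = RECORD_HDR.unpack_from(buf, off)
        body_start = off + RECORD_HDR.size
        if body_start + length > len(buf):
            break  # truncated record: wait for the writer to finish it
        if rtype == UNIFIED2_IDS_EVENT and length >= IDS_EVENT.size:
            ev = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(buf, body_start)))
            ev["ip_source"] = inet_ntoa(struct.pack("!I", ev["ip_source"]))
            ev["ip_destination"] = inet_ntoa(struct.pack("!I", ev["ip_destination"]))
            events.append(ev)
        off = body_start + length
    return events


def count_by_gid(events):
    """Events per generator ID; a GID 122 entry shows sfportscan wrote to unified2."""
    return Counter(ev["generator_id"] for ev in events)


def _ip_u32(dotted):
    return struct.unpack("!I", inet_aton(dotted))[0]


def _event_record(sid, gid, rev, src, dst, sport, dport, proto):
    """Build one type-7 record; sensor_id=1, priority 3, nothing blocked."""
    body = IDS_EVENT.pack(1, 1, 1385468190, 0, sid, gid, rev, 0, 3,
                          _ip_u32(src), _ip_u32(dst), sport, dport, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_sample_log():
    """Constructed sample spool: one rule alert, one packet record,
    one sfportscan event and a truncated trailing header."""
    packet = b"\x00" * 20  # dummy packet body, skipped by the parser
    return (
        _event_record(200001, GID_RULES, 100001, "192.0.2.10", "192.0.2.20", 8, 0, 1)
        + RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet
        + _event_record(1, GID_SFPORTSCAN, 1, "192.0.2.10", "192.0.2.20", 0, 0, 6)
        + RECORD_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size)  # header, no body
    )


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_log()
    for gid, n in sorted(count_by_gid(parse_unified2(data)).items()):
        print(f"GID {gid}: {n} event(s)")
```

Run it with the path of the current snort-unified2.log.<timestamp> file as its argument; with no argument it parses the constructed sample. If the ICMP rule shows up as GID 1 while a scan produces no GID 122 line, the events are not reaching the spool at all, which separates a logging problem from a database or barnyard2 problem.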