[Snort-users] Snort 2.9.6 doesn't alert using subscribed VRT ruleset but with ETOpen

ped at ...16771...
Fri Apr 4 07:42:56 EDT 2014


I have subscribed to Snort VRT and received the latest rule set (snortrules-snapshot-2956.tar.gz). I installed snort from source using the guide at http://www.snort.org/assets/158/snortinstallguide293.pdf for Ubuntu 12.04 LTS.

I found that snort does not alert on sample malicious requests, i.e. DT to ../../../etc/passwd, curl www.testmyids.com, or a portscan, when using the VRT ruleset. So then I added the ETOpen ruleset and it started to alert on the above requests (curl www.testmyids.com, sample ping in local.rules, DNS attack):

04/03-11:32:47.780946 [**] [1:2100498:8] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:44591
04/03-11:47:28.034106 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} X.X.X.X -> Y.Y.Y.Y
04/03-12:01:12.771472 [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} X.X.X.X:39613 -> Y.Y.Y.Y:53

As it is the first time I am using VRT (I used ET before and it worked quite well),

[*] is this normal behavior, not to alert on the above events?
[*] if not, is there any configuration I need to set for VRT to work? Here is my snort.conf: https://clbin.com/B8Ikl

Ped
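Added example (not part of Ped's post or of the Snort project): when a ruleset loads without errors but never fires, the two things worth checking before touching preprocessors are whether the rules in each .rules file are actually active rather than commented out, and whether snort.conf still carries an uncommented include line for that file. The POSIX shell script below does both for a rules directory; every path and every rule line it creates is constructed for the demonstration and is not taken from a real VRT snapshot.

```shell
#!/bin/sh
# Added example, not from the original post or from Snort. Audits a Snort
# rules tree: per file, how many rules are enabled vs. commented out, and
# whether snort.conf includes the file at all. All sample data below is
# constructed for the demo.

# Print "<enabled> <disabled>" for one .rules file ($1).
count_rules() {
    rules_file=$1
    enabled=$(grep -cE '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$rules_file" || true)
    disabled=$(grep -cE '^[[:space:]]*#[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$rules_file" || true)
    printf '%s %s\n' "$enabled" "$disabled"
}

# Succeed if snort.conf ($1) has an uncommented include ending in rules basename ($2).
is_included() {
    grep -qE "^[[:space:]]*include[[:space:]]+[^#]*/$2([[:space:]]|\$)" "$1"
}

# One summary line per *.rules file under $2, checked against snort.conf $1.
audit_rules() {
    conf=$1
    rules_dir=$2
    for f in "$rules_dir"/*.rules; do
        [ -e "$f" ] || continue
        base=$(basename "$f")
        counts=$(count_rules "$f")
        en=${counts% *}
        dis=${counts#* }
        if is_included "$conf" "$base"; then inc=included; else inc=NOT-INCLUDED; fi
        printf '%-20s enabled=%-4s disabled=%-4s %s\n' "$base" "$en" "$dis" "$inc"
    done
}

# --- constructed demo data (hypothetical paths and rules) ---
demo=$(mktemp -d)

# A file in the style of a vendor snapshot: most rules shipped commented out.
cat > "$demo/web-misc.rules" <<'EOF'
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CONSTRUCTED disabled rule 1"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CONSTRUCTED disabled rule 2"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CONSTRUCTED enabled rule"; sid:9000003; rev:1;)
EOF

# A fully enabled file that snort.conf never includes, so it can never alert.
cat > "$demo/local.rules" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"CONSTRUCTED ICMP test"; sid:9000004; rev:1;)
EOF

cat > "$demo/snort.conf" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/web-misc.rules
# include $RULE_PATH/local.rules
EOF

audit_rules "$demo/snort.conf" "$demo"
rm -rf "$demo"
```

On the constructed data this prints local.rules as enabled=1 but NOT-INCLUDED and web-misc.rules as included with only one of three rules enabled. Run it against the real /etc/snort/rules and snort.conf to see which files the VRT set actually contributes to, then compare with the rule count that `snort -T -c /etc/snort/snort.conf` reports when it parses the configuration.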

