[Snort-users] questions about snort behavior

Tomas Hajek hajek at ...6518...
Wed Apr 15 08:56:23 EDT 2015


Although I am new to snort as well, I might be able to answer a part of
this.  If you are capturing on en0 and you ping localhost, those are not the
same interfaces, so snort is not going to see this.  localhost is lo, and
most, if not all, traffic to localhost (or 127.0.0.1) never hits the
network.


On Wed, Apr 15, 2015 at 7:46 AM, May Smith <may24x at ...131...> wrote:

> Hi all,
>
> I'm pretty new to snort and have managed to deploy it along with barnyard2
> and Snorby on a test VM (CentOS7 64Bit)
> Now it's time to configure the components so they'll work together.
>
> starting with snort, I realized some strange behaviors, which I'm unsure
> are fault or feature ... ;)
>
> My config regarding the network-to-monitor is:
> # Setup the network addresses you are protecting
> ipvar HOME_NET 192.168.187.130/30
>
> # Set up the external network addresses. Leave as "any" in most situations
> ipvar EXTERNAL_NET !$HOME_NET
>
> I've another (virtual) machine listening to 192.168.178.135 and - for
> testing purposes - created the following rules:
> alert tcp any any -> any 22 (msg:"ssh access";sid:1000003;)
> alert icmp 192.168.187.130 any -> any any (msg:"pings detected";sid:1000002;)
>
> (for testing) my command line to start snort is:
> snort -A console -i eno16777736 -u snort -g snort -c /etc/snort/snort.conf
>
> 1. When I ping 'localhost', the host is reachable but snort recognizes nothing.
> 2. When I ping 192.168.187.135, the host is reachable but snort recognizes nothing.
> 3. When I ping google.com, the host is reachable and snort shows:
> 04/15-07:34:46.978754  [**] [1:1000002:0] pings detected [**] [Priority: 0] {ICMP} 192.168.187.130 -> 98.138.253.109
>
> Why ?
>
> Almost the same behavior with ssh. localhost and 192.168.187.135 don't
> show anything.
> Logging in to another host ... first doesn't show anything ... but when the
> session is closed, I see:
> 04/15-07:37:20.656375  [**] [1:1000003:0] ssh access [**] [Priority: 0] {TCP} 192.168.187.130:33760 -> xxx.xxx.xxx.xxx:22
>
> I'd have expected that snort would alert the moment someone triggers an ssh
> connection ... and not wait until the ssh session is closed!
>
> I've enabled unified logging in /etc/snort/snort.conf, but all I see in
> /var/log/snort is:
>
> /var/log/snort > ls -la
>
> drwxr-xr-x   2 snort snort   34 15. Apr 07:28 .
> drwxr-xr-x. 23 root  root  4096 15. Apr 06:24 ..
> -rw-r--r--   1 snort snort     0 15. Apr 06:24 alert
> -rw-------   1 snort snort    0 15. Apr 07:37 snort.log
>
> Why ?
>
> config entries are:
> # unified2
> # Recommended for most installs
> output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
>
> # Additional configuration for specific types of installs
> output alert_unified2: filename snort.alert, limit 128, nostamp
> output log_unified2: filename snort.log, limit 128, nostamp
>
> can you help me out ?
>
> regards
> May
>
>
>
>

-- 

                Tomas Hajek
                hajek at ...6518...
                1-248-370-3505
                Senior Linux Systems Engineer
                University Technology Services
                Oakland University
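Added example, not code from this thread or from the Snort project: a minimal Python matcher for Snort rule headers (action proto src sport -> dst dport) that resolves ipvars such as $HOME_NET and !$HOME_NET, run against the poster's two test rules and the three ping cases. It models only the rule header, not the capture interface or preprocessors, so it shows which misses the header itself explains (the localhost ping has source 127.0.0.1, not 192.168.187.130) and which it does not (the ping to .135 matches the ICMP header, and .135 lies outside the /30 HOME_NET, which covers .128 to .131).

```python
import ipaddress
import re

# ipvars as posted in the thread's snort.conf
IPVARS = {
    "HOME_NET": "192.168.187.130/30",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Header only; options in (...) are ignored by this matcher.
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\(")

def ip_in_var(ip, spec):
    """True if ip matches a Snort address spec: any, CIDR/host, $VAR or !negated."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_in_var(ip, spec[1:])
    if spec.startswith("$"):
        return ip_in_var(ip, IPVARS[spec[1:]])
    # strict=False lets a host address with a prefix (130/30) name its network
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(port, spec):
    """Port spec is 'any' or a single port; port is None for ICMP."""
    return spec == "any" or (port is not None and int(spec) == port)

def header_matches(rule, proto, src, sport, dst, dport):
    """Check one rule header against a packet 5-tuple (ports None for ICMP)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule header: " + rule)
    _action, r_proto, r_src, r_sport, r_dst, r_dport = m.groups()
    return (r_proto == proto
            and ip_in_var(src, r_src) and ip_in_var(dst, r_dst)
            and port_matches(sport, r_sport) and port_matches(dport, r_dport))

ICMP_RULE = 'alert icmp 192.168.187.130 any -> any any (msg:"pings detected";sid:1000002;)'
SSH_RULE = 'alert tcp any any -> any 22 (msg:"ssh access";sid:1000003;)'

def thread_cases():
    """The poster's three ping cases and the ssh case, header match only."""
    return {
        "ping localhost": header_matches(ICMP_RULE, "icmp", "127.0.0.1", None, "127.0.0.1", None),
        "ping .135": header_matches(ICMP_RULE, "icmp", "192.168.187.130", None, "192.168.187.135", None),
        "ping google": header_matches(ICMP_RULE, "icmp", "192.168.187.130", None, "98.138.253.109", None),
        "ssh to .135": header_matches(SSH_RULE, "tcp", "192.168.187.130", 33760, "192.168.187.135", 22),
    }
```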