[Snort-users] questions about snort behavior

Al Lewis (allewi) allewi at ...589...
Wed Apr 15 09:02:13 EDT 2015


1) When you ping localhost, that probably resolves to and will hit your loopback, which probably isn’t your monitoring interface.
2) Your HOME_NET is with a /30 mask. shouldn’t even be reachable since that destination is outside your HOME_NET’s addressable network range.
3) Traffic is coming from/to the HOME_NET.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
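To make points 1 and 2 concrete, here is an added example (not code from the list, from Snort, or from either poster) that evaluates Snort-style rule headers against sample packets, including the interface the sensor was started on and the $HOME_NET / $EXTERNAL_NET variables; the HOME_NET address, interface name check and packet dicts are constructed assumptions, since the original addresses were scrubbed.

```python
import ipaddress
# Constructed values: the original post's HOME_NET address was scrubbed, only
# the /30 mask is known, so a documentation prefix stands in for it.
VARS = {"HOME_NET": "192.0.2.0/30", "EXTERNAL_NET": "!$HOME_NET"}
MONITORED_IFACE = "eno16777736"  # the -i interface from the original post

def addr_matches(spec, ip):
    """Resolve a Snort address spec (any, CIDR, $VAR, !spec) against ip."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return addr_matches(VARS[spec[1:]], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """Resolve a Snort port spec (any, N, lo:hi, !spec) against port."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)

def rule_header_matches(rule, pkt):
    """Check a rule header against a packet dict; returns (matched, reason)."""
    # A sensor only sees the interface it was started on: loopback traffic
    # (ping localhost) never crosses eno16777736, so no rule can fire on it.
    if pkt["iface"] != MONITORED_IFACE:
        return False, f"seen on {pkt['iface']}, sensor listens on {MONITORED_IFACE}"
    _, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()
    if proto != pkt["proto"]:
        return False, "protocol mismatch"
    fwd = (addr_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
           and addr_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))
    rev = direction == "<>" and (
        addr_matches(src, pkt["dst"]) and port_matches(sport, pkt["dport"])
        and addr_matches(dst, pkt["src"]) and port_matches(dport, pkt["sport"]))
    return (True, "header matched") if (fwd or rev) else (False, "address/port mismatch")

def home_net_hosts():
    """Usable hosts inside HOME_NET: a /30 leaves exactly two."""
    return [str(h) for h in ipaddress.ip_network(VARS["HOME_NET"]).hosts()]
```

Feeding the ssh rule from the original post a destination just outside the /30 shows why point 2 matters: the header never matches, independent of routing.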

From: May Smith [mailto:may24x at ...131...]
Sent: Wednesday, April 15, 2015 7:46 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] questions about snort behavior

Hi all,

I'm pretty new to snort and have managed to deploy it along with barnyard2 and Snorby on a test VM (CentOS7 64Bit).
Now it's time to configure the components so they'll work together.

Starting with snort, I realized some strange behaviors, which I'm unsure are a fault or a feature ... ;)

My config regarding the network-to-monitor is:
# Setup the network addresses you are protecting
ipvar HOME_NET

# Set up the external network addresses. Leave as "any" in most situations

I've another (virtual) machine listening on and - for testing purposes - created the following rules:
alert tcp any any -> any 22 (msg:"ssh access";sid:1000003;)
alert icmp any -> any any (msg:"pings detected";sid:1000002;)

(for testing) my command line to start snort is: snort -A console -i eno16777736 -u snort -g snort -c /etc/snort/snort.conf

1. when I ping 'localhost', the host is reachable but snort recognizes nothing.
2. when I ping, the host is reachable but snort recognizes nothing.
3. when I ping google.com host is reachable and snort shows: 04/15-07:34:46.978754  [**] [1:1000002:0] pings detected [**] [Priority: 0] {ICMP} ->

Why ?

Almost the same behavior with ssh. localhost and don't show anything.
Logging in to another host ... at first doesn't show anything ... but when the session is closed, I see:
04/15-07:37:20.656375  [**] [1:1000003:0] ssh access [**] [Priority: 0] {TCP} -> xxx.xxx.xxx.xxx:22

I'd expected that snort would alert the moment someone triggers an ssh connection ... and not wait until the ssh session is closed!

I've enabled unified logging in /etc/snort/snort.conf, but all I see in /var/log/snort is:

/var/log/snort > ls -la

drwxr-xr-x   2 snort snort   34 15. Apr 07:28 .
drwxr-xr-x. 23 root  root  4096 15. Apr 06:24 ..
-rw-r--r--   1 snort snort     0 15. Apr 06:24 alert
-rw-------   1 snort snort    0 15. Apr 07:37 snort.log

Why ?

config entries are:
# unified2
# Recommended for most installs
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp

Can you help me out?

