[Snort-users] Snort even though working properly does not report majority of rules
hcol1987 at ...11827...
Mon Feb 16 09:42:32 EST 2015
I have installed Snort 220.127.116.11 and it does not detect majority of attacks,
such as nmap port scans, downloading exe files, opening documents
containing keyword "root".
I use Snort together with Pulled Pork and Barnyard2. Everything seems to
function and I can see alerts on the website that is powered by BASE.
The problem is that I can only trigger 3 different alerts. Everything else
is simply not detected. I want obviously to be able to get alerts when
someone performs port scanning, trying to attempt to perform DDOS attack
and so on. This I cannot trigger. Do I have to enable something
I have made my own local.rules file, which contains a single rule -
monitoring of ICMP echo packets.
Pulled Pork does show that it has downloaded over 20000 rules and over 5000
rules are enabled. This can be seen in snort.rules file, which I included
in snort.conf file.
The 3 alerts I am able to trigger are:
stream5: TCP Small Segment Threshold Exceeded (this is due to my old Win
ssh: Protocol mismatch (this is due to my old Putty client)
ICMP test (my own rule from local.rules)
My snort.conf can be found on the following website (had to move it there,
because i reached max chars list): https://paste.ee/p/RTUgY
My pulledpork.conf can be found on the following website:
My local.rules looks like this (which does work):
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;
What is strange is that last Friday, Snort suddenly started to work and
used Pulled Pork's rules. However, currently, when I am writing this, it
doesn't work anymore. I tried to reinstall Snort, Barnyard2 and everything
else on a completely fresh Linux computer. It didn't help.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users