[Snort-users] Issue: Output on console not displayed on Snort computer

Benjamin Sanchez Murillo eljami at gmail.com
Fri Aug 31 20:04:28 EDT 2018


Hello,

I am trying to configure Snort on Ubuntu by following the Snort setup guide
Snort_2.9.9.x_on_Ubuntu_14-16.pdf by Noah Dietrich. I am stuck on section
12, Writing a Simple Rule to Test Snort Detection, page 11. Please let me
know if you can help me solve my issue below. Thank you!

-----------------------------------------------
1) Issue:
Output on console not displayed on Snort computer (Ubuntu: 192.168.1.X)
when I ping it from another computer (Kali: 192.168.1.Y)

2) Steps to recreate:
@ubuntu:~$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33
(blinking cursor)


@kali:~# ping 192.168.1.X
64 bytes from 192.168.1.X: icmp_seq=1 ttl=64 time=1.06 ms
64 bytes from 192.168.1.X: icmp_seq=2 ttl=64 time=0.885 ms
64 bytes from 192.168.1.X: icmp_seq=3 ttl=64 time=0.391 ms
(...)
--- 192.168.1.X ping statistics ---
21 packets transmitted, 21 received, 0% packet loss, time 454ms
rtt min/avg/max/mdev = 0.251/0.624/1.565/0.259 ms

3) Results:
The Ubuntu machine's cursor continues to blink; however, I don't see the expected
"ICMP test detected" message in the console.


4) Background:

Ubuntu and Kali are installed on VMware, both configured as Bridged (Autodetect).
I can ping Kali from Ubuntu and Ubuntu from Kali, both with 0% packet loss.

@ubuntu:~$ uname -a
Linux ubuntu 4.15.0-33-generic #36~16.04.1-Ubuntu SMP Wed Aug 15 17:21:05 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

@ubuntu:~$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1 GRE (Build 268)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights
reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.38 2015-11-23
           Using ZLIB version: 1.2.8

@ubuntu:~$ ifconfig | grep "inet add"
          inet addr:192.168.1.X  Bcast:192.168.1.255  Mask:255.255.255.0
          inet addr:127.0.0.1  Mask:255.0.0.0

5) The snort.conf file

@ubuntu:~$ sudo vi /etc/snort/snort.conf
(...)
44 # Setup the network addresses you are protecting
45 ipvar HOME_NET 192.168.0.0/24
(...)
545 # site specific rules
546 include $RULE_PATH/local.rules
(...)

6) The local.rules file
@ubuntu:~$ sudo vi /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)

7) The sid-msg.map file
@ubuntu:~$ sudo vi /etc/snort/sid-msg.map

#v2
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792

8) Testing snort.conf to see if the rule has been loaded
@ubuntu:~$ sudo snort -T -i ens33 -c /etc/snort/snort.conf

(...)

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       0       0       1       0
|      nc       0       0       1       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

Snort successfully validated the configuration!
Snort exiting
(...)

@ubuntu:/var/log/snort$ ls -a
.  ..  archived_logs

@ubuntu:/var/log/snort/archived_logs$ ls -a
.  ..
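The rule quoted above only fires when the packet's destination address is inside $HOME_NET, and the snort.conf quoted above sets HOME_NET to 192.168.0.0/24 while the sensor sits at 192.168.1.X. The following script is an added illustration (not the poster's code and not part of Snort) that models just that narrow case: it parses the ipvar line, asks whether the sensor's own interface address is covered, and evaluates an echo request and its reply against a destination-constrained ICMP rule. The addresses 192.168.1.10 and 192.168.1.20 are constructed stand-ins for the anonymised 192.168.1.X and 192.168.1.Y; the bracketed-list form of ipvar is handled too, which goes slightly beyond the single-CIDR line in the post. Negated entries (!10.0.0.0/8) are not modelled.

```python
"""Pre-flight check for a Snort HOME_NET / ICMP test-rule mismatch.

Added example, not code from the original post or from the Snort project.
Models only a rule of the shape
    alert icmp any any -> $HOME_NET any (...)
whose sole address constraint is that the destination lies in HOME_NET.
"""
import ipaddress
import re

# Constructed excerpt mirroring the snort.conf lines quoted in the post.
SNORT_CONF = """
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.0.0/24
"""

# Constructed stand-ins for the anonymised hosts in the post.
SENSOR_ADDR = "192.168.1.10"   # the Ubuntu box running Snort (192.168.1.X)
PINGER_ADDR = "192.168.1.20"   # the Kali box sending the pings (192.168.1.Y)


def parse_ipvar(conf_text, name):
    """Return the networks assigned to `ipvar <name>` in conf_text.

    Accepts a single CIDR (192.168.0.0/24), a bracketed comma list
    ([10.0.0.0/8,192.168.1.0/24]) and the keyword 'any' (0.0.0.0/0).
    Negated entries are deliberately not supported here.
    """
    pattern = re.compile(r"^\s*ipvar\s+%s\s+(\S+)\s*$" % re.escape(name), re.M)
    match = pattern.search(conf_text)
    if match is None:
        raise ValueError("ipvar %s not found in configuration" % name)
    nets = []
    for item in match.group(1).strip("[]").split(","):
        item = item.strip()
        if item.startswith("!"):
            raise ValueError("negated ipvar entries are not modelled: %s" % item)
        if item.lower() == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def in_home_net(addr, home_net):
    """True if addr falls inside any network of the HOME_NET list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home_net)


def icmp_rule_matches(src, dst, home_net):
    """Model of `alert icmp any any -> $HOME_NET any`.

    Source is 'any', so only the destination is tested; src is kept in the
    signature to make the direction of each packet explicit to the reader.
    """
    del src  # unconstrained by the rule
    return in_home_net(dst, home_net)


def sensor_covered(interface_addr, home_net):
    """Sanity check: does HOME_NET cover the sensor's own interface address?

    If this is False, pings *to* the sensor can never match a rule whose
    destination is $HOME_NET, regardless of how the rule itself is written.
    """
    return in_home_net(interface_addr, home_net)


if __name__ == "__main__":
    home = parse_ipvar(SNORT_CONF, "HOME_NET")
    print("HOME_NET =", [str(n) for n in home])
    print("sensor %s covered by HOME_NET: %s" % (SENSOR_ADDR, sensor_covered(SENSOR_ADDR, home)))
    # Echo request from Kali to the sensor, then the echo reply back.
    for src, dst in ((PINGER_ADDR, SENSOR_ADDR), (SENSOR_ADDR, PINGER_ADDR)):
        print("icmp %s -> %s alerts: %s" % (src, dst, icmp_rule_matches(src, dst, home)))
```

Run against the quoted configuration the check reports that neither direction of the ping alerts and that the sensor address is outside HOME_NET; with an ipvar line that covers the sensor's subnet the echo request matches. Snort's own -T run cannot surface this, because the rule is syntactically valid and loads fine; the mismatch is purely between the variable's value and the traffic you expect it to see.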

