[Snort-users] Snort not detect attack on mirroring port

Сергей Беляев bamkrgd at mail.ru
Fri Jun 14 05:27:00 EDT 2019


Hello.
  Excuse me for my bad English.
  I installed Snort 2.9.11 on Ubuntu 12.04 from sources and connected it to an HP ProCurve 2510G mirror port.
  My mirroring scheme is in the file mirror.pdf and the Snort host configuration is in the file snort_host_conf.png.
  I tried to attack my test Windows XP machine from Kali with the script ms_08_067_netapi.rb, which exploits the CVE-2008-4250 vulnerability, and Snort did not detect it.
  Then I tried the same attack from Kali to Windows XP via Linux in routing mode (scheme in snort_on_router.pdf).
  In this scheme Snort detects the attacks successfully, triggering rule sid 14782 in the file os-windows.rules.
  My Snort config is in snort.tar.gz.
  Could it be a bug that Snort does not detect the attack in mirrored traffic?
  Installing Snort 2.9.13 on Ubuntu 16.04 gives the same result.


Sergey
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mirror.pdf
Type: application/pdf
Size: 17214 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190614/668c7f06/attachment-0002.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.tar.gz
Type: application/x-gzip
Size: 970637 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190614/668c7f06/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_host_conf.png
Type: image/png
Size: 126148 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190614/668c7f06/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_on_router.pdf
Type: application/pdf
Size: 13218 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190614/668c7f06/attachment-0003.pdf>