[Snort-users] [WARNING: UNSCANNABLE EXTRACTION FAILED] Snort not detect attack on mirroring port

Al Lewis (allewi) allewi at cisco.com
Sat Jun 15 10:52:14 EDT 2019


Are you able to capture the traffic (using tcpdump) in the scenario that doesn’t alert?

If so, as a quick test, are you able to replay that captured traffic directly into snort (using -r )? Do you get alerts then?

Are you able to share the pcaps of the working vs non working sessions?

Albert Lewis
Cisco Systems Inc.
Email: allewi at cisco.com<mailto:allewi at cisco.com>

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Сергей Беляев via Snort-users <snort-users at lists.snort.org>
Reply-To: Сергей Беляев <bamkrgd at mail.ru>
Date: Saturday, June 15, 2019 at 9:26 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [WARNING: UNSCANNABLE EXTRACTION FAILED][Snort-users] Snort not detect attack on mirroring port

  Excuse me for my bad english.
  I Iinstall snort 2.9.11 on ubuntu 12.04 from sources and connect it to HP ProCurve 2510G mirror port.
  My mirroring scheme in file mirror.pdf and snort host configuration in file snort_host_conf.png
  I tried attack my test windows xp machine from kali by script ms_08_067_netapi.rb, which exploits cve-2008-4250 vulnerability. And snort not detect it.
  Then i tried the same attack from  kali to windows xp via linux in routing mode - scheme snort_on_router.pdf
  And in this scheme snort detect attacks successfully by triggering rule sid 14782 in file os-windows.rules
  My snort config in snort.tar.gz
  May be it is bag that snort not detect attack from mirroring traffic?
  Installing snort 2.9.13 to ubuntu 16.04 - same result.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190615/37cf5487/attachment.html>

More information about the Snort-users mailing list