[Snort-users] [WARNING: UNSCANNABLE EXTRACTION FAILED] Snort not detect attack on mirroring port
Al Lewis (allewi)
allewi at cisco.com
Sat Jun 15 10:52:14 EDT 2019
Are you able to capture the traffic (using tcpdump) in the scenario that doesn’t alert?
If so, as a quick test, are you able to replay that captured traffic directly into snort (using -r )? Do you get alerts then?
Are you able to share the pcaps of the working vs non working sessions?
Cisco Systems Inc.
Email: allewi at cisco.com<mailto:allewi at cisco.com>
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Сергей Беляев via Snort-users <snort-users at lists.snort.org>
Reply-To: Сергей Беляев <bamkrgd at mail.ru>
Date: Saturday, June 15, 2019 at 9:26 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [WARNING: UNSCANNABLE EXTRACTION FAILED][Snort-users] Snort not detect attack on mirroring port
Excuse me for my bad english.
I Iinstall snort 2.9.11 on ubuntu 12.04 from sources and connect it to HP ProCurve 2510G mirror port.
My mirroring scheme in file mirror.pdf and snort host configuration in file snort_host_conf.png
I tried attack my test windows xp machine from kali by script ms_08_067_netapi.rb, which exploits cve-2008-4250 vulnerability. And snort not detect it.
Then i tried the same attack from kali to windows xp via linux in routing mode - scheme snort_on_router.pdf
And in this scheme snort detect attacks successfully by triggering rule sid 14782 in file os-windows.rules
My snort config in snort.tar.gz
May be it is bag that snort not detect attack from mirroring traffic?
Installing snort 2.9.13 to ubuntu 16.04 - same result.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users