[Snort-users] [WARNING: UNSCANNABLE EXTRACTION FAILED] Snort not detect attack on mirroring port
dorianbrice at hotmail.fr
Sun Jun 16 08:48:48 EDT 2019
For tcpdump and pcap with Snort itself, follow these two links:
I hope it will be helpful.
Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Al Lewis (allewi) via Snort-users <snort-users at lists.snort.org>
Sent: Saturday, June 15, 2019 4:52:14 PM
To: Сергей Беляев; snort-users at lists.snort.org
Subject: Re: [Snort-users] [WARNING: UNSCANNABLE EXTRACTION FAILED] Snort not detect attack on mirroring port
Are you able to capture the traffic (using tcpdump) in the scenario that doesn’t alert?
If so, as a quick test, are you able to replay that captured traffic directly into snort (using -r)? Do you get alerts then?
Are you able to share the pcaps of the working vs non working sessions?
Cisco Systems Inc.
Email: allewi at cisco.com<mailto:allewi at cisco.com>
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Сергей Беляев via Snort-users <snort-users at lists.snort.org>
Reply-To: Сергей Беляев <bamkrgd at mail.ru>
Date: Saturday, June 15, 2019 at 9:26 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [WARNING: UNSCANNABLE EXTRACTION FAILED][Snort-users] Snort not detect attack on mirroring port
Excuse me for my bad English.
I installed Snort 2.9.11 on Ubuntu 12.04 from source and connected it to an HP ProCurve 2510G mirror port.
My mirroring scheme is in the file mirror.pdf and the Snort host configuration is in the file snort_host_conf.png.
I tried attacking my test Windows XP machine from Kali with the script ms_08_067_netapi.rb, which exploits the CVE-2008-4250 vulnerability, and Snort did not detect it.
Then I tried the same attack from Kali to Windows XP via Linux in routing mode (scheme in snort_on_router.pdf).
In this scheme Snort detects the attack successfully by triggering rule SID 14782 in the file os-windows.rules.
My Snort config is in snort.tar.gz.
Maybe it is a bug that Snort does not detect the attack from mirrored traffic?
Installing Snort 2.9.13 on Ubuntu 16.04 gives the same result.
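The capture-then-replay test Al Lewis suggests (tcpdump -w on the mirror interface, then snort -r on the file) is easier to interpret if you first confirm what the mirror capture actually contains. The example below is added here and is not code from the thread or from the Snort project: a small pure-Python libpcap reader that groups TCP packets into flows and reports flows seen in only one direction and 802.1Q-tagged frames, two things that commonly differ between a SPAN/mirror capture and an inline one. Snort's stream preprocessor only tracks a TCP session it sees both directions of, so a rule that requires an established flow will not fire on a one-way mirror, even though the same attack alerts when Snort sits on the router. The pcap bytes here are constructed in the script (the addresses and ports are made up); on a real file, call analyze_capture(open("capture.pcap", "rb").read()).

```python
"""Sanity-check a SPAN/mirror-port capture before replaying it with snort -r.

Added example, not code from the thread.  Reads classic libpcap files (what
tcpdump -w writes by default), not pcapng.  The sample capture is constructed
inline below so the script runs offline.
"""
import struct
from collections import defaultdict

ETH_VLAN, ETH_IP4, PROTO_TCP = 0x8100, 0x0800, 6


def parse_pcap(data):
    """Yield raw link-layer frames from a classic libpcap byte string."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    off = 24  # 24-byte global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return (vlan_id or None, (src, sport, dst, dport)) for IPv4/TCP frames, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETH_VLAN:  # 802.1Q tag: 2-byte TCI, then the real ethertype
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != ETH_IP4:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != PROTO_TCP:
        return None
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst = ".".join(str(b) for b in frame[off + 16:off + 20])
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return vlan, (src, sport, dst, dport)


def analyze_capture(data):
    """Count packets per direction for each TCP flow; flag one-way flows and VLAN tags."""
    flows = defaultdict(lambda: [0, 0])  # (low endpoint, high endpoint) -> [low->high, high->low]
    vlan_frames = 0
    for frame in parse_pcap(data):
        decoded = decode_frame(frame)
        if decoded is None:
            continue
        vlan, (src, sport, dst, dport) = decoded
        if vlan is not None:
            vlan_frames += 1
        a, b = (src, sport), (dst, dport)
        if a <= b:
            flows[(a, b)][0] += 1
        else:
            flows[(b, a)][1] += 1
    one_way = [key for key, (fwd, rev) in flows.items() if fwd == 0 or rev == 0]
    return {"flows": dict(flows), "one_way": one_way, "vlan_frames": vlan_frames}


# --- constructed sample capture (made-up hosts; not a real mirror-port capture) ---
def _tcp_frame(src, sport, dst, dport, vlan=None):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 12
    if vlan is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan)
    return eth + struct.pack("!H", ETH_IP4) + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic libpcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    _tcp_frame("192.168.1.10", 49152, "192.168.1.20", 445),           # attacker -> SMB
    _tcp_frame("192.168.1.20", 445, "192.168.1.10", 49152),           # reply seen: full flow
    _tcp_frame("192.168.1.10", 49152, "192.168.1.20", 445, vlan=10),  # tagged frame
    _tcp_frame("192.168.1.10", 49153, "192.168.1.20", 445),           # second flow...
    _tcp_frame("192.168.1.10", 49153, "192.168.1.20", 445),           # ...never sees a reply
])

if __name__ == "__main__":
    report = analyze_capture(SAMPLE_PCAP)
    for key, (fwd, rev) in report["flows"].items():
        print(f"{key[0]} <-> {key[1]}: {fwd} fwd / {rev} rev")
    print("one-way flows:", report["one_way"])
    print("802.1Q-tagged frames:", report["vlan_frames"])
```

If the mirror capture shows the exploit's SMB session in only one direction, the fix is on the switch side (mirror both ingress and egress of the monitored port); if frames carry VLAN tags that the inline capture lacks, compare how the two Snort instances are configured to decode them before concluding that detection itself is broken.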