snort-users May 2008 archive

Re: [Snort-users] Snort only alert about traffic with an specific IP

From: Berta Alcala <berta83_at_nospam>
Date: Fri May 30 2008 - 10:52:22 GMT
To: rmkml <rmkml@free.fr>


Hi Rmkml,

I've received some emails from you. In one of them you say that I can try the "-k none" option to disable checksums. I have installed snort as a windows service with this command:

snort /SERVICE /INSTALL -dev -c c:\snort\etc\snort.conf -l c:\snort\log -i2 -k none

But everything is the same.

In another email you say that I have enabled stream5 in snort.conf; it's true, but I don't know if it is compiled into the snort binary (and I don't know how I can do it).

I sent you an email with the output you asked me for (salida.log). I haven't received anything else.

Thanks

2008/5/30 rmkml <rmkml@free.fr>:

> Hi Berta,
> I answered your questions; have you received my email?
> Regards
> Rmkml
>
> On Fri, 30 May 2008, Berta Alcala wrote:
>
> Date: Fri, 30 May 2008 10:12:39 +0200
>> From: Berta Alcala <berta83@gmail.com>
>> To: Jason Brvenik <jasonb@sourcefire.com>
>> Cc: snort <snort-users@lists.sourceforge.net>,
>> Paul Schmehl <pschmehl_lists_nada@tx.rr.com>
>> Subject: Re: [Snort-users] Snort only alert about traffic with an specific
>> IP
>>
>> Thank you very much for your help.
>> I cannot access the switch I'm connected to, so I don't know how it is
>> configured. I will try to get access to the switch.
>> I'm doing a degree essay at the University and the most important thing
>> for me is to know why something doesn't work; if the problem is the switch,
>> that is enough for me. But what I really need to know is why some rules work
>> and why others don't.
>>
>> If you use this rule, does it work for you? why not for me??
>>
>> alert tcp $HOME_NET any -> any 1863 (msg:"CHAT MSN logout"; flags:PA+;
>> content:"OUT"; classtype:policy-violation; sid:1000009; rev:1;)
>>
>> I have no problem with a rule to alert about MSN login, that is similar
>> but with content "LoginTime" instead of "OUT".
>>
>> Or this other one from info.rules ("INFO FTP no password", with sid:489,
>> works for me):
>>
>> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login";
>> flow:from_server,established; content:"530 ";
>> pcre:"/^530\s+(Login|User)/smi";
>> classtype:bad-unknown; sid:491; rev:8;)
>>
>> There are many rules that don't work. I suppose the problem has to be in
>> snort.conf file.
>>
>>
>>
>>
>> 2008/5/29 Jason Brvenik <jasonb@sourcefire.com>:
>> Are you monitoring a span or mirror port?
>>
>>
>> Berta Alcala wrote:
>> Hi,
>>
>> I tried with this rule (only this rule, the rest were commented
>> in snort.conf):
>>
>> alert tcp any any -> any any (msg:"TCP traffic";sid:1000011;
>> rev:1;)
>>
>> The only alerts registered are those which have my IP (source
>> or destination). Using Ethereal I only see traffic with my IP as source
>> or destination, or broadcast traffic. I cannot see a ping
>> between two other PCs with Ethereal, nor with Snort (I attach a
>> pcap file).
>>
>> I have this information in snort.conf:
>>
>> var HOME_NET 172.18.64.0/19
>> var EXTERNAL_NET any
>> var DNS_SERVERS $HOME_NET
>> var SMTP_SERVERS $HOME_NET
>> var HTTP_SERVERS $HOME_NET
>> var SQL_SERVERS $HOME_NET
>> var TELNET_SERVERS $HOME_NET
>> var SNMP_SERVERS $HOME_NET
>>
>> Snort is installed as a Windows service with this command line:
>> snort /SERVICE /INSTALL -dev -c c:\Snort\etc\snort.conf -l c:\Snort\log -i2
>>
>> I use Windows XP+Snort 2.7+Base
>>
>> Jason, how can I disable checksums?
>>
>> 2008/5/27 Paul Schmehl <pschmehl_lists@tx.rr.com>:
>>
>> Thousands of security professionals worldwide are using snort
>> successfully. So, you can start with the safe assumption that the
>> problem isn't snort.
>>
>> Whether or not snort alerts on traffic is entirely dependent upon
>> two things:
>> 1) Traffic is passing the interface that snort is listening on
>> 2) You have snort properly configured to see that traffic.
>>
>> If you've convinced yourself, using Ethereal, that traffic *is*
>> being seen on that interface, then that narrows the problem down to
>> your configuration of snort.
>>
>> What have you defined $HOME_NET as?
>> What have you defined $EXTERNAL_NET as?
>> What rules have you enabled in snort.conf?
>> What are your startup options for snort (what interface, where do you
>> log, etc.)?
>>
>> To quickly see if snort is working at all, write a rule that looks
>> for everything:
>>
>> alert ip any any -> any any (msg:"Testing for detection capability";
>> sid:1000001; rev:1;)
>>
>> Don't even bother editing sid-msg.map. All you care about is seeing
>> that alerts are being generated. Depending upon your traffic, this
>> could generate a ton of alerts in short order, so be prepared to
>> shut down snort before you get overwhelmed.
>>
>> What are you using to view the alerts?
>>
>> -- Paul Schmehl
>> As if it wasn't already obvious,
>> my opinions are my own and not
>> those of my employer.
>>
>>
>>
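Jason's question ("are you monitoring a span or mirror port?") is the one to settle before touching snort.conf, because a rule can only fire on packets the interface actually receives. The following script is an added example, not code from this thread or from the Snort project: it reads a classic libpcap file (as saved by Ethereal) with a small hand-written parser and counts how many IPv4 packets involve the sensor's own address or a broadcast versus third-party traffic. The sensor address 172.18.64.10 and the four sample frames are constructed for the example; if a real capture from the Snort interface shows zero third-party packets, the port is not mirrored and no rule or checksum option will change what Snort sees.

```python
import struct
from collections import Counter

SENSOR_IP = "172.18.64.10"      # constructed: the host Snort runs on
BROADCAST = "255.255.255.255"

def build_frame(src, dst, proto=1):
    """Build a minimal Ethernet + IPv4 frame (no payload) for the sample capture."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"  # dst, src, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (global header + record headers)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1212000000 + i, 0, len(f), len(f)) + f
    return out

# Constructed capture: sensor <-> gateway, a broadcast, and a ping between two other PCs
SAMPLE_PCAP = build_pcap([
    build_frame(SENSOR_IP, "172.18.64.1"),
    build_frame("172.18.64.1", SENSOR_IP),
    build_frame("172.18.64.20", BROADCAST, proto=17),
    build_frame("172.18.64.20", "172.18.64.30"),
])

def ip_pairs(pcap_bytes):
    """Yield (src, dst) for every IPv4-over-Ethernet packet in a little-endian pcap."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    assert magic == 0xA1B2C3D4, "only classic little-endian pcap is handled here"
    off = 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack("<I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (ARP, VLAN-tagged, truncated): skip
        yield ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))

def visibility_report(pcap_bytes, sensor_ip):
    """Count packets the sensor would see anyway vs. traffic that proves mirroring."""
    counts = Counter()
    for src, dst in ip_pairs(pcap_bytes):
        key = "own_or_broadcast" if sensor_ip in (src, dst) or dst == BROADCAST else "third_party"
        counts[key] += 1
    return dict(counts)

if __name__ == "__main__":
    print(visibility_report(SAMPLE_PCAP, SENSOR_IP))
```

To check a real capture, replace SAMPLE_PCAP with the bytes of the saved file and SENSOR_IP with the monitoring host's address.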


