Snort mailing list archives
Re: real basic starter rules
From: Phil Wood <cpw () lanl gov>
Date: Thu, 25 Apr 2002 08:49:19 -0600
On Wed, Apr 24, 2002 at 06:53:39PM -0700, Harry Putnam wrote:
I'm having a rough time getting started with snort. Just installed the latest 8.6 from source. Had no problems with build. But now reading the Users Manual and trying to put together just some simple stuff to see what things do what. Maybe some examples I've taken direct from the Manual but edited in various ways will be the quickest way for any prospective poster to see what I'm screwing up. I always seem to have more than my share of trouble learning new apps, so I've come to believe it's a built-in operator problem on my end, so please bear with me as I pose possibly old worn-out questions.

After running some of the command lines from the first section of the manual I decided to push on to the next section about using the snort.conf file. A few of the things I tried after reading some of it seemed not to do what I understood they should:

1) The bidirectional example caught my attention.

    log !192.168.1.0/24 any <> 192.168.1.0/24 23

Only I couldn't see why the NOT (!) operator was in there.
First, fix the rule. You did not have a protocol specified after the 'log'. Then think of 192.168.1.0 as host A and !192.168.1.0 as NOT A (let's call him B). Then the rule above will log the following:

    B(any port) to A(telnet[23] port)
    and
    A(telnet port) to B(any port)

Basically, it will log both traffic to and from the telnet daemon* on A.

* Unless you are someone like DoubleClick who listens to http on port 23.
The discussion indicates it is supposed to capture both sides of the conversation. Editing a little, I set the numbers to reflect my setup and changed the port number to 21 (ftp). So with

    cat /usr/local/etc/snort.conf
    log !192.168.0.0/24 any <> 192.168.0.0/24 21

And having created the following directory: /var/log/snort/tests.

    ls -ld /var/log/snort/tests
    drwxr-xr-x    2 root     root         4096 Apr 24 17:15 /var/log/snort/tests

Using this command line:

    snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf

I get these results:

    root # snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf
    Log directory = /var/log/snort/tests
    Initializing Network Interface eth0

            --== Initializing Snort ==--
    Decoding Ethernet on interface eth0
    Initializing Preprocessors!
    Initializing Plug-ins!
    Initializating Output Plugins!
    Parsing Rules file /usr/local/etc/snort.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    ERROR /usr/local/etc/snort.conf (1): Bad rule in rules file

    Fatal Error, Quitting..
Re-check snort.conf line 1 or send it to me. It is a bad rule; believe the program, re-check. Did you really insert the protocol (tcp)?
Fails completely. After trying quite a few edited versions with no better success, I moved on to some other experiments. I thought maybe being more specific would let me see what I'm doing wrong:

    cat /usr/local/etc/snort.conf
    log tcp any any -> 128.111.24.43 21
This rule will only give you traffic to port 21. You will not get both to and from host 128.111.24.43:21.
command line:

    snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf
I think you are in what Marty calls '3.0 PACKET LOGGER MODE' (please take another look at the file USAGE), and then move down to '4.0 NETWORK INTRUSION DETECTION MODE'.
This time I see the traffic when I run an ftp session in another xterm. But pinging the address shows the traffic too. But it doesn't get logged, so I guess I'm supposed to see any traffic but only log the stuff on port 21. And sure enough, I get a log file in a directory named with my local address:

    ls ./192.168.0.5/TCP:3336-21

showing the traffic. But I can't tell if I'm getting both sides. I think not.
You bet.
Now I'm getting closer at least, but I really want to narrow it down to a single machine on the network, trying:

    log tcp 192.168.0.6 any -> 128.111.24.43 21
Let's just stop the foo. Do this:

    echo 'log tcp !128.111.24.43 any <> 128.111.24.43 21' > snort.conf
    rm -rf log
    mkdir log
    snort -d -l log -c snort.conf

Then run your ftp to 128.111.24.43 and quit. Then break out of the snort process. Then:

    cd log

and cd to the directory that has the address of your client (which better not be 128.111.24.43), and look in the file TCP:xxxxx-21 (where xxxxx is the source port from the ftp client). You should see massive quantities of ftp foo going both ways.

Now, did you know that ftp (port 21) is only used for commands and not ftp data? So, you won't see any ftp data in the file, just the tcp handshake, any ftp protocol exchanges, and finally the FIN exchange.
Fire up an ftp session from 192.168.0.6 to 128.111.24.43. I don't see any of this traffic. I do see all kinds of other guff going by, but not that ftp session.
You shouldn't see any other guff unless you have more rules besides just the one we have been discussing.
What is my error above? How can I track an ftp session from machine 192.168.0.6 to 128.111.24.43 21, or any other client/server pair?
Try it again.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Phil Wood, cpw () lanl gov
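The rule-header behaviour argued over in this thread (a missing protocol field is a "Bad rule", `->` matches one direction only, `<>` matches both, `!` negates an address) can be checked without a live interface. The following is an added example written for this archive page, not Snort's own code: a small evaluator for Snort rule *headers* only (action, protocol, source, source port, direction, destination, destination port; no rule options), with the packet tuples constructed inline to mirror the hosts and ports used above.

```python
"""Minimal evaluator for Snort rule headers (no rule options).

Added example for this thread, not Snort code. It models only the header
grammar discussed above: action proto src sport (-> | <>) dst dport, with
'any', CIDR networks, single ports or lo:hi ranges, and '!' negation.
"""
import ipaddress
from dataclasses import dataclass

ACTIONS = {"alert", "log", "pass"}
PROTOS = {"tcp", "udp", "icmp", "ip"}


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: tuple      # (negated, IPv4Network or None for 'any')
    sport: tuple    # (negated, (lo, hi) or None for 'any')
    bidir: bool     # True for '<>', False for '->'
    dst: tuple
    dport: tuple


def _negated(tok):
    return (True, tok[1:]) if tok.startswith("!") else (False, tok)


def _parse_addr(tok):
    neg, tok = _negated(tok)
    net = None if tok == "any" else ipaddress.ip_network(tok, strict=False)
    return neg, net


def _parse_port(tok):
    neg, tok = _negated(tok)
    if tok == "any":
        return neg, None
    if ":" in tok:                      # lo:hi, with either end open
        lo, hi = tok.split(":", 1)
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else 65535
    else:
        lo = hi = int(tok)
    return neg, (lo, hi)


def parse_rule(line):
    """Parse one header line; raise ValueError the way Snort rejects it."""
    parts = line.split()
    if len(parts) != 7:
        raise ValueError(f"Bad rule: {line!r} "
                         "(expected: action proto src sport dir dst dport)")
    action, proto, src, sport, direction, dst, dport = parts
    if action not in ACTIONS:
        raise ValueError(f"Bad rule: unknown action {action!r}")
    if proto not in PROTOS:
        raise ValueError(f"Bad rule: unknown protocol {proto!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"Bad rule: unknown direction {direction!r}")
    return Rule(action, proto, _parse_addr(src), _parse_port(sport),
                direction == "<>", _parse_addr(dst), _parse_port(dport))


def is_bad_rule(line):
    """True when the header would be rejected at parse time."""
    try:
        parse_rule(line)
    except ValueError:
        return True
    return False


def _addr_ok(spec, ip):
    neg, net = spec
    hit = net is None or ipaddress.ip_address(ip) in net
    return hit != neg                   # '!' flips the result


def _port_ok(spec, port):
    neg, rng = spec
    hit = rng is None or rng[0] <= port <= rng[1]
    return hit != neg


def _one_way(rule, sip, sport, dip, dport):
    return (_addr_ok(rule.src, sip) and _port_ok(rule.sport, sport)
            and _addr_ok(rule.dst, dip) and _port_ok(rule.dport, dport))


def matches(rule, proto, sip, sport, dip, dport):
    """Does a packet (proto, src ip/port, dst ip/port) hit this header?"""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if _one_way(rule, sip, sport, dip, dport):
        return True
    # '<>' also accepts the packet with its endpoints swapped
    return rule.bidir and _one_way(rule, dip, dport, sip, sport)


if __name__ == "__main__":
    # Constructed packets, using the addresses from the thread.
    bidir = parse_rule("log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23")
    print(matches(bidir, "tcp", "10.0.0.5", 3336, "192.168.1.7", 23))     # client -> telnet
    print(matches(bidir, "tcp", "192.168.1.7", 23, "10.0.0.5", 3336))     # telnet -> client
    one = parse_rule("log tcp any any -> 128.111.24.43 21")
    print(matches(one, "tcp", "128.111.24.43", 21, "192.168.0.6", 3336))  # reply, not logged
    print(is_bad_rule("log !192.168.1.0/24 any <> 192.168.1.0/24 23"))    # no protocol
```

Run stand-alone it prints True, True, False, True: the `<>` rule logs both halves of the telnet session, the `->` rule never sees the server's replies, and the header Harry first tried is rejected because `log` is followed directly by an address rather than a protocol.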
Current thread:
- real basic starter rules Harry Putnam (Apr 24)
- Re: real basic starter rules Phil Wood (Apr 25)
- Re: real basic starter rules Harry Putnam (Apr 25)
- Re: real basic starter rules Harry Putnam (Apr 26)
- Re: real basic starter rules Rich Adamson (Apr 27)
- Re: real basic starter rules Harry Putnam (Apr 27)
- Re: real basic starter rules Harry Putnam (Apr 25)
- Re: real basic starter rules Phil Wood (Apr 25)