Snort mailing list archives
Re: Snort-1.8.7 detection problems
From: "Wojciech Sobola" <wsobola () astercity net>
Date: Mon, 22 Jul 2002 22:56:04 +0200
> OS Version? Do you see the same behavior from tcpdump?
> --
> Chris Green <cmg () sourcefire com>
> Eschew obfuscation.

Linux version 2.4.18 (root () myhost pl) (gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-98)) #1 sro cze 19 17:32:11 CEST 2002

lsmod:

Module                  Size  Used by    Not tainted
ipt_mac                  640   0  (autoclean)
tulip                  36832   3
tlan                   24448   1
ipt_MIRROR               992   7  (autoclean)
ipt_LOG                 3392   9  (autoclean)
ipt_psd                42816   2  (autoclean)
ipt_REJECT              2752   3  (autoclean)
ipt_state                576   8  (autoclean)
iptable_nat            19636   1  (autoclean)
ip_conntrack           20908   2  (autoclean) [ipt_state iptable_nat]
ipt_TOS                  960   4  (autoclean)
ipt_MARK                 704   6  (autoclean)
iptable_mangle          2080   1  (autoclean)
iptable_filter          1696   1  (autoclean)
ip_tables              13248  13  [ipt_mac ipt_MIRROR ipt_LOG ipt_psd ipt_REJECT ipt_state iptable_nat ipt_TOS ipt_MARK iptable_mangle iptable_filter]
ext3                   61312   1  (autoclean)
jbd                    44068   1  (autoclean) [ext3]
md                     43968   0
rtc                     5656   0  (autoclean)

iptables-1.2.6a with some patches applied from distrib.

tcpdump is ok. Other capturing software too.

snort.conf (what I did):

var HOME_NET [10.1.0.0/16,192.168.100.0/24,192.168.101.0/24]
output database: log, mysql, user=me password=myPazzw0rd dbname=snort host=10.1.1.1 encoding=ascii

with the following rulez:

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/info.rules
include $RULE_PATH/local.rules

The rest is default.

snort paramz:

root 11034 0.1 2.4 12368 3152 ? S Jul20 6:34 /usr/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort -D -p

That's all. On the same machine the previous snort (1.8.n) had problems with udp only, like this one with tcp/udp. Both work fine with icmp.

Regards,
Wojtek Sobola
Current thread:
- Snort-1.8.7 detection problems Wojtek Sobola (Jul 20)
- <Possible follow-ups>
- RE: Snort-1.8.7 detection problems chae (Jul 20)
- Re: RE: Snort-1.8.7 detection problems Chris Green (Jul 22)
- Re:Snort-1.8.7 detection problems chae (Jul 22)
- Re: RE: Snort-1.8.7 detection problems Chris Green (Jul 22)
- Re: Snort-1.8.7 detection problems Wojciech Sobola (Jul 22)