Snort mailing list archives

RE: Snort won't log anything! Please help...


From: Erek Adams <erek () snort org>
Date: Fri, 28 Mar 2003 16:52:37 -0500 (EST)

On Fri, 28 Mar 2003, Kalteis, Nico (Contractor) wrote:

> [...snip...]
>
> The snort.conf file itself is basically untouched, except that I included
> the single rule:
>
> alert tcp any any -> any 80
>
> which is the only way I could log SOMEthing.  The moment I put the real
> CMD.EXE rule (the one I used as an example) nothing got logged.

Ok, then you've just proved that snort works just fine.  It's simply an
understanding of the rules language and the way you're expecting things.

Let's look at the rule you mean.  From web-iis.rules:

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)

Note that section there called 'flow'?  That's what's confusing you.  It
means that you _must_ have a 'to server connection that is established'
for this to fire.  Established would mean that the TCP three-way handshake
had been completed.

As for the rest of the snort.conf....  Change your HOME_NET, EXTERNAL_NET
and RULE_PATH to reflect your setup.  Try using 'output alert_full: alert'
as your output method.  That'll give you text info as opposed to the
binary logs from unified.  If you can't get alert_full to work, try not
using any output plugin.  That'll just do text dumps into the directory
specified with -l <foo>.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
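To make the difference between the two rules concrete, here is an added worked example (my own illustration, not code from the thread or from the Snort project). It models a deliberately simplified version of what Snort's stream tracking does: it walks a TCP session through SYN, SYN/ACK and ACK, and only then treats the flow as established. The bare `alert tcp any any -> any 80` rule fires on every packet addressed to port 80, handshake or not; the web-iis rule's `flow:to_server,established; content:"cmd.exe"; nocase;` only fires on client-to-server data inside a session whose handshake was actually observed. Assumptions: `$HTTP_PORTS` is just 80, `$EXTERNAL_NET`/`$HTTP_SERVERS` are treated as "any", the sample packets are constructed rather than captured, and sequence numbers and timeouts are ignored.

```python
"""Toy model of why 'alert tcp any any -> any 80' fires on every packet to port 80
while the web-iis cmd.exe rule needs flow:to_server,established.

Illustrative stand-in for Snort's stream tracking, not Snort code.  The
handshake check is deliberately simplified (no sequence numbers, no timeouts).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HTTP_PORTS = {80}  # assumption: $HTTP_PORTS in this example is just port 80

Endpoint = Tuple[str, int]


@dataclass
class Packet:
    """One TCP segment: addresses and ports, flags as letters, payload bytes."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


@dataclass
class Flow:
    client: Endpoint      # the side that sent the initial SYN
    state: str            # "SYN" -> "SYN_ACK" -> "ESTABLISHED"


class FlowTable:
    """Tracks each TCP session through the handshake so a rule can ask for 'established'."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[Endpoint, Endpoint], Flow] = {}

    @staticmethod
    def key(p: Packet) -> Tuple[Endpoint, Endpoint]:
        # Direction-independent key so both halves of the conversation share one flow.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def update(self, p: Packet) -> Optional[Flow]:
        k = self.key(p)
        f = self.flows.get(k)
        syn, ack = "S" in p.flags, "A" in p.flags
        if syn and not ack:                                   # client SYN opens a new flow
            f = Flow(client=(p.src, p.sport), state="SYN")
            self.flows[k] = f
        elif f is None:                                       # mid-stream packet, handshake never seen
            return None
        elif f.state == "SYN" and syn and ack and (p.dst, p.dport) == f.client:
            f.state = "SYN_ACK"                               # server's SYN/ACK
        elif f.state == "SYN_ACK" and ack and not syn and (p.src, p.sport) == f.client:
            f.state = "ESTABLISHED"                           # client's final ACK
        return f


def bare_rule(p: Packet, flow: Optional[Flow]) -> bool:
    """'alert tcp any any -> any 80': fires on every TCP packet addressed to port 80."""
    return p.dport == 80


def cmdexe_rule(p: Packet, flow: Optional[Flow]) -> bool:
    """The web-iis rule's options: flow:to_server,established; content:"cmd.exe"; nocase."""
    if flow is None or flow.state != "ESTABLISHED":
        return False                                          # 'established' not satisfied
    if (p.src, p.sport) != flow.client:
        return False                                          # 'to_server' not satisfied
    if p.dport not in HTTP_PORTS:
        return False
    return b"cmd.exe" in p.payload.lower()                    # 'content' with 'nocase'


def evaluate(packets: List[Packet]) -> Tuple[int, int]:
    """Replay packets through the flow tracker; return (bare_rule hits, cmdexe_rule hits)."""
    table = FlowTable()
    bare = cmd = 0
    for p in packets:
        flow = table.update(p)
        bare += bare_rule(p, flow)
        cmd += cmdexe_rule(p, flow)
    return bare, cmd


# Constructed sample traffic (not a capture): client 10.0.0.5:1234 -> server 10.0.0.9:80
REQUEST = b"GET /cmd.exe HTTP/1.0\r\nHost: www.example\r\n\r\n"
HANDSHAKE_THEN_REQUEST = [
    Packet("10.0.0.5", 1234, "10.0.0.9", 80, "S"),
    Packet("10.0.0.9", 80, "10.0.0.5", 1234, "SA"),
    Packet("10.0.0.5", 1234, "10.0.0.9", 80, "A"),
    Packet("10.0.0.5", 1234, "10.0.0.9", 80, "PA", REQUEST),
    Packet("10.0.0.9", 80, "10.0.0.5", 1234, "PA", b"HTTP/1.0 404 Not Found\r\n\r\ncmd.exe?"),
]
REQUEST_ONLY = [HANDSHAKE_THEN_REQUEST[3]]   # same request, but the sensor never saw the handshake

if __name__ == "__main__":
    print("full session:", evaluate(HANDSHAKE_THEN_REQUEST))   # (3, 1)
    print("request only:", evaluate(REQUEST_ONLY))             # (1, 0)
```

With the full session the bare rule fires three times (SYN, ACK and the request all go to port 80) while the web-iis rule fires exactly once, on the client's request; the server's reply containing the same string does not count because it is not to_server. Replaying only the request packet, which is what a test that injects a single packet or starts the sensor mid-connection looks like, gives the bare rule one hit and the web-iis rule none, which is the behaviour the original poster saw.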

