Snort mailing list archives
Snort but no alert
From: "nyarlathothep\@libero\.it" <nyarlathothep () libero it>
Date: Wed, 12 May 2004 17:01:30 +0200
Hello everyone, I'm still here with my problem. I have a Snort Debian box that listens on an interface (eth1, without an IP address) on the external net, while it is connected on eth0 to the internal net, the interface I use to read the data that Snort puts in the database. The problem is that I don't receive rule alerts, except for ICMP destination unreachable, but only preprocessor alerts, even when I try to scan the box with Nessus or Nmap. I hope that someone could help me. (PS: I've attached my conf file; all the rules are selected.)

Thanks,
Matteo

SNORT.CONF

var HOME_NET 10.1.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile apache ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: talker-sliding-scale-factor 0.50 talker-fixed-threshold 30 talker-sliding-threshold 30 talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker 30000 server-watchnet $HOME_NET server-ignore-limit 200 server-rows 65535 server-learning-time 14400 server-scanner-limit 4 scanner-sliding-window 20 scanner-sliding-scale-factor 0.50 scanner-fixed-threshold 15 scanner-sliding-threshold 40 scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net $HOME_NET dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg tcp-penalties on

output database: alert, postgresql, user=postgres dbname=snort host=localhost

include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
...

ALERT

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212
ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
151.11.129.212:135 -> 172.133.197.74:2249
TCP TTL:254 TOS:0x40 ID:0 IpLen:20 DgmLen:40 DF
Seq: 0x0 Ack: 0x0
** END OF DUMP

[**] [121:4:1] Portscan detected from 200.191.164.142 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:49:09.988413

[**] [121:4:1] Portscan detected from 192.168.150.2 Talker(fixed: 2 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:50:39.821253

[**] [121:4:1] Portscan detected from 66.185.41.191 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:52:53.437042

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46
Len: 18

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:40.994216 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22742 IpLen:20 DgmLen:46
Len: 18

[**] [121:4:1] Portscan detected from 210.95.44.31 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:07:01.105576

[**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:41603 IpLen:20 DgmLen:56
Type:3 Code:9 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.2:60369
UDP TTL:61 TOS:0x0 ID:43291 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:42.725148 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:46666 IpLen:20 DgmLen:56
Type:3 Code:9 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.14:46007
UDP TTL:61 TOS:0x0 ID:43292 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [121:4:1] Portscan detected from 69.44.61.30 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:23:58.282652

[**] [121:4:1] Portscan detected from 151.11.129.54 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:28:50.508095

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
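Editor's note (added example, not part of the original post or of Snort): the stock rule files are mostly written with headers of the form `alert tcp $EXTERNAL_NET any -> $HOME_NET <port>`, so a rule can only fire when one side of the packet falls inside HOME_NET; rules written `any any -> any any`, which is how the stock ICMP destination-unreachable rules are written, do not have that constraint, and the portscan and Back Orifice preprocessors are not gated by rule headers at all. The script below is a small check for that situation: it parses the `var` lines of a snort.conf excerpt (copied from the post above), resolves `$VAR` references, negation and bracketed lists the way Snort 2.x address specs work, and reports which of the endpoint pairs visible in the posted alert dump would ever satisfy a stock-style header. The config excerpt and the flow list are constructed from the post; the rule header `STOCK_STYLE_HEADER` and all function names are hypothetical.

```python
import ipaddress
import re

# Excerpt of the snort.conf pasted in the post (values copied from it; the
# rest of the file does not affect address matching).
SNORT_CONF = """\
var HOME_NET 10.1.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
"""

# (src, dst) pairs taken from the alert dump in the post.
OBSERVED_FLOWS = [
    ("193.207.171.97", "151.11.129.212"),   # ICMP unreachable, sid 485
    ("192.168.150.2", "213.178.220.130"),   # Back Orifice preprocessor alert
    ("147.123.1.42", "213.178.220.1"),      # ICMP unreachable, sid 487
    ("213.178.220.1", "69.50.179.2"),       # original datagram inside the ICMP error
]

# Hypothetical header in the shape used by most stock rule files.
STOCK_STYLE_HEADER = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"


def parse_vars(conf_text):
    """Collect `var NAME VALUE` lines into a dict (a later definition wins, as in Snort)."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def expand(value, variables):
    """Resolve $VAR references until none remain (raises KeyError for an undefined var)."""
    while "$" in value:
        value = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], value)
    return value


def addr_matches(spec, ip, variables):
    """True if `ip` falls inside a Snort address spec: 'any', a CIDR or single
    address, a bracketed list [a,b,...], or any of those prefixed with '!'."""
    spec = expand(spec, variables)
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(part, ip, variables) for part in spec[1:-1].split(","))
    # strict=False accepts host bits set in the prefix, e.g. 64.12.26.14/24 from the post
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_header_matches(header, src_ip, dst_ip, variables):
    """Evaluate the address part of a rule header such as
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 135' for one packet.
    Ports are ignored; '<>' is treated as bidirectional. Address specs must
    not contain spaces (true of the config in the post)."""
    _action, _proto, src, _sport, direction, dst, _dport = header.split()
    forward = addr_matches(src, src_ip, variables) and addr_matches(dst, dst_ip, variables)
    if direction == "<>":
        return forward or (addr_matches(src, dst_ip, variables)
                           and addr_matches(dst, src_ip, variables))
    return forward


def flows_covered_by_home_net(conf_text=SNORT_CONF, flows=OBSERVED_FLOWS):
    """Flows with at least one endpoint inside $HOME_NET."""
    variables = parse_vars(conf_text)
    return [(s, d) for s, d in flows
            if addr_matches("$HOME_NET", s, variables) or addr_matches("$HOME_NET", d, variables)]


def rule_hits(conf_text=SNORT_CONF, flows=OBSERVED_FLOWS, header=STOCK_STYLE_HEADER):
    """Flows whose addresses satisfy the given rule header under the given config."""
    variables = parse_vars(conf_text)
    return [(s, d) for s, d in flows if rule_header_matches(header, s, d, variables)]


if __name__ == "__main__":
    print("HOME_NET =", parse_vars(SNORT_CONF)["HOME_NET"])
    print("flows touching HOME_NET:", flows_covered_by_home_net())
    print("flows matching", repr(STOCK_STYLE_HEADER), ":", rule_hits())
```

With the HOME_NET from the post, both lists come back empty: none of the addresses in the alert dump is in 10.1.0.0/24, so a header of the stock shape cannot match any of them, whatever the rule body says. Re-running `rule_hits` with a HOME_NET that covers the monitored addresses and `EXTERNAL_NET !$HOME_NET` shows which flows would then be eligible; whether a given rule actually fires still depends on its ports and payload options.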
Current thread:
- Snort but no alert nyarlathothep () libero it (May 12)
- RE: Snort but no alert Michael Steele (May 12)
- <Possible follow-ups>
- RE: Snort but no alert Nick Duda (May 12)
- RE: Snort but no alert nyarlathothep () libero it (May 13)
- RE: Snort but no alert nyarlathothep () libero it (May 17)