Snort mailing list archives

Snort but no alert


From: "nyarlathothep\@libero\.it" <nyarlathothep () libero it>
Date: Wed, 12 May 2004 17:01:30 +0200

Hello everyone,
I'm still here with my problem.
I have a Snort Debian box that listens on an interface (eth1, without an IP address)
on the external net, while it is connected on eth0 to the internal net, the interface
that I use to read the data that Snort puts in the database.
The problem is that I don't receive rule alerts, except for ICMP destination
unreachable, but only preprocessor alerts, even when I try to scan the box with
Nessus or Nmap.
I hope that someone can help me.

(PS: I've attached my conf file; all the rules are selected.)

Thanks,

Matteo

SNORT.CONF

var HOME_NET 10.1.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile apache ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode

preprocessor flow-portscan: talker-sliding-scale-factor 0.50 talker-fixed-threshold 30 talker-sliding-threshold 30 talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker 30000 server-watchnet $HOME_NET server-ignore-limit 200 server-rows 65535 server-learning-time 14400 server-scanner-limit 4 scanner-sliding-window 20 scanner-sliding-scale-factor 0.50 scanner-fixed-threshold 15 scanner-sliding-threshold 40 scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net $HOME_NET dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg tcp-penalties on

output database: alert, postgresql, user=postgres dbname=snort host=localhost

include classification.config
include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
...


ALERT

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212
ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
151.11.129.212:135 -> 172.133.197.74:2249
TCP TTL:254 TOS:0x40 ID:0 IpLen:20 DgmLen:40 DF
Seq: 0x0  Ack: 0x0
** END OF DUMP

[**] [121:4:1] Portscan detected from 200.191.164.142 Talker(fixed: 30 sliding:
30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:49:09.988413

[**] [121:4:1] Portscan detected from 192.168.150.2 Talker(fixed: 2 sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
05/12-15:50:39.821253

[**] [121:4:1] Portscan detected from 66.185.41.191 Talker(fixed: 30 sliding:
30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:52:53.437042

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46
Len: 18

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:40.994216 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22742 IpLen:20 DgmLen:46
Len: 18

[**] [121:4:1] Portscan detected from 210.95.44.31 Talker(fixed: 30 sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
05/12-16:07:01.105576

[**] [1:487:2] ICMP Destination Unreachable (Communication with Destination
Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:41603 IpLen:20 DgmLen:56
Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK
FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.2:60369
UDP TTL:61 TOS:0x0 ID:43291 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [1:487:2] ICMP Destination Unreachable (Communication with Destination
Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:42.725148 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:46666 IpLen:20 DgmLen:56
Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK
FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.14:46007
UDP TTL:61 TOS:0x0 ID:43292 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [121:4:1] Portscan detected from 69.44.61.30 Talker(fixed: 30 sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
05/12-16:23:58.282652

[**] [121:4:1] Portscan detected from 151.11.129.54 Talker(fixed: 30 sliding:
30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:28:50.508095
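Editor's note with an added example (not part of the original post, and not Snort project code). The posted config sets HOME_NET to 10.1.0.0/24, yet every address in the posted alerts (151.11.129.x, 213.178.220.x, 193.207.171.97, ...) lies outside that range. In the stock Snort 2.x rule set the ICMP destination-unreachable rules (sid 485, sid 487) are written with the header `any any -> any any`, whereas most signature rules use `$EXTERNAL_NET any -> $HOME_NET <ports>`, which can only fire when the packet's destination is inside HOME_NET. The script below parses the `var` lines from the posted snort.conf, resolves `$VAR`, `!` and `[a,b]` address specs the way Snort headers use them, and reports which observed flows no `$EXTERNAL_NET -> $HOME_NET` rule could match. The "fixed" HOME_NET of two /24s is a hypothetical guess taken from the alert addresses; the real external subnet is not stated in the post. Address pairs are copied from the alerts above.

```python
"""Check whether a snort.conf HOME_NET covers the addresses seen in alerts.

Added example, not from the original post or the Snort project.  A rule with
header '$EXTERNAL_NET any -> $HOME_NET ...' fires only when the destination
is inside HOME_NET, so a HOME_NET that does not cover the monitored segment
silently disables most of the rule set while 'any -> any' rules still fire.
"""
import ipaddress
import re

# Variables copied from the posted snort.conf.
SNORT_CONF = """\
var HOME_NET 10.1.0.0/24
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
"""

# Hypothetical replacement: the real external subnet is not in the post, so
# these two /24s are only a guess derived from addresses in the alerts.
FIXED_CONF = SNORT_CONF.replace("var HOME_NET 10.1.0.0/24",
                                "var HOME_NET [151.11.129.0/24,213.178.220.0/24]")

# (src, dst) pairs taken from the posted alerts.
OBSERVED_FLOWS = [
    ("193.207.171.97", "151.11.129.212"),
    ("192.168.150.2", "213.178.220.130"),
    ("147.123.1.42", "213.178.220.1"),
    ("213.178.220.1", "69.50.179.2"),
]


def parse_vars(conf):
    """Return {NAME: value} for every 'var NAME value' line."""
    out = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(\S.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def resolve(spec, vars_):
    """Resolve a Snort address spec to a list of (negated, network) pairs,
    or None for 'any'.  Handles $VAR references, '!' negation and [a,b] lists."""
    spec = spec.strip()
    if spec == "any":
        return None
    if spec.startswith("$"):
        return resolve(vars_[spec[1:]], vars_)
    if spec.startswith("!"):
        inner = resolve(spec[1:], vars_)
        return None if inner is None else [(not neg, net) for neg, net in inner]
    if spec.startswith("[") and spec.endswith("]"):
        nets = []
        for item in spec[1:-1].split(","):
            nets.extend(resolve(item, vars_) or [])
        return nets
    # strict=False so an entry with host bits set (64.12.26.14/24 in the
    # posted conf) is masked to its network instead of raising ValueError.
    return [(False, ipaddress.ip_network(spec, strict=False))]


def matches(addr, nets):
    """True if addr satisfies a resolved spec: not inside any negated network,
    and inside at least one positive network when positive networks exist."""
    if nets is None:
        return True
    ip = ipaddress.ip_address(addr)
    if any(neg and ip in net for neg, net in nets):
        return False
    positives = [net for neg, net in nets if not neg]
    return not positives or any(ip in net for net in positives)


def rule_matches(src_spec, dst_spec, pkt_src, pkt_dst, vars_):
    """Would a rule header 'src_spec any -> dst_spec any' match this packet?"""
    return (matches(pkt_src, resolve(src_spec, vars_))
            and matches(pkt_dst, resolve(dst_spec, vars_)))


def uncovered(flows, vars_):
    """Flows that no '$EXTERNAL_NET -> $HOME_NET' rule can fire on in either
    direction, i.e. traffic the configured HOME_NET hides from such rules."""
    return [(s, d) for s, d in flows
            if not rule_matches("$EXTERNAL_NET", "$HOME_NET", s, d, vars_)
            and not rule_matches("$EXTERNAL_NET", "$HOME_NET", d, s, vars_)]


if __name__ == "__main__":
    for label, conf in (("posted", SNORT_CONF), ("hypothetical", FIXED_CONF)):
        v = parse_vars(conf)
        missed = uncovered(OBSERVED_FLOWS, v)
        print(f"{label} HOME_NET={v['HOME_NET']}: "
              f"{len(missed)}/{len(OBSERVED_FLOWS)} observed flows outside HOME_NET")
        for s, d in missed:
            print(f"  {s} -> {d}")
```

With the posted config all four observed flows are reported as outside HOME_NET, which is consistent with only `any -> any` ICMP rules and preprocessor alerts (whose detection does not depend on rule headers) appearing in the alert log; with the hypothetical HOME_NET none are. The same check is worth running against any sensor whose monitored segment differs from the network it is managed from, as is the case here with eth1 on the external net and eth0 on the internal one.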

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net