Re: Only an empty Alert file :(

[Dean Farwood <dean_farwood () comcast net>]

Thanks Joel,
I'll try it but, since I can see the word "password" on the ASCII dump on the terminal, I'm guessing that's not it. 
Also I would think I'd get the logged directories with the IP addresses of the communicating computers and the captured 
packets but I get nothing but that empty alert.

What makes me feel dumber is that I tried it on a Windows snort box too and the same thing happened. 

Sent from my iPhone

On Mar 12, 2012, at 5:35 AM, Joel Esler <jesler () sourcefire com> wrote:

> I suggest you capture the packet to disk.  Then you can use Snort to read the pcap with -r.
>
> You need to review the pcap to see if the word "password" really does exist in plaintext in the stream.
>
>
> I am betting it doesn't.
>
> J
>
> On Mar 11, 2012, at 6:40 PM, Dean Farwood wrote:
>
> > Hello,
> >  
> > I’m running Snort 2.8.5.2 (Build 121) on Ubuntu 11.10 with 3.0.0-16-generic kernel.
> >  
> > I have written the following rule called /etc/snort/rules/password.rules:
> >  
> > alert tcp any any <> 192.168.1.110 any (content:”password”; msg:”Potential Password Violation”; sid: 11995522;)
> >  
> > My snort command is:
> > snort -dev -c /etc/snort/snort.conf -l /etc/snort/log2 -K ascii
> >  
> > I then transfer a file with the word “password” in it from the Linux system to a Windows system using Samba. The 
> > packets are captured as evidenced by the terminal display. The Windows system successfully authenticates to Samba 
> > and the file can be viewed on the Windows system.
> >  
> > PROBLEM: No directories are created in the /etc/snort/log2 directories. Only an empty “Alert” file appears.
> >  
> > If I run a command like:
> >  
> > snort –dev –l /etc/snort/log2 –K ascii
> >  
> > I get normal logging directories with IP address directory names etc.
> >  
> > This command also results in nothing in /etc/snort/log2 except the empty alert file.
> > snort –dev –c /etc/snort/rules/password.rules –l /etc/snort/log2 –K ascii
> >  
> > REQUEST: Any help I can get to allow proper logging when using the –c option would be much appreciated.
> >  
> > Thanks,
> >  
> > Dean
> >  
> >  
> >  
> >  
> >  
> >  
> > snort -dev -c /etc/snort/snort.conf -l /etc/snort/log2 -K ascii
> > ------------------------------------------------------------------------------
> > Virtualization & Cloud Management Using Capacity Planning
> > Cloud computing makes use of virtualization - but cloud computing 
> > also focuses on allowing computing to be delivered as a service.
> > http://www.accelacomm.com/jaw/sfnl/114/51521223/_______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!