Snort mailing list archives
snort nmap not working
From: Mustafa Karci <mk () theipcompany nl>
Date: Tue, 26 Nov 2013 12:10:50 +0100
Hi all,

I have some problems with Snort. The case is: I set up snort-2.9.5.5-1.x86_64 + barnyard2 + BASE on CentOS 6 64-bit. This is working correctly; when I add a test rule like the one below, it works okay. I can see that Snort is writing to snort-unified2.log and barnyard2 is picking this up and writing it to the MySQL database.

    alert icmp any any -> any any (msg:"ICMP test"; sid:200001; rev:100001;)

I also configured sfportscan in snort.conf:

    # Portscan detection.  For more information, see README.sfportscan
    preprocessor sfportscan: proto  { all } \
                             scan_type { all } \
                             sense_level { high }
                             #logfile { pscan1.log }

But when I do an nmap -sS xxx.xxx.xxx.xxx against the Snort machine it does not generate any alerts!!! But when I disable the logfile { pscan1.log } I do get output in /var/log/snort/pscan1.log... But this only works for the nmap -sS xxx.xxx.xxx.xxx command.

So my question is: what am I doing wrong? Another thing I don't get: is there a dynamic preprocessor library for the portscan? This couldn't be it, because it will not generate a portscan alert in the pscan1.log...

Here are the results of the config:

*snort.conf:*

    # Setup the network addresses you are protecting
    ipvar HOME_NET xxx.xxx.xxx.xxx/22

    # Set up the external network addresses. Leave as "any" in most situations
    ipvar EXTERNAL_NET !$HOME_NET

    # Portscan detection.  For more information, see README.sfportscan
    preprocessor sfportscan: proto  { all } \
                             scan_type { all } \
                             sense_level { high }
                             #logfile { pscan1.log }

    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/rules/so_rules
    var PREPROC_RULE_PATH ../preproc_rules

    # path to dynamic preprocessor libraries
    dynamicpreprocessor directory /usr/lib64/snort-2.9.5.5_dynamicpreprocessor/

    # path to base preprocessor engine
    dynamicengine /usr/lib64/snort-2.9.5.5_dynamicengine/libsf_engine.so

    # path to dynamic rules libraries
    #dynamicdetection directory /usr/local/lib/snort_dynamicrules

    # Inline packet normalization. For more information, see README.normalize
    # Does nothing in IDS mode
    preprocessor normalize_ip4
    preprocessor normalize_tcp: ips ecn stream
    preprocessor normalize_icmp4
    preprocessor normalize_ip6
    preprocessor normalize_icmp6

    # unified2
    # Recommended for most installs
    output unified2: filename snort-unified2.log, limit 128

    # syslog
    # output alert_syslog: LOG_ALERT

    # pcap
    # output log_tcpdump: tcpdump.log

    # metadata reference data.  do not modify these lines
    include classification.config
    include reference.config

    include $RULE_PATH/test.rules
    include $RULE_PATH/local.rules
    include $RULE_PATH/scan.rules
    include $RULE_PATH/server-mssql.rules
    include $RULE_PATH/server-mysql.rule

    # decoder and preprocessor event rules
    # include $PREPROC_RULE_PATH/preprocessor.rules
    # include $PREPROC_RULE_PATH/decoder.rules
    # include $PREPROC_RULE_PATH/sensitive-data.rules

    include threshold.conf

*/etc/sysconfig/snort*

    INTERFACE=eth1
    CONF=/etc/snort/snort.conf
    # ALERTMODE=fastq
    # BINARY_LOG=1

*barnyard2.conf:*

    config interface: eth1
    input unified2
    output database: alert, mysql, user=snort password=snort dbname=snort host=localhost

*start snort + barnyard*

    /etc/init.d/snortd start
    barnyard2 -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -f snort-unified2.log -w /etc/barnyard2/barnyard2.waldo -D

*output /var/log/messages*

    Detection:
    Nov 26 11:16:30 NFS1-1 snort[11083]: Search-Method = AC-Full-Q
    Nov 26 11:16:30 NFS1-1 snort[11083]: Split Any/Any group = enabled
    Nov 26 11:16:30 NFS1-1 snort[11083]: Search-Method-Optimizations = enabled
    Nov 26 11:16:30 NFS1-1 snort[11083]: Maximum pattern length = 20
    Nov 26 11:16:30 NFS1-1 snort[11083]: Tagged Packet Limit: 256
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic engine /usr/lib64/snort-2.9.5.5_dynamicengine/libsf_engine.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading all dynamic preprocessor libs from /usr/lib64/snort-2.9.5.5_dynamicpreprocessor/...
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_gtp_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_sdf_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_smtp_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_dce2_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_dns_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_ssh_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_reputation_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_pop_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_dnp3_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_sip_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_imap_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_modbus_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_ssl_preproc.so...
    Nov 26 11:16:30 NFS1-1 snort[11083]: done
    Nov 26 11:16:30 NFS1-1 snort[11083]: Finished Loading all dynamic preprocessor libs from /usr/lib64/snort-2.9.5.5_dynamicpreprocessor/
    Nov 26 11:16:30 NFS1-1 snort[11083]: Log directory = /var/log/snort
    Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: ip4 normalizations disabled because not inline.
    Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: tcp normalizations disabled because not inline.
    Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: icmp4 normalizations disabled because not inline.
    Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: ip6 normalizations disabled because not inline.
    Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: icmp6 normalizations disabled because not inline.
    Nov 26 11:16:30 NFS1-1 snort[11084]: Daemon initialized, signaled parent pid: 11083
    Nov 26 11:16:30 NFS1-1 snort[11084]: Reload thread starting...
    Nov 26 11:16:30 NFS1-1 snort[11084]: Reload thread started, thread 0x7fb89afd5700 (11086)
    Nov 26 11:16:30 NFS1-1 snort[11084]: Decoding Ethernet
    Nov 26 11:16:30 NFS1-1 snort[11084]: Checking PID path...
    Nov 26 11:16:30 NFS1-1 snort[11084]: PID path stat checked out ok, PID path set to /var/run/
    Nov 26 11:16:30 NFS1-1 snort[11084]: Writing PID "11084" to file "/var/run//snort_eth1.pid"
    Nov 26 11:16:30 NFS1-1 snort[11084]: Set gid to 500
    Nov 26 11:16:30 NFS1-1 snort[11084]: Set uid to 500
    Nov 26 11:16:30 NFS1-1 snort[11084]:
    Nov 26 11:16:30 NFS1-1 snort[11084]: --== Initialization Complete ==--
    Nov 26 11:16:30 NFS1-1 snort[11084]: Commencing packet processing (pid=11084)
    Nov 26 11:16:31 NFS1-1 barnyard2[7020]: Closing spool file '/var/log/snort/snort-unified2.log.1385467902'. Read 0 records
    Nov 26 11:16:31 NFS1-1 barnyard2[7020]: Opened spool file '/var/log/snort/snort-unified2.log.1385468190'
    Nov 26 11:16:31 NFS1-1 barnyard2[7020]: Waiting for new data

Kind regards
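The post checks whether portscan events arrive by way of barnyard2 and MySQL. A shorter check is to read the unified2 spool that Snort writes and count events per generator ID: ordinary text rules such as the ICMP test rule log under GID 1, while the sfportscan preprocessor logs under GID 122 (122:1 is "TCP Portscan"). The reader below is an added example, not code from the post, from Snort or from barnyard2. It assumes the Snort 2.9 unified2 layout: a big-endian record header (type, length) followed, for record types 7 and 104, by the 52-byte IPv4 event structure; packet and extra-data records are skipped. The sample records at the bottom are constructed, not captured from a sensor, and the protocol value 255 used in the portscan sample is an assumption.

```python
"""Tally Snort unified2 events by generator ID (added example, not from the post).

Usage: python u2gid.py /var/log/snort/snort-unified2.log.1385468190
With no argument it runs on constructed sample records embedded below.
"""
import socket
import struct
import sys
from collections import Counter

HDR = struct.Struct(">II")                   # Unified2RecordHeader: type, length
EVENT = struct.Struct(">IIIIIIIIIIIHHBBBB")  # 52-byte Unified2IDSEvent_legacy prefix
UNIFIED2_IDS_EVENT = 7          # IPv4 event (legacy layout)
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with mpls/vlan suffix; same 52-byte prefix
GID_RULES = 1                   # generator of text rules such as the ICMP test rule
GID_SFPORTSCAN = 122            # generator of the sfportscan preprocessor


def iter_records(data):
    """Yield (type, body) for each complete record; stop at a truncated tail."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        off += HDR.size
        if off + rlen > len(data):
            break  # Snort may still be writing this record; do not misparse it
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_event(body):
    """Decode the fields of an IPv4 event that matter for triage."""
    f = EVENT.unpack_from(body, 0)
    return {
        "sid": f[4], "gid": f[5], "rev": f[6],
        "src": socket.inet_ntoa(struct.pack(">I", f[9])),
        "dst": socket.inet_ntoa(struct.pack(">I", f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }


def summarize(data):
    """Return (Counter gid -> event count, list of decoded events)."""
    by_gid = Counter()
    events = []
    for rtype, body in iter_records(data):
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN) and len(body) >= EVENT.size:
            ev = parse_event(body)
            by_gid[ev["gid"]] += 1
            events.append(ev)
        # type 2 (packet), 72/105 (IPv6 events) and 110 (extra data) are skipped
    return by_gid, events


def make_event(gid, sid, src, dst, sport, dport, proto, vlan=True):
    """Build one unified2 event record. Constructed test data, not sensor output."""
    body = EVENT.pack(1, 1, 1385468190, 0, sid, gid, 1, 0, 3,
                      struct.unpack(">I", socket.inet_aton(src))[0],
                      struct.unpack(">I", socket.inet_aton(dst))[0],
                      sport, dport, proto, 0, 0, 0)
    if vlan:
        body += struct.pack(">IHH", 0, 0, 0)  # mpls_label, vlanId, pad
        rtype = UNIFIED2_IDS_EVENT_VLAN
    else:
        rtype = UNIFIED2_IDS_EVENT
    return HDR.pack(rtype, len(body)) + body


# Constructed spool contents: two firings of the ICMP test rule (1:200001) and one
# sfportscan "TCP Portscan" event (122:1). Proto 255 for the portscan is an assumption.
SAMPLE = (
    make_event(GID_RULES, 200001, "10.0.0.5", "10.0.0.1", 0, 0, 1)
    + make_event(GID_SFPORTSCAN, 1, "10.0.0.5", "10.0.0.1", 0, 0, 255)
    + make_event(GID_RULES, 200001, "10.0.0.5", "10.0.0.1", 0, 0, 1, vlan=False)
)


def main(argv):
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    by_gid, events = summarize(data)
    for gid, n in sorted(by_gid.items()):
        print("gid %d: %d event(s)" % (gid, n))
    if not by_gid[GID_SFPORTSCAN]:
        print("no sfportscan (gid 122) events in this spool")
    for ev in events:
        if ev["gid"] == GID_SFPORTSCAN:
            print("portscan %d:%d %s -> %s" % (ev["gid"], ev["sid"], ev["src"], ev["dst"]))


if __name__ == "__main__":
    main(sys.argv)
```

If GID 122 never shows up in the spool while GID 1 events do, the gap is between the preprocessor and the unified2 output, not in barnyard2 or MySQL; if it does show up, the problem is downstream of Snort.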