Re: default snort rules

[Abhijit Tikekar <abhijittikekar () gmail com>]

The $OPTION script and the value in daemon line were missing in snortd.
Added those and now I can see the options being used.

snort    41331  0.5  3.3 579460 269956 ?       Ssl  12:25   0:02
/usr/sbin/snort -d -D -i eth2 -u snort -g snort* -k none* -c
/etc/snort/snort.conf -l /var/log/snort/eth2

But no change in snort behavior yet. Started another full scan, included
options like DOS, Fragmented packets, bad traffic.. nothing recorded in
snort.log.

Thanks,

Abhi



On Thu, Jul 10, 2014 at 12:15 PM, Jeremy Hoel <jthoel () gmail com> wrote:

> Humm.. the options should show on the command line when invoked.
>
> Did you install snort via tarball or some rpm?
>
> Near the top of the init script i have for snort I see:
>
> # Source function library.
> . /etc/rc.d/init.d/functions
>
> # Source the local configuration file
> . /etc/sysconfig/snort
>
> # Convert the /etc/sysconfig/snort settings to something snort can
> # use on the startup line.
> if [ "$OPTIONS"X = "X" ]; then
>    OPTIONS="$OPTIONS"
> fi
>
>
> do you have that in yours?
>
>
> Then further down, during the case commands, you should see $OPTIONS in
> the line with daemon
>
>
>
> On Thu, Jul 10, 2014 at 4:07 PM, Abhijit Tikekar <abhijittikekar () gmail com
> > wrote:
>
> > Added OPTIONS=" -k none" towards end of /sysconfig/snort and restarted.
> > No errors, but process still doesn't show any new flag, does that look okay?
> >
> > snort    40088  0.3  3.1 579436 254884 ?       Ssl  11:54   0:00
> > /usr/sbin/snort -d -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l
> > /var/log/snort/eth2
> >
> >
> > Re ran the scan.. no activity in snort. The latest snort.log.TIMESTAMP
> > file stays at 0 bytes.
> >
> > Thanks,
> >
> > Abhi
> >
> >
> > On Thu, Jul 10, 2014 at 11:33 AM, Jeremy Hoel <jthoel () gmail com> wrote:
> >
> > > in /etc/sysconfig/snort at the bottom is OPTIONS=" "   add the -k there.
> > > If it's not there, add it and that should work and should be picked up from
> > > the init script.
> > >
> > > ie:  OPTIONS=" -k none "
> > >
> > >
> > > On Thu, Jul 10, 2014 at 3:24 PM, Abhijit Tikekar <
> > > abhijittikekar () gmail com> wrote:
> > >
> > > > Thanks for the responses.
> > > >
> > > > I checked the current snort instance.. it's not running with "-k none"..
> > > >
> > > > snort    37452  0.3  3.3 579264 273292 ?       Ssl  10:47   0:05
> > > > /usr/sbin/snort -d -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l
> > > > /var/log/snort/eth2
> > > >
> > > > How do I add "-k none" option in the daemon mode? It wasn't there under
> > > > /etc/sysconfig/snort
> > > >
> > > > Although, I did find "config checksum_mode: all" under snort.conf.. I
> > > > changed it from "all" to "none"  [ Is this the same as adding -k none? ]
> > > >
> > > > restarted snortd but it still cannot see any scans from pytbull.
> > > > Verified using tcpdump that traffic from pytbull is coming to the
> > > > interface, and if I edit icmp.rules and add a test "any any" rule, then it
> > > > start detecting all icmp packets as "DELETED ICMP Source Quench".. but
> > > > nothing else. Not sure if it's a missing snort config param or if the
> > > > default rules are not tailored for something like pytbull.
> > > >
> > > > Thanks,
> > > >
> > > > Abhi
> > > >
> > > >
> > > >
> > > > On Tue, Jul 8, 2014 at 6:19 PM, Joel Esler (jesler) <jesler () cisco com>
> > > > wrote:
> > > >
> > > > >  On Jul 8, 2014, at 2:27 PM, Abhijit Tikekar <abhijittikekar () gmail com>
> > > > > wrote:
> > > > >
> > > > >   I am a new snort user. Current implementation is snort-2.9.6.1 on
> > > > > CentOS 6.4 along with barnyard and snorby. My question is regarding the
> > > > > ruleset which I downloaded as a registered user.
> > > > >
> > > > >  Many of the rule files are empty, e.g, icmp.rules, or ddos.rules. Are
> > > > > these supposed to be empty?
> > > > >
> > > > >
> > > > >  Yes, these rules have transitioned to new categories per the policy
> > > > > realignment.
> > > > >
> > > > >  The reason I am asking is because when I used pytbull against snort
> > > > > to test, snort.log never recorded anything.
> > > > > When I add a test icmp rule(alert icmp any any -> any any (msg:"ICMP
> > > > > Packet"; sid:477; rev:3;), then only that is captured by snort, nothing
> > > > > else.
> > > > >
> > > > >  How much tuning should I do to my default snort ruleset before
> > > > > noticing any alerts by scans from pytbull etc?
> > > > > Is the default snort implementation capable of detecting such attacks?
> > > > > I enabled all options in pytbull while scanning, e.g. Fragmented packets,
> > > > > brute force, shellcodes, DOS etc..
> > > > >
> > > > >  Ruleset used: *snortrules-snapshot-2961.tar.gz*
> > > > >
> > > > >
> > > > >  having not tested pytbull myself successfully, id say take a look at
> > > > > the Snort faq.
> > > > >
> > > > >
> > > > > https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md
> > > > >
> > > > >  --
> > > > > *Joel Esler*
> > > > > Open Source Manager
> > > > > Threat Intelligence Team Lead
> > > > > Vulnerability Research Team
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Open source business process management suite built on Java and Eclipse
> > > > Turn processes into business applications with Bonita BPM Community
> > > > Edition
> > > > Quickly connect people, data, and systems into organized workflows
> > > > Winner of BOSSIE, CODIE, OW2 and Gartner awards
> > > > http://p.sf.net/sfu/Bonitasoft
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
> >
> >
> > ------------------------------------------------------------------------------
> > Open source business process management suite built on Java and Eclipse
> > Turn processes into business applications with Bonita BPM Community
> > Edition
> > Quickly connect people, data, and systems into organized workflows
> > Winner of BOSSIE, CODIE, OW2 and Gartner awards
> > http://p.sf.net/sfu/Bonitasoft
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!