RE: Snort but no alert

["Michael Steele" <michaels () winsnort com>]

Make sure that if you are on a switch that it is mirrored. From a terminal
take your run line and add a -T to the end and see if that generates any
error. It will also show you how many rules that Snort has read in.

Are you sure that the scan is being seen by Snort. Do a TCP dump on eth1 to
see if Snort is actually seeing the scan. Also do a tcp dump of port 3306 to
make sure the alert is getting to MySQL.

Kindest regards, 
Michael...

WINSNORT.com Management Team Member
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org



> -----Original Message-----
> From: snort-users-admin () lists sourceforge net [mailto:snort-users-
> admin () lists sourceforge net] On Behalf Of nyarlathothep () libero it
> Sent: Wednesday, May 12, 2004 8:01 AM
> To: snort-users
> Subject: [Snort-users] Snort but no alert
>
> Hello everyone,
> I'm still here with my problem.
> I've a snort debian box that listen on an interface (eth1, without ip
> address)
> on the external net while is connected on eth0 to the internal net,
> interface
> that I use to read the data that Snort puts in the database.
> The problem that I dont receive rules alerts, except for ICMP destination
> unreaceable, but only preprocessor alert, even when I try to scan the box
> with
> Nessus or NMap.
> I hope that someone could help me,
>
> (ps I've attach my conf file, all the rules are sselected)
>
> Thanks,
>
> Matteo
>
> SNORT.CONF
>
> var HOME_NET 10.1.0.0/24
> var EXTERNAL_NET any
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS
> [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64
> .12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
>
> var RULE_PATH /etc/snort/rules
>
> preprocessor flow: stats_interval 0 hash 2
>
> preprocessor frag2
> preprocessor stream4: disable_evasion_alerts detect_scans
> preprocessor stream4_reassemble
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile apache ports { 80
> 8080
> 8180 } oversize_dir_length 500
>
> preprocessor rpc_decode: 111 32771
>                                                              preprocessor
> bo
>
>                                           preprocessor telnet_decode
>
>
>
>      preprocessor flow-portscan: talker-sliding-scale-factor 0.50
> talker-fixed-threshold 30 talker-sliding-threshold 30 talker-sliding-
> window 20
> talker-fixed-window 30 scoreboard-rows-talker 30000 server-watchnet
> $HOME_NET
> server-ignore-limit 200 server-rows 65535 server-learning-time 14400
> server-scanner-limit 4 scanner-sliding-window 20 scanner-sliding-scale-
> factor
> 0.50 scanner-fixed-threshold 15 scanner-sliding-threshold 40
> scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net
> $HOME_NET
> dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg tcp-penalties
> on
>
>
>
>
>
> output database: alert, postgresql, user=postgres dbname=snort
> host=localhost
>
>
> include classification.config
>                                                               include
> reference.config
>
>
>
>
> include $RULE_PATH/local.rules
>                                                               include
> $RULE_PATH/bad-traffic.rules
>                                                       include
> $RULE_PATH/exploit.rules
> ...
>
>
>
> ALERT
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication
> Administratively
> Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212
> ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56
> Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 151.11.129.212:135 -> 172.133.197.74:2249
> TCP TTL:254 TOS:0x40 ID:0 IpLen:20 DgmLen:40 DF
> Seq: 0x0  Ack: 0x0
> ** END OF DUMP
>
> [**] [121:4:1] Portscan detected from 200.191.164.142 Talker(fixed: 30
> sliding:
> 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-15:49:09.988413
>
> [**] [121:4:1] Portscan detected from 192.168.150.2 Talker(fixed: 2
> sliding: 30)
> Scanner(fixed: 0 sliding: 0) [**]
> 05/12-15:50:39.821253
>
> [**] [121:4:1] Portscan detected from 66.185.41.191 Talker(fixed: 30
> sliding:
> 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-15:52:53.437042
>
> [**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
> 05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337
> UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46
> Len: 18
>
> [**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
> 05/12-15:53:40.994216 192.168.150.2:53239 -> 213.178.220.130:31337
> UDP TTL:61 TOS:0x0 ID:22742 IpLen:20 DgmLen:46
> Len: 18
>
> [**] [121:4:1] Portscan detected from 210.95.44.31 Talker(fixed: 30
> sliding: 30)
> Scanner(fixed: 0 sliding: 0) [**]
> 05/12-16:07:01.105576
>
> [**] [1:487:2] ICMP Destination Unreachable (Communication with
> Destination
> Network is Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1
> ICMP TTL:62 TOS:0x0 ID:41603 IpLen:20 DgmLen:56
> Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED
> NETWORK
> FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 213.178.220.1:53 -> 69.50.179.2:60369
> UDP TTL:61 TOS:0x0 ID:43291 IpLen:20 DgmLen:199
> Len: 171
> ** END OF DUMP
>
> [**] [1:487:2] ICMP Destination Unreachable (Communication with
> Destination
> Network is Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/12-16:07:42.725148 147.123.1.42 -> 213.178.220.1
> ICMP TTL:62 TOS:0x0 ID:46666 IpLen:20 DgmLen:56
> Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED
> NETWORK
> FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 213.178.220.1:53 -> 69.50.179.14:46007
> UDP TTL:61 TOS:0x0 ID:43292 IpLen:20 DgmLen:199
> Len: 171
> ** END OF DUMP
>
> [**] [121:4:1] Portscan detected from 69.44.61.30 Talker(fixed: 30
> sliding: 30)
> Scanner(fixed: 0 sliding: 0) [**]
> 05/12-16:23:58.282652
>
> [**] [121:4:1] Portscan detected from 151.11.129.54 Talker(fixed: 30
> sliding:
> 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-16:28:50.508095
>
>
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by Sleepycat Software
> Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
> deliver higher performing products faster, at low TCO.
> http://www.sleepycat.com/telcomwpreg.php?From=dnemail3
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users





-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users