Snort mailing list archives

rules not triggering


From: bofh <goodb0fh () gmail com>
Date: Fri, 13 Aug 2004 09:07:44 -0500

Hi,

Basic install of snort from openbsd 3.5's port collection, snort 2.0.0.
Rules are the ones I downloaded today, Aug 12, 2004.
After installing it, I run it with the following command line:

% snort -A fast -c /etc/snort.conf -I -D

/etc/snort.conf is default, with the following changes:

var RULE_PATH /etc/snort/rules
include /etc/snort/classification.config
include /etc/snort/reference.config
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/virus.rules

I then hop over to another machine on the same hub, and google
for "nude cheerleader".

Why is snort not catching any nude cheerleaders?

snort creates /var/log/snort/alert, but it stays empty.

It sees the traffic, though, because if I do a:

% snort -v host 192.168.11.134 and port 3128

I get a whole bunch of

08/12-17:22:39.394159 192.168.11.134:4510 -> 192.168.11.253:3128
TCP TTL:128 TOS:0x0 ID:23551 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF304593D  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/12-17:22:39.394238 192.168.11.253:3128 -> 192.168.11.134:4510
TCP TTL:64 TOS:0x0 ID:6284 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x25D4274  Ack: 0xF304593E  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/12-17:22:39.394410 192.168.11.134:4510 -> 192.168.11.253:3128
TCP TTL:128 TOS:0x0 ID:23552 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xF304593E  Ack: 0x25D4275  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and when I Ctrl-C out of snort, I get:

Snort analyzed 545 out of 545 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 27         (4.954%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Snort exiting

Thanx.
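One check worth running when rules load cleanly but nothing ever alerts is whether the ports in the loaded rule headers cover the ports the traffic actually uses: the flow above goes to a proxy on 3128, while rules written against $HTTP_PORTS inspect only what that variable expands to (80 in the stock snort.conf). The script below is an added example, not the poster's or the Snort project's code; the snort.conf fragment and the two rules are constructed stand-ins (hypothetical sids), and IP fields in the header are ignored.

```python
import re

# Constructed snort.conf fragment modelled on the post's includes (not the poster's file).
SNORT_CONF = """\
var HTTP_PORTS 80
var RULE_PATH /etc/snort/rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/porn.rules
"""
# Constructed, hypothetical rules standing in for the real rule files (sids are made up).
RULE_FILES = {
    "/etc/snort/rules/web-attacks.rules": 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-ATTACKS demo"; content:"/bin/ps"; sid:9000001;)',
    "/etc/snort/rules/porn.rules": 'alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"PORN demo"; content:"demo"; sid:9000002;)',
}
# Rule header: action proto src_ip src_ports direction dst_ip dst_ports (options...)
HEADER = re.compile(r'^(alert|log|pass)\s+\S+\s+\S+\s+(\S+)\s+(->|<>)\s+\S+\s+(\S+)\s*\(')

def expand(token, vars_):
    """Substitute $NAME references from `var` lines; unknown names are left untouched."""
    return re.sub(r'\$(\w+)', lambda m: vars_.get(m.group(1), m.group(0)), token)

def port_covered(spec, port):
    """Does a Snort 2.0 port spec (any, 80, 1:1024, 1024:, !80) cover `port`?"""
    if spec.startswith('!'):
        return not port_covered(spec[1:], port)
    if spec == 'any':
        return True
    if ':' in spec:
        lo, hi = spec.split(':')
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def rules_matching_ports(conf, rule_files, src_port, dst_port):
    """Sids of included rules whose header ports match a src_port -> dst_port packet.
    IP fields are ignored; for <> rules the reversed direction is tried as well."""
    vars_ = dict(re.findall(r'^var\s+(\w+)\s+(\S+)', conf, re.M))
    sids = []
    for inc in re.findall(r'^include\s+(\S+)', conf, re.M):
        for line in rule_files.get(expand(inc, vars_), '').splitlines():
            m = HEADER.match(line)
            if not m:
                continue
            sp, direction, dp = expand(m.group(2), vars_), m.group(3), expand(m.group(4), vars_)
            hit = port_covered(sp, src_port) and port_covered(dp, dst_port)
            if direction == '<>':
                hit = hit or (port_covered(sp, dst_port) and port_covered(dp, src_port))
            if hit:
                sids.append(int(re.search(r'sid:\s*(\d+)', line).group(1)))
    return sids
```

With HTTP_PORTS at 80 and the post's 4510 -> 3128 flow, `rules_matching_ports(SNORT_CONF, RULE_FILES, 4510, 3128)` returns an empty list; set HTTP_PORTS to a spec that covers 3128 and both sids come back.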

