Snort mailing list archives

[Snort 2.2.0] Rules won't trigger


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Thu, 20 Jan 2005 11:40:57 +0100

Hi there!

I have a problem: I cannot find the error in my config. However, rules won't trigger for some reason. Would somebody please be so kind as to take a look and open my eyes? Thx in advance.

Snort is 2.2.0 started for the test like this:

snort -c snort.conf_eth1 -i eth1 -A console -N

I have these rules:

alert tcp 172.16.0.1 any -> 172.16.0.254 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"GOT IT!";)

Then I try to log in as MySQL root from another machine:

$ mysql -h 172.16.0.254 -u root -p

->

01/20/05-11:33:39.774072 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774190 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774707 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774980 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.775335 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306

Can anybody please explain this to me?

Thx & regards,
Edin

The config file:

var HOME_NET [172.16.0.254/32,10.0.0.0/24]

var EXTERNAL_NET !$HOME_NET

var HTTP_SERVERS [172.16.0.254/32,10.0.0.0/24]
var SQL_SERVERS [172.16.0.254/32]
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var RULE_PATH ./snortrules
preprocessor frag2: timeout 60, memcap 8388608
preprocessor stream4: disable_evasion_alerts, timeout 120, memcap 33554432
preprocessor stream4_reassemble: both, ports 22 25 53 80 3306
preprocessor flow: stats_interval 0 hash 2
output log_unified: filename unified.log, limit 512
output alert_unified: filename unified.alert, limit 512
config set_gid: snort
config interface: eth1
config alert_with_interface_name
config disable_decode_alerts
config logdir: /var/log/snort
config umask: 027
config set_uid: snort
config show_year
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method lowmem
config threshold: memcap 8388608
config checksum_mode: none
include classification.config
include reference.config
include $RULE_PATH/local.rules

local.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"GOT IT!";)
alert tcp 172.16.0.1 any -> 172.16.0.254 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)

Full log:

[root@victim snort]# snort -c snort.conf_eth1 -i eth1 -A console -N
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth1

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf_eth1

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
[*] Frag2 config:
    Fragment timeout: 60 seconds
    Fragment memory cap: 8388608 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    State Protection: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 120 seconds
    Session memory cap: 33554432 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 22 25 53 80 3306
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
command line overrides rules file logging plugin!
command line overrides rules file alert plugin!

Initializing Network Interface eth1
Found logdir config directive (/var/log/snort)
Detection:
   Search-Method = Low-Mem Trie
2 Snort rules read...
2 Option Chains linked into 2 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


+-----------------------[thresholding-config]----------------------------------
| memory-cap : 8388608 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
01/20/05-11:40:24.597428 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.597536 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.598304 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.598622 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.599022 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306


--
Edin Dizdarevic
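An added check, not part of the original post: it decodes the content option of the sid:1775 rule quoted above with Snort's pipe-hex syntax and tests it against two constructed MySQL client login packets. The 11 content bytes are laid out like a pre-4.1 MySQL client auth packet (3-byte little-endian length, 1-byte sequence number, 2-byte capability flags, 3-byte max packet size, NUL-terminated user name), so a client speaking the 4.1+ login layout (4-byte flags, 4-byte max packet size, charset, 23 reserved bytes, user) never carries those bytes contiguously; the packet builders, flag values and user names are constructed for illustration, not captures from the poster's network.

```python
RULE_CONTENT = '|0A 00 00 01 85 04 00 00 80|root|00|'   # content option of sid:1775 as posted

def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Chunks between | pipes | are hex (whitespace ignored); chunks outside are literal text.
    """
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        if i % 2 == 1:                      # odd chunks sit between pipes: hex
            out += bytes.fromhex(part.replace(' ', ''))
        else:                               # even chunks are literal text
            out += part.encode('latin-1')
    return bytes(out)

def mysql_packet(payload: bytes, seq: int) -> bytes:
    """Prefix a payload with the MySQL 3-byte little-endian length and 1-byte sequence header."""
    return len(payload).to_bytes(3, 'little') + bytes([seq]) + payload

def old_login(user: str) -> bytes:
    # Constructed pre-4.1 client auth body: 2-byte capability flags, 3-byte max packet
    # size, NUL-terminated user name (password scramble omitted; the rule stops at the NUL).
    body = b'\x85\x04' + b'\x00\x00\x80' + user.encode() + b'\x00'
    return mysql_packet(body, 1)

def new_login(user: str) -> bytes:
    # Constructed 4.1+ client auth body: 4-byte capability flags, 4-byte max packet size,
    # 1-byte charset, 23 reserved zero bytes, NUL-terminated user name (auth response omitted).
    body = (b'\x85\xa6\x03\x00' + b'\x00\x00\x00\x01' + b'\x21' + b'\x00' * 23
            + user.encode() + b'\x00')
    return mysql_packet(body, 1)

def rule_matches(content_spec: str, payload: bytes) -> bool:
    """Plain substring check, which is what a content option without offset/depth does."""
    return parse_snort_content(content_spec) in payload

if __name__ == '__main__':
    for name, pkt in (('old-style root', old_login('root')),
                      ('old-style admin', old_login('admin')),
                      ('4.1-style root', new_login('root'))):
        print(f'{name:16s} {pkt.hex(" ")}  match={rule_matches(RULE_CONTENT, pkt)}')
```

Only the old-style root login contains the rule's bytes; the same check can be pointed at a real payload dumped from a pcap to see whether the content the rule expects is actually on the wire.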