Re: Configuring Snort

[Tony Robinson <deusexmachina667 () gmail com>]

I'm guessing if you're running barnyard 2, you're logging in unified 2
format, correct? Are the unified files growing in size during/after the
hail mary attack? If they're growing and you're not getting alerts,
barnyard likely doesn't have rights to log to the database. If this is not
the case, are you using a web frontend, and what user are you using to
access the mysql database? they don't have access to read from the database
and display it on your frontend.

Is the interface snort is listening  in promiscuous mode?

You indicated earlier that you were able to get portscan alerts, but what
KIND of portscan alerts did you get?

What are HOME and EXTERNAL_NET set to in snort.conf?

It may sound stupid, but try running snort -i [interface name] and verify
the interface is getting traffic at all.

Another option would be to use tcpdump and utilizing a BPF, grab a packet
capture from the same interface snort is listening on to verify it's
picking up the attack traffic if the snort command I listed a moment ago
DOES run. Here's an example tcpdump command to run to capture 500 packets
over port 80:

tcpdump -i [snort's listening interface] -s 1518 -c 500 -w
/home/[username]/webcap.pcap tcp and port 80

this tells tcpdump "capture 500 packets on port 80, capture the entire
packet length, and write this traffic to a pcap."

Browse the web when you do this. 500 packets should be very easy to get. If
this command doesn't complete or takes a very long time to complete, snort
is having a hard time getting traffic, I would think.

Hope this helps,

tony/da667





On Fri, Aug 24, 2012 at 11:50 PM, Damien Hull <dhull () section9 us> wrote:

> I just did a metasploit hail mary attack and snort didn't detect
> anything. I'm assuming I should see something about web attacks.
>
> What am I missing?
>
>
> On Fri, Aug 24, 2012 at 4:47 PM, Damien Hull <dhull () section9 us> wrote:
> > Marcos,
> >
> > Thanks for the info. I had the var PREPROC_RULE_PATH set. I went
> > through the config file and found that the following lines were
> > commented out.
> >
> > # decoder and preprocessor event rules
> > include $PREPROC_RULE_PATH/preprocessor.rules
> > include $PREPROC_RULE_PATH/decoder.rules
> > include $PREPROC_RULE_PATH/sensitive-data.rules
> >
> > After enabling them snort picked up my port scan.
> >
> > Other rules are commented out. I need to figure out which ones to
> > enable. I'll save that for later. At least I know some of the rules
> > are working.
> >
> > On Fri, Aug 24, 2012 at 11:35 AM, Marcos Rodriguez
> > <marcos.e.rodriguez () gmail com> wrote:
> > > On Fri, Aug 24, 2012 at 3:04 PM, Damien Hull <dhull () section9 us> wrote:
> > > > I've snort installed but the rules don't seem to be working. Here's
> > > > what I have.
> > > >
> > > > snort: 2.9.3.1
> > > > snort rules: 2.9.2.3
> > > > OS: Ubuntu 10.04 LTS
> > > > Other: Barnyard2
> > > >
> > > > I know snort and barnyard2 are working. I added the following to
> > > > local.rules and it works.
> > > >           alert icmp any any -> any any (msg: "ICMP Packet found";
> > > > sid:1001;)
> > > >
> > > > I commented out the dynamic detection stuff because that wasn't
> > > > loading. I was told my version of snort rules won't work with snort
> > > > 2.9.3.1
> > > >           # path to dynamic rules libraries
> > > >           # dynamicdetection directory
> > > > /usr/local/snort/lib/snort_dynamicrules
> > > >
> > > > I have the scanning section configured. I thought that would allow me
> > > > to scan the system and snort would trigger an alert. No such luck.
> > > >          # Portscan detection.  For more information, see
> > > > README.sfportscan
> > > >          preprocessor sfportscan: proto  { all } scan_type { all }
> > > > memcap { 10000000 } s$
> > > >
> > > > Why does the simple rule in local.rules work but a port scan doesn't
> > > > get detected?
> > >
> > > Hiya Damien,
> > >
> > > Sounds like maybe you're not loading your preprocessor.rules file.  The
> > > portscan rules are in that file, under preproc_rules.  Does this line
> exist
> > > in your current snort.conf:
> > >
> > > var PREPROC_RULE_PATH ../preproc_rules
> > >
> > >
> > > marcos
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
when does reality end? when does fantasy begin?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!