Snort mailing list archives
(no subject)
From: Priya Agarwal <priyaiitmandi () gmail com>
Date: Fri, 31 Oct 2014 13:00:31 +0530
I am following the 'Snort 2.9.6.2 on Ubuntu 12 LTS and 14 LTS' guide to run
snort in NIDS mode on my ubuntu 12.04.
To test Snort, I created a simple rule that will cause Snort to generate an
alert whenever Snort sees an ICMP \Echo request" or \Echo reply" messages.
Wrote the following line into the empty /etc/snort/rules/local.conf:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;
rev:001;)
Now I tested the configuration file again but it has loaded the rule from
local.conf. Typed the following command:
sudo snort -T -c /etc/snort/snort.conf
I should have got the following output:
+-------------------[Rule Port Counts]-----------------------
----------------
| tcp udp icmp ip
| src 0 0 0 0
| dst 0 0 0 0
| any 0 0 1 0
| nc 0 0 1 0
| s+d 0 0 0 0
+----------------------------------------------------------------------------
But instead I got the following output on terminal.Both fields are still 0.
--------------------------------------------------------------------------------
Running in Test mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80:81 311 383 591 593 901 1220 1414
1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001
7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123
8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999
11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined : [ 80:81 110 143 311 383 591 593
901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988
7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090
8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091
9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
Detection:
Search-Method = AC-Full-Q
Split Any/Any group = enabled
Search-Method-Optimizations = enabled
Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_
dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory
/usr/local/lib/snort_dynamicrules.
Finished Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Finished Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inline.
WARNING: tcp normalizations disabled because not inline.
WARNING: icmp4 normalizations disabled because not inline.
WARNING: ip6 normalizations disabled because not inline.
WARNING: icmp6 normalizations disabled because not inline.
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Bound Address: default
Target-based policy: WINDOWS
Fragment timeout: 180 seconds
Fragment min_ttl: 1
Fragment Anomalies: Alert
Overlap Limit: 10
Min fragment Length: 100
Max Expected Streams: 768
Stream global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 262144
TCP cache pruning timeout: 30 seconds
TCP cache nominal timeout: 3600 seconds
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: ACTIVE
Max UDP sessions: 131072
UDP cache pruning timeout: 30 seconds
UDP cache nominal timeout: 180 seconds
Track ICMP sessions: INACTIVE
Track IP sessions: INACTIVE
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- (no subject) Priya Agarwal (Oct 31)
- Re: (no subject) Priya Agarwal (Oct 31)
- Re: (no subject) Priya Agarwal (Oct 31)
- <Possible follow-ups>
- (no subject) Sameera Osman (Dec 28)
- Re: (no subject) Y M (Dec 29)
- (no subject) Sameera Osman (Dec 29)
- Re: (no subject) Priya Agarwal (Oct 31)