
Snort Forums Archive


snort -r and alerts generation


Posted by Vasily_Tomilin on March 21, 2005 03:26:51

Hi All,

I have the following question.
I am trying to check if Snort (WIN32) will generate alerts on some obvious attack traffic samples. I have taken some giac traffic samples and tried the following command line:

snort -r -A full

No alerts generated.
That surprises me much since the first line of the log dump contains the pattern

3 & E @ n?. P1~*bP GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir r HTTP/1.0

and I have checked to have web-iis.rules with

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;)

activated.

The snort.conf is almost default one (except all rules are uncommented).

What have I done wrong?
Any advice?

Thanks in advance,
Vasily

Posted by Shirkdog on March 21, 2005 05:06:36

What are your variables for External and Homenet in your snort.conf?

Shirkdog

Posted by Vasily_Tomilin on March 21, 2005 05:36:38

'any' and 'any'

Posted by tomthebomb007 on March 21, 2005 13:42:23

I was not getting any alerts either until I realized that I had to start snort
with a -c /etc/snort/snort.conf to tell snort to go ahead and use the conf file
that I had been laboring over and thought it used by default, otherwise snort
is just sniffing (you are looking for IDS alerts). I also had to specify the
interface with -i eth1 in order to make it use my stealth cable as well as span
the port on the switch to include the port/s I wanted to listen to. I'm not
using windows so mileage may vary. My startup command looks like this:

snort -d -l /var/log/snort -i eth1 -h 10.0.0.0/32 -c /etc/snort/snort.conf

I had been messing with the -A full option as well, but I gather that that is
for sniffing not IDS duties. Hope that helps
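As an added illustration (not code from the thread or from Snort itself), here is a minimal Python check of the sid 1002 rule's uricontent/nocase options against a request line constructed from the one quoted in the first post. It deliberately ignores flow, the $HTTP_* variables and URI normalization; those are applied only by the full engine running in IDS mode with -c, which is why the rule can look like it "should" match while a plain -r run without a config produces no alerts.

```python
import re

# The web-iis.rules entry quoted in the first post (sid 1002, rev 7).
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
        'uricontent:"cmd.exe"; nocase; classtype:web-application-attack; '
        'sid:1002; rev:7;)')

# Constructed request line, based on the dump quoted in the first post.
SAMPLE_REQUEST = "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"

_OPT_RE = re.compile(r'([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule_options(rule):
    """Return the (name, value) pairs inside the rule's parentheses, in order.
    Order matters: 'nocase' modifies the content/uricontent option before it."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = []
    for name, val in _OPT_RE.findall(body):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]          # strip the surrounding quotes
        opts.append((name, val.strip()))
    return opts


def uri_matchers(opts):
    """Collect each uricontent pattern together with its nocase flag."""
    matchers = []
    for name, val in opts:
        if name == 'uricontent':
            matchers.append({'pattern': val, 'nocase': False})
        elif name == 'nocase' and matchers:
            matchers[-1]['nocase'] = True   # applies to the preceding pattern
    return matchers


def request_uri(request_line):
    """Pull the URI out of an HTTP request line such as 'GET /x HTTP/1.0'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ''


def uri_matches(rule, uri):
    """True if every uricontent pattern of the rule occurs in the raw URI.
    Simplification: no http_inspect normalization of %5c or '..' segments."""
    for m in uri_matchers(parse_rule_options(rule)):
        pattern, haystack = m['pattern'], uri
        if m['nocase']:
            pattern, haystack = pattern.lower(), haystack.lower()
        if pattern not in haystack:
            return False
    return True
```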