[Snort-users] Snort doesn't detect any kind of TCP traffic

To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort doesn't detect any kind of TCP traffic
From: Carlo Manuali <carlo@unipg.it>
Date: Thu, 18 Jan 2007 16:37:02 +0100

Hi to all.
I'd like to receive your help with this error that is making me crazy.
I've installed snort on a dual-homed host, with IP addresses of the form:
eth0 - 192.168.199.5 on the 192.168.199.0/24 net
eth1 - 192.168.198.143 on the 192.168.198.0/24 net
I use eth0 for admin purposes, and with eth1 I monitor all 192.168.198.0/24 traffic
(I'm using a monitoring port of a 3com switch).
Everything seems to be OK: with tcpdump or snort (in sniffer mode) I see the traffic on the console without any problem.
The database logging seems to work fine and I don't receive any relevant error during snort startup.
Also I've defined:
var eth1_ADDRESS [192.168.198.143/32]
var HOME_NET $eth1_ADDRESS
var EXTERNAL_NET any

--> The problem is that I only receive these kinds of alerts (plus sometimes some UDP messages)!!
(I see them in BASE):

Signature | Classification | Total # | Sensor # | Source Address | Dest. Address | First | Last
[local] [snort] ICMP Destination Unreachable Communication Administratively Prohibited | misc-activity | 15 (0%) | 1 | 2 | 6 | 2006-12-15 11:33:52 | 2007-01-15 09:01:24
[local] [snort] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | misc-activity | 8084 (19%) | 1 | 2 | 33 | 2006-12-14 13:24:03 | 2007-01-11 10:13:37
[local] [snort] ICMP Echo Reply | misc-activity | 2 (0%) | 1 | 1 | 1 | 2007-01-11 10:00:10 | 2007-01-11 10:00:11
[local] [snort] ICMP PING | misc-activity | 16 (0%) | 1 | 4 | 1 | 2007-01-08 10:36:40 | 2007-01-08 11:14:02
[snort] (portscan) ICMP Filtered Sweep | unclassified | 1 (0%) | 1 | 1 | 1 | 2006-12-15 13:33:02 | 2006-12-15 13:33:02
[local] [snort] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | misc-activity | 3148 (8%) | 1 | 2 | 16 | 2006-12-11 14:48:23 | 2006-12-14 16:56:14
[local] [snort] ICMP PING | misc-activity | 48 (0%) | 1 | 4 | 5 | 2006-12-11 22:17:22 | 2006-12-14 12:02:17
[arachNIDS] [local] [snort] ICMP L3retriever Ping | attempted-recon | 41 (0%) | 1 | 2 | 2 | 2006-12-11 22:17:22 | 2006-12-14 12:02:17
[local] [snort] ICMP Destination Unreachable Host Unreachable | misc-activity | 30046 (72%) | 1 | 2 | 4 | 2006-12-11 14:39:16 | 2006-12-14 10:52:48

I have many rules defined and I wrote my own rules too,
but I can't see any kind of alert about TCP traffic, and none of the defined rules matches.
As an example (my own rules for ssh):

----------------------------------------------------------------------------------------
# cat /etc/snort/rules/unipg.rules
# Local rules: each carries a sid from the local range (1000000 and up) and a rev,
# so the alerts can be told apart in BASE.
# SYN to port 22. The ",12" after S ignores the two reserved (ECN) bits, so a SYN
# that carries CWR/ECE still matches instead of failing the exact "S" comparison.
alert tcp any any -> any 22 (flags:S,12; msg:"ssh connection"; classtype:misc-activity; sid:1000001; rev:1;)
# Client identification string ("SSH-2...") in a PSH/ACK segment sent towards port 22.
alert tcp any any -> any 22 \
        (\
                msg:"BETA Vulnerable SSH-2 Connection"; \
                flags:PA,12; \
                content:"SSH-2"; \
                classtype:misc-activity; \
                sid:1000002; rev:1; \
        )
----------------------------------------------------------------------------------------

Furthermore, none of the built-in rules matches!

Where am I wrong?
Any ideas?
Thank you very much in advance.
Regards,
--Carlo

_________________________________________________________________________

  Dott. Carlo Manuali - carlo@unipg.it
  Responsabile Sicurezza Informatica

  Ripartizione Servizi Informatici e Statistici - University of Perugia               
  Piazza dell'Universita' 1, 06123 - Perugia (PG), Italy
  Web:  http://www.unipg.it/carlo
  Tel:  +390755852370
  Fax:  +390755855180
_________________________________________________________________________
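The post defines HOME_NET as the sensor's own eth1 address (a /32) while the monitoring port carries the whole 192.168.198.0/24, and most stock rules are scoped with $EXTERNAL_NET and $HOME_NET in their headers. Snort only evaluates a rule's options (flags, content, ...) when its header covers the packet, so a useful first check is which rule headers even apply to the mirrored traffic under the configured variables. The script below is an added example, not code from the original post or from the Snort project: it parses rule headers, resolves Snort-style variables (including a leading "!"), and reports whether a given flow is covered. VARS_AS_POSTED holds the three var lines from the post; the alternative variable sets, the HOME_NET-scoped rule, the sid numbers and the sample flow endpoints are constructed for the example. It checks headers only, so it says nothing about why the poster's any/any rule stays silent.

```python
"""Which Snort rule headers cover a given flow under a given set of variables.
Added example; see the lead-in for what is taken from the post and what is constructed."""
import ipaddress
import re

# The three "var" lines exactly as posted.
VARS_AS_POSTED = {
    "eth1_ADDRESS": "[192.168.198.143/32]",
    "HOME_NET": "$eth1_ADDRESS",
    "EXTERNAL_NET": "any",
}
# Constructed alternatives: HOME_NET covering the whole monitored subnet, with
# EXTERNAL_NET either "any" or the common "everything but HOME_NET" form.
VARS_SUBNET_ANY_EXTERNAL = {"HOME_NET": "[192.168.198.0/24]", "EXTERNAL_NET": "any"}
VARS_SUBNET_NEG_EXTERNAL = {"HOME_NET": "[192.168.198.0/24]", "EXTERNAL_NET": "!$HOME_NET"}

# The poster's first rule (sid added) and a constructed rule written the way
# stock rule sets scope their headers.
RULES = {
    "own_any_any": 'alert tcp any any -> any 22 (flags:S; msg:"ssh connection"; sid:1000001; rev:1;)',
    "home_net_scoped": 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"HOME_NET-scoped example"; sid:1000002; rev:1;)',
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def resolve(value, variables, depth=0):
    """Expand a $VAR reference (optionally negated with '!'); literal specs
    such as 'any', '22' or '[10.0.0.0/8]' are returned unchanged."""
    if depth > 16:
        raise ValueError("variable recursion too deep: " + value)
    m = re.fullmatch(r"(!?)\$(\w+)", value.strip())
    if not m:
        return value.strip()
    negate, name = m.groups()
    if name not in variables:
        raise KeyError("undefined Snort variable $" + name)
    return negate + resolve(variables[name], variables, depth + 1)


def addr_matches(spec, ip):
    """'any', one CIDR, or a bracketed comma-separated list, with an optional
    leading '!'. Nested lists and per-element negation are not handled."""
    spec = spec.strip()
    if spec == "any":
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in spec.strip("[]").split(",")]
    hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negate


def port_matches(spec, port):
    """'any', a single port, a 'lo:hi' range (either end may be empty), or a
    '!'-negated form of these."""
    spec = spec.strip()
    if spec == "any":
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    else:
        hit = int(spec) == port
    return hit != negate


def header_matches(rule, variables, proto, src, sport, dst, dport):
    """True if the rule header covers the flow; only then would Snort go on
    to evaluate the options in parentheses."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header: " + rule)
    if m["proto"] != proto:
        return False
    src_spec, sport_spec = resolve(m["src"], variables), resolve(m["sport"], variables)
    dst_spec, dport_spec = resolve(m["dst"], variables), resolve(m["dport"], variables)

    def one_way(s, sp, d, dp):
        return (addr_matches(src_spec, s) and port_matches(sport_spec, sp)
                and addr_matches(dst_spec, d) and port_matches(dport_spec, dp))

    if one_way(src, sport, dst, dport):
        return True
    return m["dir"] == "<>" and one_way(dst, dport, src, sport)


def flow_report(variables, src="192.168.198.10", sport=41234, dst="192.168.198.20", dport=22):
    """Which of RULES would consider this flow under these variables. The default
    flow is a constructed SSH connection between two hosts on the monitored /24."""
    return {name: header_matches(rule, variables, "tcp", src, sport, dst, dport)
            for name, rule in RULES.items()}


if __name__ == "__main__":
    print("as posted:", flow_report(VARS_AS_POSTED))
    print("HOME_NET=/24, EXTERNAL_NET=any:", flow_report(VARS_SUBNET_ANY_EXTERNAL))
    print("HOME_NET=/24, EXTERNAL_NET=!$HOME_NET:", flow_report(VARS_SUBNET_NEG_EXTERNAL))
    print("same, but from 10.0.0.5:", flow_report(VARS_SUBNET_NEG_EXTERNAL, src="10.0.0.5"))
```

Run as a script it shows that, with the variables as posted, only the any/any rule has a header that covers an SSH connection between two hosts on the mirrored /24; a HOME_NET-scoped rule covers it once HOME_NET is the whole subnet and EXTERNAL_NET is "any", while the "!$HOME_NET" form covers only connections arriving from outside the subnet.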
