[Snort-users] Unable to receive alerts

From: Sadanapalli, Pradeep Kumar (MED, TCS) <Pradeep.Sadanapalli(at)med.ge.com>
Date: Fri Feb 28 2003 - 14:43:14 EST


Hi Friends,
I am a Snort newbie. I am running Red Hat Linux 8.0 on my Dell Latitude C610.
I want to run Snort as an IDS and would like to be alerted about the network traffic on my network interface.

I am using a Lucent Wireless Network Card.

I installed snort-1.9.0 as below.

cp snort-1.9.0.tar.gz /home/pradeep/
cp libpcap-0.7.1.tar.gz /home/pradeep

cd /home/pradeep

tar -xzf libpcap-0.7.1.tar.gz
cd libpcap-0.7.1
./configure
make
make install

cd ..

tar -xzf snort-1.9.0.tar.gz
cd snort-1.9.0
./configure
make
make install

mkdir /etc/snort
cp etc/snort.conf /etc/snort/snort.conf
mkdir /var/log/snort
mkdir /IDS

cp -ax rules /IDS/rules

I am pasting below my snort.conf and snortd script for reference.

/etc/rc.d/init.d/snortd start

When I execute "dmesg | tail -1"
it says "device eth1 entered promiscuous mode".

I am losing network connection, i.e. I am even unable to ping any other computer in the network.
So I am not receiving any alerts. /var/log/snort/alert is always remaining empty.

Could someone please help with what is going wrong? Thanks in advance for all your help.

Pradeep

****************SNORTD******************

#!/bin/sh
#
# that currently detects more than 1100 host and network \
# Source function library.
. /etc/rc.d/init.d/functions


# Specify your network interface here
INTERFACE=eth1
LOGDIR=/var/log/snort/
CONFIGFILE=/etc/snort/snort.conf
SNORTBINARY=/usr/local/bin/snort

RETVAL=0

start() {

	echo -n $"Starting snort: "
	# No -u/-g switch is given here, so snort keeps running as root after start-up.
	daemon $SNORTBINARY -A fast -b -l /var/log/snort -d -D \
		-i $INTERFACE -c $CONFIGFILE
	RETVAL=$?
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/snortd
	echo
	echo -n $"(log to " $LOGDIR " with configfile " $CONFIGFILE ")"
	echo

}

stop() {

	echo -n $"Stopping snort: "
	killproc snort
	RETVAL=$?
	rm -f /var/lock/subsys/snortd
	echo

}

dostatus() {

	status snort
	RETVAL=$?

}

restart() {

	stop
	start
	RETVAL=$?

}

condrestart() {

	[ -e /var/lock/subsys/snortd ] && restart || :

}

# See how we were called.
case "$1" in
  start)

	start
	;;
  stop)
	stop
	;;
  status)
	dostatus
	;;
  restart|reload)
	restart
	;;
  condrestart)
	condrestart
	;;
  *)
	echo "Usage: snortd {start|stop|status|restart|condrestart}"
	exit 1
	;;
esac

exit $RETVAL

****************SNORTD******************



****************SNORTD.CONF******************

#--------------------------------------------------

var HOME_NET x.0.0.0/24
var EXTERNAL_NET any
#var EXTERNAL_NET $eth0_ADDRESS

var SMTP $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS x.x.x.x, x.x.x.x
var TELNET_SERVERS $HOME_NET
var AIM_SERVERS $HOME_NET

var RULE_PATH /IDS/rules

var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 1521

###################################################

# frag2: IP defragmentation support
# detect
# people launching fragmentation attacks (usually DoS) against hosts. No
# arguments loads the default configuration of the preprocessor, which is a
# 60 second timeout and a 4MB fragment buffer.

# The following (comma delimited) options are available for frag2

# fragment will be kept around waiting for completion,
# if this time expires the fragment will be flushed
# memcap [bytes] - limit frag2 memory usage to [number] bytes

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort

# stateful inspection directive
# alerts
# when it sees them when this option is set
# very
# noisy because there are a lot of crappy ip stack
# implementations out there
# to
# get them in a flat format for machine reading,
# add "binary" to get them in a unified binary output
# format
# seconds,
# default is 30 seconds
# option will
# cause all packets that are stored in the stream4
# packet buffers to be flushed to disk. This only
# works when logging in pcap mode!

preprocessor stream4: detect_scans, disable_evasion_alerts

# tcp stream reassembly directive
# only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# stream4
# ports [list] - use the space separated list of ports in [list], "all"
# will turn on reassembly for all ports, "default" will turn
# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
# and 513

preprocessor stream4_reassemble

# http_decode: normalize HTTP requests


preprocessor http_decode: 80

# rpc_decode: normalize RPC traffic

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer

preprocessor telnet_decode

# portscan: detect a variety of portscans


preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan: $EXTERNAL_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from

# preprocessor portscan-ignorehosts: 0.0.0.0 $DNS_SERVERS

# Spade: the Statistical Packet Anomaly Detection Engine
#-------------------------------------------------------
# READ the README.Spade file before using this plugin!
#
# preprocessor spade: <anom-report-thresh> <state-file>
# <log-file> <prob-mode> <checkpoint-freq> [-corrscore]
#
# set this to a directory Spade can read and write to
# store its files
#
# var SPADEDIR .
#
# preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
#
# put a list of the networks you are interested in Spade observing packets
# going to here; separate these by spaces
#
# preprocessor spade-homenet: 0.0.0.0/0
#
# this causes Spade to adjust the reporting threshold automatically
# the first argument is the target rate of alerts for normal circumstances
# (0.01 = 1% or you can give it an hourly rate) after the first hour (or
# however long the period is set to in the second argument), the reporting
# threshold given above is ignored you can comment this out to have the
# threshold be static, or try one of the other adapt methods below
# preprocessor spade-adapt3: 0.01 60 168
#
# other possible Spade config lines:
# adapt method #1
#preprocessor spade-adapt: 20 2 0.5
# adapt method #2
#preprocessor spade-adapt2: 0.01 15 4 24 7
# offline threshold learning
#preprocessor spade-threshlearn: 200 24
# periodically report on the anom scores and count of packets seen
#preprocessor spade-survey: $SPADEDIR/survey.txt 60
# print out known stats about packet feature
#preprocessor spade-stats: entropy uncondprob condprob

# arpspoof

# unicast ARP requests, and specific ARP mapping monitoring. To make use
# of this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you. Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection.

#preprocessor arpspoof

####################################################################


# output alert_syslog: LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format

# database: log to a variety of databases
# host=localhost
# output database: alert, postgresql, user=snort dbname=snort

# xml: xml logging

# unified: Snort unified binary format alerting and logging

# trap_snmp: SNMP alerting for Snort
# this plug-in.
#
#
# The SnmpTrapGenerator outputplugin requires several parameters
# The parameters depend on the Snmpversion that is used (specified)
# For the SNMPv2c case the paremeters will be as follows
# alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber>
# <hostName> <community>
#
# For SNMPv2c traps
#
#output trap_snmp: alert, 7, trap -v 2c -p 162 myTrapListener myCommunity
#
# For SNMPv2c informs
#
#output trap_snmp: alert, 7, inform -v 2c -p 162 myTrapListener myCommunity
#
# For SNMPv3 traps with
# -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
#For SNMPv3 informs with authentication and encryption
# -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener

# You can optionally define new rule types and associate one or
# Server";)
#
# This example will create a rule type that will log to syslog
# LEET"; \
# flags:A+;)

#
# Include classification & priority settings


include classification.config

####################################################################

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules

# include $RULE_PATH/shellcode.rules

include local.rules

****************SNORTD.CONF******************



Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

Received on Fri Feb 28 14:49:27 2003
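As an added example (not part of the post above and not Snort's own code), the following parses the fast-format alert lines that the `-A fast` switch in the snortd script writes to /var/log/snort/alert, and classifies each alert against HOME_NET the way the snort.conf variables do. The alert lines in SAMPLE_ALERT_FILE are constructed for this example; the sids, messages and addresses are illustrative, and the HOME_NET value 10.0.0.0/24 is an assumption standing in for the redacted "x.0.0.0/24" in the posted config. Preprocessor alerts such as spp_portscan carry no address block, so the parser treats the address tail as optional and reports those as "no-address" rather than dropping them.

```python
"""Parse Snort 'fast' alert lines and summarise them against HOME_NET.
Added example; not code from the post or from Snort."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Snort 1.x fast format: timestamp (no year), [**] markers, [gid:sid:rev], the rule
# message, optional Classification/Priority, then {PROTO} src[:port] -> dst[:port].
# Preprocessor alerts (e.g. gid 100 spp_portscan) omit the address block, so it is optional.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s+(?P<prio>\d+)\])?"
    r"(?:\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?)?\s*$"
)

# Constructed sample alert file; sids, messages and addresses are illustrative only.
SAMPLE_ALERT_FILE = """\
02/28-14:43:14.012345  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.50 -> 10.0.0.7
02/28-14:43:15.223344  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.50:3211 -> 10.0.0.7:80
02/28-14:43:16.334455  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 192.0.2.50 (THRESHOLD 4 connections exceeded in 3 seconds) [**]
02/28-14:43:17.445566  [**] [1:1917:1] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.12:1900 -> 239.255.255.250:1900
this line is not an alert and is skipped
"""
HOME_NET = "10.0.0.0/24"  # assumed; stands in for the post's redacted "x.0.0.0/24"


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: Optional[str]
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_line(line: str) -> Optional[Alert]:
    """Return an Alert for one fast-format line, or None if the line is not one."""
    m = FAST_ALERT.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return Alert(ts=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
                 msg=g["msg"], classification=g["cls"], priority=_opt_int(g["prio"]),
                 proto=g["proto"], src=g["src"], sport=_opt_int(g["sport"]),
                 dst=g["dst"], dport=_opt_int(g["dport"]))


def parse_alerts(text: str) -> List[Alert]:
    """Parse a whole alert file, skipping lines that are not fast-format alerts."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [a for a in parsed if a is not None]


def direction(alert: Alert, home_net: str) -> str:
    """inbound (EXTERNAL_NET -> HOME_NET), outbound, internal, transit, or
    no-address for preprocessor alerts that carry no src/dst."""
    if alert.src is None or alert.dst is None:
        return "no-address"
    net = ipaddress.ip_network(home_net, strict=False)
    src_in = ipaddress.ip_address(alert.src) in net
    dst_in = ipaddress.ip_address(alert.dst) in net
    if src_in and dst_in:
        return "internal"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "transit"


def summarize(alerts: List[Alert], home_net: str) -> Dict[str, object]:
    """First-pass triage counts: by priority, by direction, noisiest sources,
    and every priority-1 hit listed individually."""
    return {
        "total": len(alerts),
        "by_priority": dict(Counter(a.priority for a in alerts)),
        "by_direction": dict(Counter(direction(a, home_net) for a in alerts)),
        "top_sources": Counter(a.src for a in alerts if a.src).most_common(3),
        "priority_1": [(a.sid, a.msg) for a in alerts if a.priority == 1],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alerts(SAMPLE_ALERT_FILE), HOME_NET).items():
        print(f"{key}: {value}")
```

The regex keys on the `[**]` markers rather than on field positions, so a rule message containing brackets or colons still parses, and the direction check uses the same HOME_NET notion the rules do: a "scan" alert whose source is inside HOME_NET (the UDP line in the sample) is an outbound event worth a different look than an inbound one.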

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:11:45 EDT

