
Hi, I have a problem with my Snort configuration.

I set up a virtual network with Vagrant hosts; one of them runs Snort (with Barnyard2). The Snort host is in promiscuous mode, so I can read all packets in 192.168.10.*/24. Everything works well with PING. I have a rule in /etc/snort/rules/local.rules:

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

This rule is mapped correctly and I can see every PING between any hosts; Barnyard2 reads the output and stores it in the DB.

The problem is when I try to add another rule. I tried logging SSH and Nmap, for example:

alert tcp any any -> any any (sid:1000005; gid:1; flow:stateless; ack:0; flags:S; ttl:>220; priority:1; msg:"nmap scan"; classtype:network-scan; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 3, seconds 60; classtype:attempted-dos; sid:2001219; rev:4; resp:rst_all; )

I can't see any alert or logging with these two rules.

I also used PulledPork to get updated rules and tried IDSwakeup to check whether they worked, but obviously nothing happened.

The config file /etc/snort/snort.conf seems to be configured correctly (comments omitted):

vagrant@vagrant-ubuntu-trusty-64:~$ cat /etc/snort/snort.conf | grep rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
dynamicdetection directory /usr/local/lib/snort_dynamicrules
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules 
include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules

And the rule files seem to be in the correct place:

vagrant@vagrant-ubuntu-trusty-64:~$ tree /etc/snort/rules/
/etc/snort/rules/
├── black_list.rules
├── iplists
│   └── default.blacklist
├── iplistsIPRVersion.dat
├── local.rules
├── snort.rules
├── test.rules
└── white_list.rules

I also tried emptying snort.rules and keeping only local.rules, to understand whether it doesn't work due to a hardware limit, but nothing changed.

I don't know if it could be due to:
- wrong configuration
- wrong rules
- wrong attack
- hardware requirements

Can you help me? :)

Daniele

1 Answer


The first thing to do would be to check whether anything other than ping is passing through the interface and port that Snort listens on.

For this, I suggest you install the tool ngrep and, for example, check for HTTP requests. To do this, call it as `ngrep -ed <interface> "^GET.*"`, or, in case you do not expect HTTP traffic, look for something else significant.

PaRoK
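Added example, not Snort's code and not part of the question or the answer: a toy evaluator in Python for the rule headers and the handful of options the three rules in the question actually use (flags, ttl, ack, threshold), run over constructed packets. It assumes $HOME_NET is 192.168.10.0/24 as in the question, ignores flow, classtype, priority, gid and resp, and treats flags:S as "exactly SYN set". It illustrates a second thing worth checking besides whether traffic reaches the interface: even when the packets are seen, a SYN sent by a Linux host with its default TTL of 64 cannot satisfy `ttl:>220`, and the SSH rule's `threshold` produces an alert only on the third SYN from one source within 60 seconds, so the first two attempts are silent by design.

```python
import ipaddress
import re
from collections import defaultdict

HOME_NET = "192.168.10.0/24"  # assumption: the lab network from the question
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Split a Snort 2 rule into header fields plus an option-name -> value dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key] = val.strip()
    rule["opts"] = opts
    return rule

def addr_matches(spec, ip):
    if spec == "any":
        return True
    spec = HOME_NET if spec == "$HOME_NET" else spec
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def ttl_matches(spec, ttl):  # handles ttl:n, ttl:>n and ttl:<n
    if spec[0] in "<>":
        return ttl > int(spec[1:]) if spec[0] == ">" else ttl < int(spec[1:])
    return ttl == int(spec)

class Evaluator:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.counters = defaultdict(list)  # (sid, src ip) -> times of recent matches

    def _header_matches(self, rule, pkt):
        return (rule["proto"] == pkt["proto"]
                and addr_matches(rule["src"], pkt["src"])
                and addr_matches(rule["dst"], pkt["dst"])
                and port_matches(rule["sport"], pkt.get("sport", 0))
                and port_matches(rule["dport"], pkt.get("dport", 0)))

    def _options_match(self, rule, pkt):
        o = rule["opts"]  # flags:S is treated as "exactly SYN set"
        if "flags" in o and set(o["flags"]) != set(pkt.get("flags", "")):
            return False
        if "ttl" in o and not ttl_matches(o["ttl"], pkt["ttl"]):
            return False
        if "ack" in o and int(o["ack"]) != pkt.get("ack", 0):
            return False
        return True

    def _threshold_allows(self, rule, pkt, now):
        # threshold:type threshold, track by_src, count N, seconds S:
        # one alert per N matching packets from the same source within S seconds
        spec = rule["opts"].get("threshold")
        if spec is None:
            return True
        fields = dict(f.split() for f in spec.split(","))
        count, seconds = int(fields["count"]), int(fields["seconds"])
        key = (rule["opts"]["sid"], pkt["src"])
        hits = [t for t in self.counters[key] if now - t < seconds] + [now]
        if len(hits) >= count:
            self.counters[key] = []  # fired; start counting again
            return True
        self.counters[key] = hits
        return False

    def alerts(self, pkt, now=0):
        """Return the sids of every rule this packet triggers at time `now` (seconds)."""
        return [r["opts"]["sid"] for r in self.rules
                if self._header_matches(r, pkt) and self._options_match(r, pkt)
                and self._threshold_allows(r, pkt, now)]

RULES = [  # the three rules from the question
    'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)',
    'alert tcp any any -> any any (sid:1000005; gid:1; flow:stateless; ack:0; flags:S; '
    'ttl:>220; priority:1; msg:"nmap scan"; classtype:network-scan; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; '
    'flow:to_server; flags:S; threshold:type threshold, track by_src, count 3, '
    'seconds 60; classtype:attempted-dos; sid:2001219; rev:4; resp:rst_all; )',
]

def demo():
    """Constructed packets: a ping and SYNs from a Linux host (default TTL 64)."""
    ev = Evaluator(RULES)
    ping = {"proto": "icmp", "src": "192.168.10.5", "dst": "192.168.10.10", "ttl": 64}
    syn = {"proto": "tcp", "src": "192.168.10.5", "sport": 40000, "dst": "192.168.10.10",
           "dport": 80, "flags": "S", "ack": 0, "ttl": 64}
    return {
        "ping": ev.alerts(ping),                              # ['10000001']
        "syn_ttl64": ev.alerts(syn),                          # []  ttl:>220 fails
        "syn_ttl255": ev.alerts(dict(syn, ttl=255)),          # ['1000005']
        "ssh_syns": [ev.alerts(dict(syn, dport=22), now=t) for t in (0, 10, 20)],
    }  # ssh_syns -> [[], [], ['2001219']]: the third SYN within 60 s fires the threshold
```

On the Snort host itself the equivalent checks are `snort -T -c /etc/snort/snort.conf`, which validates the configuration and every rule it includes, and `snort -A console -q -c /etc/snort/snort.conf -i <interface>`, which prints alerts straight to the terminal and so separates a rule-matching problem from a Barnyard2 or database problem.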