#1 |
Hi,
I installed snort + mysql + acid base, and I added a few rules in /etc/snort/rules/local.rules to test the alerts:

    alert icmp any any -> 192.16.1.0/24 any (flags:A; ack:0; msg:"NMap icmp ping";)
    alert icmp !192.168.1.0/24 any -> 192.16.1.0/24 any (content:"abcdefgh"; msg:"ping de windows";)
    alert icmp !192.168.1.0/24 any <> 192.16.1.0/24 any (flags:S; msg:"HOULA SYN Packet!";)

Then I restart snort and connect 2 PCs with a crossover cable (192.168.1.20 for Windows, and the victim's IP is 192.168.1.21 for Linux, where snort is installed); my HOME_NET is 192.168.1.0/24 and EXTERNAL_NET is !$HOME_NET. The problem is that when I run snort -dvi eth0 -c /etc/snort/snort.conf I see the packets transmitted and received (the received ones contain "abcdefgh"), but when I stop snort with CTRL+C I see no alert at all in the result!!!

    Run time prior to being shutdown was 218.523030 seconds
    ===============================================================================
    Packet Wire Totals:
       Received:    1346
       Analyzed:    1342 (99.703%)
        Dropped:       0 (0.000%)
    Outstanding:       4 (0.297%)
    ===============================================================================
    Breakdown by protocol (includes rebuilt packets):
          ETH: 1342 (100.000%)
      ETHdisc: 0 (0.000%)
         VLAN: 0 (0.000%)
         IPV6: 0 (0.000%)
      IP6 EXT: 0 (0.000%)
      IP6opts: 0 (0.000%)
      IP6disc: 0 (0.000%)
          IP4: 1213 (90.387%)
      IP4disc: 394 (29.359%)
        TCP 6: 0 (0.000%)
        UDP 6: 0 (0.000%)
        ICMP6: 0 (0.000%)
      ICMP-IP: 0 (0.000%)
          TCP: 0 (0.000%)
          UDP: 35 (2.608%)
         ICMP: 390 (29.061%)
      TCPdisc: 0 (0.000%)
      UDPdisc: 0 (0.000%)
      ICMPdis: 0 (0.000%)
         FRAG: 394 (29.359%)
       FRAG 6: 0 (0.000%)
          ARP: 129 (9.613%)
        EAPOL: 0 (0.000%)
      ETHLOOP: 0 (0.000%)
          IPX: 0 (0.000%)
        OTHER: 0 (0.000%)
      DISCARD: 394 (29.359%)
    InvChkSum: 0 (0.000%)
       S5 G 1: 0 (0.000%)
       S5 G 2: 0 (0.000%)
        Total: 1342
    ===============================================================================
    Action Stats:
    ALERTS: 0
    LOGGED: 0
    PASSED: 0
    ===============================================================================
    Frag3 statistics:
            Total Fragments: 394
          Frags Reassembled: 0
                   Discards: 0
              Memory Faults: 0
                   Timeouts: 0
                   Overlaps: 0
                  Anomalies: 0
                     Alerts: 0
         FragTrackers Added: 394
        FragTrackers Dumped: 394
    FragTrackers Auto Freed: 0
        Frag Nodes Inserted: 394
         Frag Nodes Deleted: 394
    ===============================================================================
    Stream5 statistics:
                Total sessions: 0
                  TCP sessions: 0
                  UDP sessions: 0
                 ICMP sessions: 0
                    TCP Prunes: 0
                    UDP Prunes: 0
                   ICMP Prunes: 0
    TCP StreamTrackers Created: 0
    TCP StreamTrackers Deleted: 0
                  TCP Timeouts: 0
                  TCP Overlaps: 0
           TCP Segments Queued: 0
         TCP Segments Released: 0
           TCP Rebuilt Packets: 0
             TCP Segments Used: 0
                  TCP Discards: 0
          UDP Sessions Created: 0
          UDP Sessions Deleted: 0
                  UDP Timeouts: 0
                  UDP Discards: 0
                        Events: 0
       TCP Port Filter Dropped: 0
                     Inspected: 0
                       Tracked: 0
       UDP Port Filter Dropped: 0
                     Inspected: 0
                       Tracked: 0
    ===============================================================================
    ===============================================================================
    dcerpc2 Preprocessor Statistics
      Total sessions: 0
    ===============================================================================
    ===============================================================================
    database: Closing connection to database "snort"
    database: Closing connection to database "snort"
    Snort exiting

Please, if someone can help me find exactly where the problem is!!! Thanks.
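The post gives enough to check its own rules by hand: the destination network 192.16.1.0/24 does not contain the Snort host 192.168.1.21, both test hosts sit inside the posted HOME_NET so a source of !192.168.1.0/24 can never match the Windows machine, and flags/ack are TCP options on icmp rules. The script below is an added example, not code from the original post and not Snort's own rule parser: it re-implements the header matching Snort 2 does (protocol, source, direction, destination) for the posted rules against a packet constructed to mirror the test (192.168.1.20 pinging 192.168.1.21 with the default Windows ping payload), and flags TCP-only options on non-TCP rules. The "corrected" rules, the hypothetical itype option, and the constructed PACKET are assumptions; the address handling covers only any, $VAR, CIDR and leading ! negation, and option values are assumed not to contain a semicolon.

```python
"""Added example: minimal Snort 2 rule-header check (not Snort's own parser).

The PACKET below is constructed to mirror the post: Windows 192.168.1.20
sends an ICMP echo request to the Snort host 192.168.1.21 carrying the
default Windows ping payload. Assumptions: address specs are limited to
any / $VAR / CIDR with leading '!' negation; option values contain no ';'.
"""
import ipaddress
import re

HOME_NET = "192.168.1.0/24"       # as configured in the post
EXTERNAL_NET = "!" + HOME_NET     # the post's "!$HOME_NET"

# The three rules as posted (quotes and semicolons normalised only).
RULES_AS_POSTED = [
    'alert icmp any any -> 192.16.1.0/24 any (flags:A; ack:0; msg:"NMap icmp ping";)',
    'alert icmp !192.168.1.0/24 any -> 192.16.1.0/24 any (content:"abcdefgh"; msg:"ping de windows";)',
    'alert icmp !192.168.1.0/24 any <> 192.16.1.0/24 any (flags:S; msg:"HOULA SYN Packet!";)',
]

# Hypothetical corrected forms (assumption): destination spelled as the posted
# HOME_NET, TCP-only options replaced by the ICMP option itype (8 = echo request).
RULES_CORRECTED = [
    'alert icmp any any -> $HOME_NET any (itype:8; msg:"ICMP echo request";)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (content:"abcdefgh"; msg:"ping de windows";)',
    'alert icmp any any -> $HOME_NET any (content:"abcdefgh"; msg:"ping de windows";)',
]

# Constructed packet: echo request with the 32-byte default Windows ping payload.
PACKET = {"proto": "icmp", "src": "192.168.1.20", "dst": "192.168.1.21",
          "itype": 8, "payload": b"abcdefghijklmnopqrstuvwabcdefghi"}

TCP_ONLY_OPTIONS = {"flags", "ack", "seq", "window", "flow"}

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def addr_matches(spec, ip):
    """Snort address spec: any, $VAR, CIDR; each leading '!' negates the result."""
    spec = spec.replace("$HOME_NET", HOME_NET).replace("$EXTERNAL_NET", EXTERNAL_NET)
    negate = False
    while spec.startswith("!"):
        negate = not negate
        spec = spec[1:]
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def parse_rule(text):
    """Split a rule into header fields and an option dict (values unquoted)."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dir": direction, "options": options}


def header_matches(rule, pkt):
    """Protocol plus source/destination, honouring the <> bidirectional operator."""
    if rule["proto"] != pkt["proto"]:
        return False
    forward = addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])
    if rule["dir"] == "->":
        return forward
    reverse = addr_matches(rule["src"], pkt["dst"]) and addr_matches(rule["dst"], pkt["src"])
    return forward or reverse


def evaluate(text, pkt):
    """Return (fires, reasons); reasons is empty exactly when the rule would fire."""
    rule = parse_rule(text)
    opts = rule["options"]
    reasons = []
    bad = TCP_ONLY_OPTIONS & set(opts)
    if rule["proto"] != "tcp" and bad:
        reasons.append("TCP-only option(s) on an %s rule: %s" % (rule["proto"], ", ".join(sorted(bad))))
    if not header_matches(rule, pkt):
        reasons.append("header %s %s %s does not cover %s -> %s"
                       % (rule["src"], rule["dir"], rule["dst"], pkt["src"], pkt["dst"]))
    if "content" in opts and opts["content"].encode() not in pkt["payload"]:
        reasons.append("payload does not contain %r" % opts["content"])
    if "itype" in opts and int(opts["itype"]) != pkt["itype"]:
        reasons.append("itype %s != %d" % (opts["itype"], pkt["itype"]))
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("corrected", RULES_CORRECTED)):
        print("--", label)
        for r in rules:
            fires, why = evaluate(r, PACKET)
            print("FIRES " if fires else "silent", r.split("(")[0].strip(), "|", "; ".join(why))
```

Run as is, all three posted rules come out silent, each with the reason printed; of the corrected forms, the one that keeps $EXTERNAL_NET as the source also stays silent, because with both hosts inside HOME_NET the ping never comes from outside it. Whatever Snort itself does with flags on an icmp rule is not modelled here; the check only reports that the option is TCP-specific.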
Copyright © 2000-2012 - www.developpez.com