LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-28-2009, 05:55 PM   #1
AndreaSpooky
LQ Newbie
 
Registered: Jun 2009
Posts: 3

Rep: Reputation: 0
Not receiving alerts from snort on ftester injected packets


Hi,

I'm trying to configure Snort in a honeypot environment, but it seems I can't get any kind of alerting when I try to inject packets with ftester (http://dev.inversepath.com/ftester/README).
I follow the exact README schedule on the IDS testing properties with Snort, but there are no alerts in the Snort log nor in the syslog.
FYI, I'm running the default snort.conf with just HOME_NET and EXTERNAL_NET configured (right for the honeypot) and the line configured to add syslog for output.
As a result, nothing, an empty alert file... like Snort is letting everything pass.

What am I doing wrong here?
 
Old 06-29-2009, 03:15 AM   #2
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
I hate to state the obvious, but do you have any rules enabled/uncommented?

For example:

include $RULE_PATH/porn.rules
vs
#include $RULE_PATH/porn.rules
 
Old 06-29-2009, 11:04 AM   #3
AndreaSpooky
LQ Newbie
 
Registered: Jun 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Admiral Beotch View Post
I hate to state the obvious, but do you have any rules enabled/uncommented?

For example:

include $RULE_PATH/porn.rules
vs
#include $RULE_PATH/porn.rules

Don't worry about stating the obvious.

These are the rules enabled in the snort.conf:


include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

# Specific web server rules:
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules

# Rules for other services:
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/other-ids.rules

# Attack-in-progress rules:
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-virus.rules




Do I need to enable something else?
I'm doing mostly TCP attacks at the moment, but anyway I'm trying to directly inject attacks against rules, as the ftester README teaches.

Edit: I have attached the conf file, which is actually the default one, with just a few tunings.
Attached Files
File Type: txt snort.conf.txt (39.6 KB, 1 views)

Last edited by AndreaSpooky; 06-29-2009 at 11:07 AM.
 
Old 06-29-2009, 03:45 PM   #4
AndreaSpooky
LQ Newbie
 
Registered: Jun 2009
Posts: 3

Original Poster
Rep: Reputation: 0
OK, found the problem.
I was not sure about the honeypot configuration, so I tried simple PC-to-PC injecting, with no honeypot installed.
It worked well (now the log is stored in auth.log).

Now I have moved Snort into the honeypot context, with a few issues.
I edited the snort.conf in order to gain protection on the virtual honey PC and the honey host, of course (HOME_NET var).
If I try to inject web packets on TCP port 80 to a simulated classic Windows PC (configured as a virtual honey machine), to get some alert in auth.log I MUST close TCP port 80 on the virtual honey machine.
If I try to open it, no alerts at all.

Since I'm trying to simulate an attack via UML here, everything must be in place (my purpose is attack simulations under UML + honeynet + IDS).
An attacker would send malicious TCP 80 packets to this Windows PC ONLY if TCP port 80 is OPEN.

So, in order to simulate all kinds of hosted services being open, I need to simulate those service ports being open.
If I try to do that, Snort alerts nothing...

What's wrong?
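As an added illustration (not code from this thread, from Snort or from ftester), the Python below models the two checks a practitioner runs through first when injected packets produce no alerts: whether the packet even fits the rule header under the configured $HOME_NET/$EXTERNAL_NET, and whether the rule carries flow:established, which stock web rules commonly do and which a single injected packet with no handshake behind it cannot satisfy. The network values, the two rules and the three packets are constructed for the example; real Snort's stream preprocessor keeps far more state than the single established flag used here.

```python
"""Pre-flight check of a Snort 2.x rule against an injected packet.

Added example, not Snort's or ftester's code.  It models only what Snort
checks before content matching: the rule header (protocol, nets, ports,
direction) and the flow:established option.  All values are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed snort.conf variables for a honeynet (not the poster's real values).
VARS = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_PORTS": "80",
}

HEADER = re.compile(
    r"^(alert|log|pass|drop)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    established: bool  # True only if a full SYN/SYN-ACK/ACK was tracked


def resolve_net(token):
    """Expand 'any', a CIDR list or $VAR (with leading '!') to (negated, nets)."""
    negated = False
    while token.startswith("!"):
        negated = not negated
        token = token[1:]
    if token.startswith("$"):
        inner_negated, nets = resolve_net(VARS[token[1:]])
        return negated != inner_negated, nets
    if token == "any":
        return negated, None
    nets = [ipaddress.ip_network(n, strict=False) for n in token.strip("[]").split(",")]
    return negated, nets


def match_net(token, ip):
    negated, nets = resolve_net(token)
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def match_port(token, port):
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        token = VARS[token[1:]]
    if token == "any":
        hit = True
    elif ":" in token:  # range such as 1024: or 80:8080
        lo, hi = token.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port in {int(p) for p in token.strip("[]").split(",")}
    return hit != negated


def parse_rule(text):
    """Split a one-line rule into header fields and an option dict.
    Well-formed rules escape ';' inside content, so a plain split suffices."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts.setdefault(key.strip(), []).append(val.strip())
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "opts": opts}


def why_no_alert(rule, pkt):
    """Return the pre-content reasons the rule cannot match pkt ([] = eligible)."""
    reasons = []
    if rule["proto"] not in ("ip", pkt.proto):
        reasons.append("protocol mismatch")

    def header_ok(src, sport, dst, dport):
        return (match_net(src, pkt.src) and match_port(sport, pkt.sport)
                and match_net(dst, pkt.dst) and match_port(dport, pkt.dport))

    ok = header_ok(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if rule["direction"] == "<>":
        ok = ok or header_ok(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    if not ok:
        reasons.append("header mismatch: check HOME_NET/EXTERNAL_NET and the ports")
    flow = rule["opts"].get("flow", [""])[0]
    if "established" in flow and not pkt.established:
        reasons.append("flow:established but the packet belongs to no tracked session")
    return reasons


# Constructed rules: a typical stock-style web rule and a stateless local.rules check.
WEB_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
            '(msg:"WEB-MISC dot-dot traversal test"; flow:to_server,established; '
            'content:"../"; sid:1000001; rev:1;)')
SANITY_RULE = ('alert tcp any any -> $HOME_NET 80 '
               '(msg:"LOCAL pipeline sanity check"; content:"GET"; sid:1000002; rev:1;)')

# Constructed packets: injected from outside with no handshake, the same after a
# real handshake, and one injected from a host inside HOME_NET.
INJECTED = Packet("tcp", "10.7.0.1", 1025, "192.168.1.50", 80, established=False)
HANDSHAKED = Packet("tcp", "10.7.0.1", 1025, "192.168.1.50", 80, established=True)
FROM_INSIDE = Packet("tcp", "192.168.1.20", 1025, "192.168.1.50", 80, established=False)

if __name__ == "__main__":
    for name, pkt in (("injected", INJECTED), ("handshaked", HANDSHAKED), ("inside", FROM_INSIDE)):
        for rule in (WEB_RULE, SANITY_RULE):
            sid = parse_rule(rule)["opts"]["sid"][0]
            print(name, "sid", sid, why_no_alert(parse_rule(rule), pkt) or "eligible")
```

The practical use of this is ordering the debugging: put a rule with no flow option into local.rules first and confirm it fires on the injected packet. If it does, the capture interface and HOME_NET are fine and the remaining gap is session state, which a stateless injector cannot provide unless it also emulates the handshake the rule's flow:established expects.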