Not receiving alerts from snort on ftester injected packets

Hi,

im trying to configure snort in an honeypot environment, but seems i cant get any kind of alerting when i try to inject packets with ftester (http://dev.inversepath.com/ftester/README).
i follow the exact README schedule on the ids testing properties with snort, but no alerts in the snort log nor in the syslog.
fyi, im running the default snort.conf with just HOME_NET and EXTERNAL_NET configured (right for the honeypot) and the row configured to add syslog for outputting.
as result, nothing, an empty alert file… like snort is letting pass everything.

what im doing wrong in here?

I hate to state the obvious, but do you have any rules enabled/uncommented?

For example:

include $RULE_PATH/porn.rules
vs
#include $RULE_PATH/porn.rules

Quote:

Originally Posted by Admiral Beotch I hate to state the obvious, but do you have any rules enabled/uncommented? For example: include $RULE_PATH/porn.rules vs #include $RULE_PATH/porn.rules

dont worry to state the obvious

these are the rules enabled in the snort.conf :


include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

# Specific web server rules:
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules

# Rules for other services:
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/other-ids.rules

# Attack-in-progress rules:
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-virus.rules




do i need to enable something else?
im doing mostly TCP attacks atm, but anyway trying to inject directly rules attacks as the ftester README teaches.

edit : i have attached the conf file, which is actually the default one, with just few tunings

ok, found the problem.
i was not sure about the honeypot configuration, so i tried the simple pc2pc injecting, with no honeypot installed.
worked good (now log stores in auth.log).

now i moved snort in the honeypot context, with few issues.
i edited the snort.conf in order to gain protection on the virtual honeypc and the honeyhost, of course (HOME_NET var).
if i try to inject webpackets on TCP port 80 to a simulated classic Windows pc (configured as a virtual honey machine), to get some alert in auth.log i MUST close the TCP port 80 on the virtual honey machine.
if i try to open it, no alerts at all.

since im trying to simulate an attack via UML in here, everything must be in place (my purpose is attack simulations under UML+honeynet+IDS).
an attacker would send malicious TCP 80 packets on this Windows pc ONLY if the TCP port 80 is OPEN.

so, in order to simulate all kinds of hosting services opened i need to simulate those services ports opened.
if i try to do that, snort alerts nothing...

whats wrong?