Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] nmap rules

from [Lawrence Strydom] Network Security [Permanent Link]
Subject: [Snort-sigs] nmap rules
Date: Thu, 5 Jul 2007 16:07:00 +0400 
Hi List,

I a ma snort newbie. I installed snort_inline 2.1.1 on a OpenSuSE 10.2 box
and am using oinkmaster 1.2  to update rules automagically. The rules files
in my snort_inline.conf  being used are:

include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules

and this one which I am using for testing and to try and get to know the
rule syntax:

include $RULE_PATH/local.rules

the only entry in local.rules is:
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
connection initiated";)

I used this to verify that snort is actually doing something.

So when I try to connect to the web server on the snort box,the connection
times out and I see the following output in the log:

[**] [1:0:0] Port 80 connection initiated [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
07/05-15:47:41.917831 192.168.2.18:59375 -> 192.168.2.105:80
TCP TTL:59 TOS:0x0 ID:3429 IpLen:20 DgmLen:44
******S* Seq: 0x199A99FC  Ack: 0x0  Win: 0x1000  TcpLen: 24
TCP Options (1) => MSS: 1460

SO I know snort is working but when I run an nmap scan against the snort
box, there is nothing in the log and the scan succeeds. I have tried both
nmap -sT and nmap -sS. Both go undetected.

SO now the question is, where can I find a good rule set that will detect
these kind of scans and drop all packets from the attacking host?

Thanks

Lawrence 
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] CN=Marty Bostick/OU=IS/O=PLC is out of the office., Joel Esler
Next by Date:  [Snort-sigs] unsubscribe, Marty . Bostick
Previous by Thread:  [Snort-sigs] CN=Marty Bostick/OU=IS/O=PLC is out of the office., Marty . Bostick
Next by Thread:  Re: [Snort-sigs] nmap rules, Thierry CHICH
Indexes:  [Date] [Thread] [Top] [All Lists]