Le jeudi 5 juillet 2007 14:07, Lawrence Strydom a écrit :
the only entry in local.rules is:
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
connection initiated";)
I used this to verify that snort is actually doing something.
So when I try to connect to the web server on the snort box,the connection
times out and I see the following output in the log:
[**] [1:0:0] Port 80 connection initiated [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
07/05-15:47:41.917831 192.168.2.18:59375 -> 192.168.2.105:80
TCP TTL:59 TOS:0x0 ID:3429 IpLen:20 DgmLen:44
******S* Seq: 0x199A99FC Ack: 0x0 Win: 0x1000 TcpLen: 24
TCP Options (1) => MSS: 1460
Hi
I don't know exactly why. I assume that the functions used to follow the tcp
stream are not adapted to this scan. Perhaps it is necessary to go further
the SYN-SYN/ACK.
My question is : if you don't want any connection on the port 80, why don't
you just put an iptables rule on your box ? It seems a more efficient way to
obtain the same result.
SO I know snort is working but when I run an nmap scan against the snort
box, there is nothing in the log and the scan succeeds. I have tried both
nmap -sT and nmap -sS. Both go undetected.
SO now the question is, where can I find a good rule set that will detect
these kind of scans and drop all packets from the attacking host?
Thanks
Lawrence
--
Thierry CHICH
Rectorat de Clermont-Ferrand
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
