Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] [Snort 2.2.0] Rules won't trigger

from [Edin Dizdarevic] Network Security [Permanent Link]
Subject: [Snort-users] [Snort 2.2.0] Rules won't trigger
Date: Thu, 20 Jan 2005 11:40:57 +0100 
Hithere!

I have a problem I cannot find the error in my config. However, rules won't trigger for some reason. Would somebody please be so kind to take a look and open my eyes. Thx in advance.

Snort is 2.2.0 started for the test like this:

snort -c snort.conf_eth1 -i eth1 -A console -N

I have these rules:

alert tcp 172.16.0.1 any -> 172.16.0.254 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"GOT IT!";)

Then I try to login as MySQWL-root from another machine:

$ mysql -h 172.16.0.254 -u root -p

->

01/20/05-11:33:39.774072 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774190 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774707 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774980 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.775335 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306

Can anybody please explain this to me?

Thx & regards,
Edin

The config file:

var HOME_NET [172.16.0.254/32,10.0.0.0/24]

var EXTERNAL_NET !$HOME_NET

var HTTP_SERVERS [172.16.0.254/32,10.0.0.0/24]
var SQL_SERVERS [172.16.0.254/32]
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var RULE_PATH ./snortrules
preprocessor frag2: timeout 60, memcap 8388608
preprocessor stream4: disable_evasion_alerts, timeout 120, memcap 33554432
preprocessor stream4_reassemble: both, ports 22 25 53 80 3306
preprocessor flow: stats_interval 0 hash 2
output log_unified: filename unified.log, limit 512
output alert_unified: filename unified.alert, limit 512
config set_gid: snort
config interface: eth1
config alert_with_interface_name
config disable_decode_alerts
config logdir: /var/log/snort
config umask: 027
config set_uid: snort
config show_year
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method lowmem
config threshold: memcap 8388608
config checksum_mode: none
include classification.config
include reference.config
include $RULE_PATH/local.rules

local.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"GOT IT!";)
alert tcp 172.16.0.1 any -> 172.16.0.254 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)

Full log:

[root@victim snort]# snort -c snort.conf_eth1 -i eth1 -A console -N
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth1

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf_eth1

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
[*] Frag2 config:
    Fragment timeout: 60 seconds
    Fragment memory cap: 8388608 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    State Protection: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 120 seconds
    Session memory cap: 33554432 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 22 25 53 80 3306
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
command line overrides rules file logging plugin!
command line overrides rules file alert plugin!

Initializing Network Interface eth1
Found logdir config directive (/var/log/snort)
Detection:
   Search-Method = Low-Mem Trie
2 Snort rules read...
2 Option Chains linked into 2 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


+-----------------------[thresholding-config]----------------------------------
| memory-cap : 8388608 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
01/20/05-11:40:24.597428 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.597536 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.598304 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.598622 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.599022 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306


--
Edin Dizdarevic


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Fw: [Snort-users] Fw: Error in Postgres dbase, reynald
Next by Date:  Re: [Snort-users] [Snort 2.2.0] Rules won't trigger, Alex Kirk
Previous by Thread:  [Snort-users] Unknown keyword '' in rule! (BUG?), Alejandro Flores
Next by Thread:  Re: [Snort-users] [Snort 2.2.0] Rules won't trigger, Alex Kirk
Indexes:  [Date] [Thread] [Top] [All Lists]