Salut,
j'installe snort + mysql + acid base,et j'ajooute quleques rules dans /etc/snort/rules/local.rules pour tester les alerts:
alert icmp any any -> 192.16.1.0/24 any (flags:A;ack:0;msg:"NMap icmp ping")\
alert icmp !192.168.1.0/24 any -> 192.16.1.0/24 any (content:"abcdefgh";;msg:"ping de windows")\
alert icmp !192.168.1.0/24 any <> 192.16.1.0/24 any (flags: S; msg: “HOULA SYN Packet!”\
puis je restart snort et je liée 2 pc par un câble croisé ( 192.168.1.20 pour windows et pour le victime l'ip est 192.168.1.21 pour Linux où snort est installé ) , mon HOME_NET 192.168.1.0/24 and the EXTEREL_NET !$HOME_NET. The problem is when i run
snort -dvi eth0 -c /etc/snort/snort.conf
je vois les paquets transsmises et réçues (les réçues contien "abcdefgh" ), quand je stop snort CTRL+C je ne vois aucune alert dans le résulta!!!
Run time prior to being shutdown was 218.523030 seconds
================================================== =============================
Packet Wire Totals:
Received: 1346
Analyzed: 1342 (99.703%)
Dropped: 0 (0.000%)
Outstanding: 4 (0.297%)
================================================== =============================
Breakdown by protocol (includes rebuilt packets):
ETH: 1342 (100.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 1213 (90.387%)
IP4disc: 394 (29.359%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 35 (2.608%)
ICMP: 390 (29.061%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 394 (29.359%)
FRAG 6: 0 (0.000%)
ARP: 129 (9.613%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 394 (29.359%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)
Total: 1342
================================================== =============================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
================================================== =============================
Frag3 statistics:
Total Fragments: 394
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 394
FragTrackers Dumped: 394
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 394
Frag Nodes Deleted: 394
================================================== =============================
Stream5 statistics:
Total sessions: 0
TCP sessions: 0
UDP sessions: 0
ICMP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
TCP StreamTrackers Created: 0
TCP StreamTrackers Deleted: 0
TCP Timeouts: 0
TCP Overlaps: 0
TCP Segments Queued: 0
TCP Segments Released: 0
TCP Rebuilt Packets: 0
TCP Segments Used: 0
TCP Discards: 0
UDP Sessions Created: 0
UDP Sessions Deleted: 0
UDP Timeouts: 0
UDP Discards: 0
Events: 0
TCP Port Filter
Dropped: 0
Inspected: 0
Tracked: 0
UDP Port Filter
Dropped: 0
Inspected: 0
Tracked: 0
================================================== =============================
================================================== =============================
dcerpc2 Preprocessor Statistics
Total sessions: 0
================================================== =============================
================================================== =============================
database: Closing connection to database "snort"
database: Closing connection to database "snort"
Snort exiting
Svp si quelqu'un peux m'aider où est le probléme exactement!!! merci.
Partager