[Oisf-users] Fwd: IPS

Pablo pablo.rincon.crespo at gmail.com
Mon Jun 14 11:15:33 UTC 2010


In my last mail I wrote the example rule without a protocol (my
apologies, I forgot it).

2010/6/14 Will Metcalf <william.metcalf at gmail.com>

> Hmm, are you sure there is a logged alert? When I try to process this
> rule it is rejected by the rule parser, as there is no protocol
> specified.
> SigParseBasics: pcre_exec failed: ret -1, sigstr "drop any any -> any any (msg:"drop google"; content:"google";sid:1;)"
> [19453] 14/6/2010 -- 06:06:59 - (detect.c:322) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "drop any any -> any any (msg:"drop google"; content:"google";sid:1;)" from file blah.rules at line 1
>
> However, for me the same NFQUEUE rules with the same rule plus a protocol
> specified prevent me from visiting www.google.com.
>
> drop tcp any any -> any any (msg:"drop google"; content:"google";sid:1;)
>
> Regards,
>
> Will
>
>
> On Mon, Jun 14, 2010 at 4:12 AM, Anas.B <a.bouhsaina at gmail.com> wrote:
> > Good morning,
> >
> > I've tried this rule in a new file "facebook.rules":
> > drop any any -> any any (msg:"drop google"; content:"google";sid:1;)
> >
> > The alert is logged, but no drops!
> >
> >
> >>>
> >>> On Fri, 11 Jun 2010, Anas.B wrote:
> >>>
> >>>> These are the results of my experiment:
> >>>> (Strange!!!)
> >>>>
> >>>>
> *****************************************************************************************
> >>>> nmap -sS 192.168.44.135  without running suricata
> >>>>
> >>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:33 Afr. centrale Ouest
> >>>> Nmap scan report for 192.168.44.135
> >>>> Host is up (0.00s latency).
> >>>> All 1000 scanned ports on 192.168.44.135 are filtered
> >>>> MAC Address: 00:0C:29:07:11:87 (VMware)
> >>>>
> >>>> Nmap done: 1 IP address (1 host up) scanned in 22.33 seconds
> >>>>
> >>>>
> *****************************************************************************************
> >>>> nmap -sS 192.168.44.135  with suricata but without Drop rules
> >>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:40 Afr. centrale Ouest
> >>>> Nmap scan report for 192.168.44.135
> >>>> Host is up (0.0013s latency).
> >>>> All 1000 scanned ports on 192.168.44.135 are closed
> >>>> MAC Address: 00:0C:29:07:11:87 (VMware)
> >>>>
> >>>> Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds
> >>>>
> >>>> [3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info>
> >>>> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 2004, dropped 0
> >>>>
> >>>>
> >>>>
> *****************************************************************************************
> >>>> nmap -sS 192.168.44.135  with suricata and replacing alert by Drop
> >>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:45 Afr. centrale Ouest
> >>>> Nmap scan report for 192.168.44.135
> >>>> Host is up (0.00s latency).
> >>>> All 1000 scanned ports on 192.168.44.135 are filtered
> >>>> MAC Address: 00:0C:29:07:11:87 (VMware)
> >>>>
> >>>> Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds
> >>>>
> >>>> [3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info>
> >>>> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, dropped 2000
> >>>>
> >>>>
> *****************************************************************************************
> >>>>
> >>>> What can we conclude?? ==> [we can't drop the Nmap scans!!! ??]
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> 2010/6/11 Anas.B <a.bouhsaina at gmail.com>
> >>>>      I don't have 2010051; here is the rule I have:
> >>>>
> >>>>      alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .cfg file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".cfg"; nocase; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010501; rev:2;)
> >>>>
> >>>>      I didn't understand the cksum offload (does that mean checking the
> >>>> CRC on arrival against the CRC at departure??)
> >>>>      and also the sending back of compressed data!
> >>>>
> >>>>      Is Snort better than Suricata?
> >>>>
> >>>>
> >>>>
> >>>> 2010/6/11 rmkml <rmkml at free.fr>
> >>>>      Search the emerging files you have to see whether you already have
> >>>> sid 2010051?
> >>>>      Apparently it is in a file whose name contains the word malware...
> >>>>      By default suricata does not inspect the content of packets with a
> >>>> bad cksum, so if you have a network card that does cksum offload, then
> >>>>      you will see a lot of bad cksums... you can check it with tcpdump...
> >>>>      Regarding web browser caches: if you go to the URL
> >>>> http://www.google.com/install/ws.exe with firefox or ie, you will get an
> >>>> alert with suricata, but if you refresh your browser, the browser will
> >>>> in fact not request the URL again, since it certainly has it in its
> >>>>      cache... that is why I use wget or curl or fetch
> >>>>      Later on you will also have to watch out for web servers sending
> >>>> back compressed data...
> >>>>
> >>>> Cheers,
> >>>> Rmkml
> >>>>
> >>>>
> >>>>
> >>>> On Fri, 11 Jun 2010, Anas.B wrote:
> >>>>
> >>>>      Do I have to create it,
> >>>>      or does it already exist?
> >>>>
> >>>>      If so, in which file?
> >>>>      If not, how?
> >>>>
> >>>>      Actually I didn't understand:
> >>>>      - watch out for the cksum...
> >>>>      and       - watch out for web browser caches...
> >>>>
> >>>>      Sorry, and thanks a lot.
> >>>>
> >>>>      2010/6/11 rmkml <rmkml at free.fr>
> >>>>           Hmm, good question.
> >>>>           An example, perhaps with sid 2010051:
> >>>>           generate an alert with the unix wget client (or fetch or curl):
> >>>>            wget http://www.google.com/install/ws.exe
> >>>>           get an alert:
> >>>>           06/11-16:32:23.306483  [**] [1:2010051:2] ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.exe [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.50.1.40:34322 -> a.b.c.d:80
> >>>>            then switch it to drop, and always check whether you get
> >>>> packet drops or not...
> >>>>           watch out for the cksum...
> >>>>
> >>>>      Cheers,
> >>>>      Rmkml
> >>>>
> >>>>
> >>>>      On Fri, 11 Jun 2010, Anas.B wrote:
> >>>>
> >>>>           Hello,
> >>>>           yes, I think you're right.
> >>>>           What kind of easy rule could I block with?
> >>>>
> >>>>           Thanks!!!!!
> >>>>
> >>>>           2010/6/11 rmkml <rmkml at free.fr>
> >>>>                Hello Anas,
> >>>>                following Victor's email: I think nmap scans are a special
> >>>> case, i.e. the scans open multiple sessions, which is not an easy case
> >>>>                to start with...
> >>>>                Try instead an attack that matches a rule, then block it...
> >>>> watch out for web browser caches...
> >>>>                Cheers,
> >>>>                Rmkml
> >>>>
> >>>>
> >>>>
> >>>>           On Fri, 11 Jun 2010, Anas.B wrote:
> >>>>
> >>>>
> >>>>                Hello,
> >>>>
> >>>>                I've replaced "alert" by "drop" where we have "Nmap"
> >>>> rules in the emerging-scan.rules file,
> >>>>
> >>>>                but I have the same result in Nmap:
> >>>>
> >>>>                Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 14:49 Afr. centrale Ouest
> >>>>                Nmap scan report for 192.168.44.135
> >>>>                Host is up (0.00s latency).
> >>>>                All 1000 scanned ports on 192.168.44.135 are filtered
> >>>>                MAC Address: 00:0C:29:07:11:87 (VMware)
> >>>>                as before!!!
> >>>>
> >>>>                Why aren't the packets dropped?
> >>>>
> >>>>                These are the commands applied:
> >>>>                suricata -c /etc/suricata/suricata.yaml -q 0
> >>>>
> >>>>                and this is the iptables:
> >>>>
> >>>>                NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
> >>>>
> >>>>                Chain FORWARD (policy ACCEPT)
> >>>>                target     prot opt source               destination
> >>>>
> >>>>                Chain OUTPUT (policy ACCEPT)
> >>>>                target     prot opt source               destination
> >>>>                NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
> >>>>
> >>>>
> >>>>                Kindest regards :)
> >>>>
> >>>>                Anas
> >>>>
> >>>>                Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds
> >>>>
> >>>>
> >>>>                2010/6/9 Victor Julien <victor at inliniac.net>
> >>>>                     All rules might be a bit much, but in essence, yes.
> >>>>                     But be careful that some rules might false positive.
> >>>>
> >>>>                     Cheers,
> >>>>                     Victor
> >>>>
> >>>>                     Anas.B wrote:
> >>>>                > I've just copied the emerging rules.
> >>>>                >
> >>>>                > Should I copy the snort rules also?
> >>>>                > Should I convert all the rules from alert to drop?
> >>>>                >
> >>>>                >
> >>>>                > Thanks
> >>>>                >
> >>>>                >
> >>>>                > 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>>                >
> >>>>                >     Making progress :)
> >>>>                >
> >>>>                >     Do you have drop rules? Normally a rule is "alert ip any any -> any any
> >>>>                >     ... " etc. but you need "drop ip any any -> any ...." Did you convert
> >>>>                >     your rules?
> >>>>                >
> >>>>                >     The TmqDebugList statements are debug stuff, you can ignore that.
> >>>>                >
> >>>>                >     Cheers,
> >>>>                >     Victor
> >>>>                >
> >>>>                >     Anas.B wrote:
> >>>>                >     > Thank you so much for your help :)
> >>>>                >     >
> >>>>                >     > This time I have these lines:
> >>>>                >     >
> >>>>                >     > 'pickup-queue', len 0
> >>>>                >     > TmqDebugList: id 1, name 'decode-queue1', len 0
> >>>>                >     > TmqDebugList: id 2, name 'stream-queue1', len 49
> >>>>                >     > TmqDebugList: id 3, name 'verdict-queue', len 0
> >>>>                >     > TmqDebugList: id 4, name 'respond-queue', len 1
> >>>>                >     > TmqDebugList: id 5, name 'alert-queue1', len 0
> >>>>                >     >
> >>>>                >     > after an Nmap scan
> >>>>                >     >
> >>>>                >     >
> >>>>                >     > after CTRL+C
> >>>>                >     >
> >>>>                >     > I have this:
> >>>>                >     >
> >>>>                >     > 4:33 - (suricata.c:1033) <Info> (main) -- signal received
> >>>>                >     > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info> (main) -- time elapsed 176s
> >>>>                >     > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522) <Info> (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028, Bytes 256012, Errors 0
> >>>>                >     > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634) <Info> (StreamTcpExitPrintStats) -- (Stream1) Packets 6014
> >>>>                >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info> (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028, Searched 0 (0.0).
> >>>>                >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info> (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028, Searched 4 (0.1).
> >>>>                >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info> (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028, Searched 0 (0.0).
> >>>>                >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info> (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028, Searched 0 (0.0).
> >>>>                >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info> (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028, Searched 0 (0.0).
> >>>>                >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info> (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's 0, Searched 0 (-nan).
> >>>>                >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info> (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's 0, Searched 0 (-nan).
> >>>>                >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info> (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's 0, Searched 0 (-nan).
> >>>>                >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info> (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's 0, Searched 0 (-nan).
> >>>>                >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info> (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's 0, Searched 0 (-nan).
> >>>>                >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info> (DetectExitPrintStats) -- 4 sigs per mpm match on avg needed inspection, total mpm searches 2, less than 25 sigs need inspect 2, more than 100 sigs need inspect 0, more than 1000 0 max 5
> >>>>                >     > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0
> >>>>                >     > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792
> >>>>                >     > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-log.c:304) <Info> (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote 3792 alerts
> >>>>                >     > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-alert.c:281) <Info> (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote 3792 alerts
> >>>>                >     > [8506] 9/6/2010 -- 16:04:33 - (alert-unified2-alert.c:582) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 3792 alerts
> >>>>                >     > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
> >>>>                >     > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792
> >>>>                >     > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info> (FlowManagerThread) -- 6 new flows, 1000 established flows were timed out, 0 flows in closed state
> >>>>                >     > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info> (FlowPrintQueueInfo) -- flowbits added: 0, removed: 0, max memory usage: 0
> >>>>                >     > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in use 0)
> >>>>                >     > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> >>>>                >     > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> >>>>                >     > done
> >>>>                >     >
> >>>>                >     >
> >>>>                >     > Is this normal?
> >>>>                >     > (just alerts, nothing dropped!!!!)
> >>>>                >     >
> >>>>                >     > I've done the Nmap scan from Windows
> >>>>                >     >
> >>>>                >     >
> >>>>                >     > Sorry for the inconvenience
> >>>>                >     > Cheers
> >>>>                >     >
> >>>>                >     >
> >>>>                >     >
> >>>>                >     > 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>>                >     >
> >>>>                >     >     In the config below you only send outgoing HTTP traffic to
> >>>>                >     >     Suricata. To inspect all do:
> >>>>                >     >
> >>>>                >     >     iptables -A INPUT -j NFQUEUE
> >>>>                >     >     iptables -A OUTPUT -j NFQUEUE
> >>>>                >     >
> >>>>                >     >     Cheers,
> >>>>                >     >     Victor
> >>>>                >     >
> >>>>                >     >     Anas.B wrote:
> >>>>                >     >     > I didn't configure iptables,
> >>>>                >     >     >
> >>>>                >     >     > now I have the two lines
> >>>>                >     >     >
> >>>>                >     >     > Chain INPUT (policy ACCEPT)
> >>>>                >     >     > target     prot opt source               destination
> >>>>                >     >     > NFQUEUE    tcp  --  anywhere             anywhere            tcp spt:www NFQUEUE num 0
> >>>>                >     >     >
> >>>>                >     >     > Chain FORWARD (policy ACCEPT)
> >>>>                >     >     > target     prot opt source               destination
> >>>>                >     >     >
> >>>>                >     >     > Chain OUTPUT (policy ACCEPT)
> >>>>                >     >     > target     prot opt source               destination
> >>>>                >     >     > NFQUEUE    tcp  --  anywhere             anywhere            tcp dpt:www NFQUEUE num 0
> >>>>                >     >     >
> >>>>                >     >     > But still no alerts/drop/reject for the nmap scan
> >>>>                >     >     >
> >>>>                >     >     > Best Regards
> >>>>                >     >     >
> >>>>                >     >     > 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>>                >     >     >
> >>>>                >     >     >     In that case you'd need:
> >>>>                >     >     >
> >>>>                >     >     >     iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE
> >>>>                >     >     >     iptables -A INPUT -p tcp --sport 80 -j NFQUEUE
> >>>>                >     >     >
> >>>>                >     >     >     This would send outgoing http traffic (the vm browsing the web) to
> >>>>                >     >     >     Suricata.
> >>>>                >     >     >
> >>>>                >     >     >     Cheers,
> >>>>                >     >     >     Victor
> >>>>                >     >     >
> >>>>                >     >     >     Anas.B wrote:
> >>>>                >     >     >     > No, I'm just trying this in a local
> >>>> Virtual Machine (Ubuntu).
> >>>>                >     >     >     >
> >>>>                >     >     >     > Since there is not much doc, I'm a
> >>>> little lost.
> >>>>                >     >     >     >
> >>>>                >     >     >     > Thanks a lot
> >>>>                >     >     >     >
> >>>>                >     >     >     >
> >>>>                >     >     >     > 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>>                >     >     >     >
> >>>>                >     >     >     >     Did you add the appropriate iptables rules?
> >>>>                >     >     >     >
> >>>>                >     >     >     >     For example for getting port 80 to suricata:
> >>>>                >     >     >     >
> >>>>                >     >     >     >     iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
> >>>>                >     >     >     >
> >>>>                >     >     >     >     Cheers,
> >>>>                >     >     >     >     Victor
> >>>>                >     >     >     >
> >>>>                >     >     >     >     Anas.B wrote:
> >>>>                >     >     >     >     >
> >>>>                >     >     >     >     > Hello,
> >>>>                >     >     >     >     >
> >>>>                >     >     >     >     > I've just tested an nmap.
> >>>>                >     >     >     >     >
> >>>>                >     >     >     >     > I noticed more unified files
> >>>>                >     >     >     >     > and alerts in the file fast.log,
> >>>>                >     >     >     >     > new values in alert-debug.log and stats.log
> >>>>                >     >     >     >     >
> >>>>                >     >     >     >     > that means it works!!
> >>>>                >     >     >     >     >
> >>>>                >     >     >     >     > But with the command ==>
> >>>>                >     >     >     >     > # suricata -c /etc/suricata/suricata.yaml -q 0
> >>>>                >     >     >     >     >
> >>>>                >     >     >     >     > I have no logs,
> >>>>                >     >     >     >     > any suggestions?
> >>>>                >     >     >     >     >
> >>>>                >     >     >     >     > thanks :)
> >>>>                >     >     >     >     >
> >>>>                >     >     >     >     >
> >>>>                >     >     >     >     --
> >>>>                >     >     >     >     ---------------------------------------------
> >>>>                >     >     >     >     Victor Julien
> >>>>                >     >     >     >     http://www.inliniac.net/
> >>>>                >     >     >     >     PGP: http://www.inliniac.net/victorjulien.asc
> >>>>                >     >     >     >     ---------------------------------------------
> >>
> >
> >
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



-- 
Best regards,
--
Pablo Rincón Crespo
Security researcher and developer
Open Information Security Foundation (OISF)
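The whole thread turns on two facts: a rule header without a protocol is rejected by the parser (Will's SC_ERR_INVALID_SIGNATURE), and a rule that still begins with "alert" produces alerts but no NFQUEUE drops. The following is an added example written for this page, not Suricata's own parser and not code posted by anyone in the thread. It implements a small checker for the seven-field rule header (action, protocol, source, source port, direction, destination, destination port) that names the missing protocol, and a converter that flips the leading action keyword from alert to drop without touching the text inside msg:"...". The accepted action and protocol sets are my assumption about what Suricata of that era took in a header; the third sample rule and its sid 2 are constructed for the example.

```python
import re

# Added example, not Suricata's parser: a header checker that reproduces the
# failure from the thread (a rule with no protocol) and an alert-to-drop
# converter that rewrites only the header's action keyword.

ACTIONS = {"alert", "drop", "reject", "pass"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}   # assumed header protocols for 2010-era Suricata
DIRECTIONS = {"->", "<>"}


def parse_header(rule):
    """Split a rule into its header fields; raise ValueError with the reason
    when the header is malformed (the 'why' behind SC_ERR_INVALID_SIGNATURE)."""
    head, paren, options = rule.strip().partition("(")
    if not paren or not options.endswith(")"):
        raise ValueError("missing option section '( ... )'")
    tokens = head.split()
    # The exact mistake from the thread: 'drop any any -> any any' has only
    # six fields, with the direction sitting where the source port belongs.
    if len(tokens) == 6 and tokens[3] in DIRECTIONS:
        raise ValueError("no protocol specified after the action")
    if len(tokens) != 7:
        raise ValueError("expected 7 header fields, got %d" % len(tokens))
    action, proto, src, sport, direction, dst, dport = tokens
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    if proto not in PROTOCOLS:
        raise ValueError("unknown protocol %r" % proto)
    if direction not in DIRECTIONS:
        raise ValueError("bad direction %r" % direction)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": options[:-1].strip()}


_ACTION_RE = re.compile(r"^(\s*)(alert|drop|reject|pass)(?=\s)")


def convert_action(rule, new_action="drop"):
    """Rewrite only the leading action keyword; comments and blank lines pass through.
    Anchored at the start of the line, so 'alert' inside msg:"..." is never touched."""
    if new_action not in ACTIONS:
        raise ValueError("unknown action %r" % new_action)
    stripped = rule.lstrip()
    if not stripped or stripped.startswith("#"):
        return rule
    return _ACTION_RE.sub(r"\g<1>" + new_action, rule, count=1)


def check_rules(lines):
    """Return one (lineno, status, detail) tuple per non-comment line."""
    report = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            hdr = parse_header(line)
            report.append((n, "ok", "%s %s" % (hdr["action"], hdr["proto"])))
        except ValueError as e:
            report.append((n, "error", str(e)))
    return report


# Constructed sample rule file: line 1 is the rule the thread's parser
# rejected, line 2 is the form that worked, line 3 is an alert rule whose msg
# happens to contain the word "alert" (sid 2 and its msg are made up here).
SAMPLE_RULES = [
    'drop any any -> any any (msg:"drop google"; content:"google";sid:1;)',
    'drop tcp any any -> any any (msg:"drop google"; content:"google";sid:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"alert test"; content:"alert"; sid:2;)',
    '# comment lines are skipped',
]

if __name__ == "__main__":
    for n, status, detail in check_rules(SAMPLE_RULES):
        print("line %d: %s: %s" % (n, status, detail))
    for r in SAMPLE_RULES:
        print(convert_action(r))
```

Run against a real rules file with `check_rules(open(path).read().splitlines())` before loading it into an inline Suricata; a rule the checker rejects is one Suricata will refuse too, and a rule it reports as "alert ..." will log but never drop however the NFQUEUE chains are wired.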