I am trying to test Snort 2.9.4 on CentOS 6.4, but I cannot see any alerts on the console. I run it with the following command:
snort -i eth2 -c /etc/snort/snort.conf
eth2 is the interface connected to the SPAN port. If I run tcpdump on that interface, I get a lot of traffic.
I have the following rules in local.rules:
alert icmp any any -> any any (msg: "ICMP Testing Rule"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg: "TCP Testing Rule"; sid:1000002; rev:1;)
alert udp any any -> any any (msg: "UDP Testing Rule"; sid:1000003; rev:1;)
When I press Ctrl-C, I get the following statistics:
===============================================================================
Run time for packet processing was 817.54341 seconds
Snort processed 17555 packets.
Snort ran for 0 days 0 hours 13 minutes 37 seconds
Pkts/min: 1350
Pkts/sec: 21
===============================================================================
Packet I/O Totals:
Received: 17610
Analyzed: 17555 ( 99.688%)
Dropped: 55 ( 0.311%)
Filtered: 0 ( 0.000%)
Outstanding: 55 ( 0.312%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 17599 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 17175 ( 97.591%)
Frag: 0 ( 0.000%)
ICMP: 16 ( 0.091%)
UDP: 794 ( 4.512%)
TCP: 16365 ( 92.988%)
IP6: 12 ( 0.068%)
IP6 Ext: 12 ( 0.068%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 12 ( 0.068%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 12 ( 0.068%)
ICMP-IP: 0 ( 0.000%)
EAPOL: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 3 ( 0.017%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 421 ( 2.392%)
Bad Chk Sum: 0 ( 0.000%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 11 ( 0.063%)
S5 G 2: 33 ( 0.188%)
Total: 17599
===============================================================================
Action Stats:
Alerts: 4933 ( 28.030%)
Logged: 4933 ( 28.030%)
Passed: 0 ( 0.000%)
Limits:
Match: 0
Queue: 0
Log: 0
Event: 0
Alert: 261
Verdicts:
Allow: 13263 ( 75.315%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 4292 ( 24.373%)
Blacklist: 0 ( 0.000%)
Ignore: 0 ( 0.000%)
===============================================================================
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
Drops: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
Total sessions: 643
TCP sessions: 285
UDP sessions: 358
ICMP sessions: 0
IP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
IP Prunes: 0
TCP StreamTrackers Created: 285
TCP StreamTrackers Deleted: 285
TCP Timeouts: 0
TCP Overlaps: 0
TCP Segments Queued: 7229
TCP Segments Released: 7229
TCP Rebuilt Packets: 1401
TCP Segments Used: 7068
TCP Discards: 95
TCP Gaps: 4
UDP Sessions Created: 358
UDP Sessions Deleted: 358
UDP Timeouts: 0
UDP Discards: 0
Events: 0
Internal Events: 0
TCP Port Filter
Dropped: 0
Inspected: 0
Tracked: 16321
UDP Port Filter
Dropped: 0
Inspected: 51
Tracked: 358
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 8
GET methods: 238
HTTP Request Headers extracted: 261
HTTP Request Cookies extracted: 94
Post parameters extracted: 8
HTTP response Headers extracted: 251
HTTP Response Cookies extracted: 18
Unicode: 0
Double unicode: 0
Non-ASCII representable: 0
Directory traversals: 0
Extra slashes ("//"): 37
Self-referencing paths ("./"): 0
HTTP Response Gzip packets extracted: 55
Gzip Compressed Data Processed: 363978.00
Gzip Decompressed Data Processed: 1132880.00
Total packets processed: 8600
===============================================================================
SMTP Preprocessor Statistics
Total sessions : 0
Max concurrent sessions : 0
===============================================================================
dcerpc2 Preprocessor Statistics
Total sessions: 0
===============================================================================
SSL Preprocessor:
SSL packets decoded: 1159
Client Hello: 134
Server Hello: 121
Certificate: 89
Server Done: 228
Client Key Exchange: 77
Server Key Exchange: 9
Change Cipher: 214
Finished: 0
Client Application: 151
Server Application: 59
Alert: 0
Unrecognized records: 608
Completed handshakes: 0
Bad handshakes: 0
Sessions ignored: 59
Detection disabled: 0
===============================================================================
SIP Preprocessor Statistics
Total sessions: 0
===============================================================================
Snort exiting
Thanks.
Answer 0 (score: 0)
snort -i eth2 -A full
Answer 1 (score: 0)
What are your alert settings in your snort.conf file? Also, I would recommend running tail -f <path to snort alert file> when running snort, so you can see those alerts as they happen.
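As an added example (not code from the original question or either answer), here is a small Python parser for Snort's alert_fast line format, which is what tail -f on the alert file shows when snort.conf uses output alert_fast (or Snort runs with -A fast). It tallies alerts per SID so you can confirm which of the three local.rules test rules actually fired; the sample lines are constructed, not taken from the poster's sensor.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Matches one line of Snort 2.9 "alert fast" output. The Classification field is
# optional because the test rules on this page carry no classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def count_by_sid(lines: Iterable[str]) -> Counter:
    """Tally alerts per rule SID; non-alert lines are skipped."""
    hits: Counter = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            hits[int(alert["sid"])] += 1
    return hits


def rules_never_fired(lines: Iterable[str], expected_sids: Iterable[int]) -> List[int]:
    """SIDs from local.rules that produced no alert at all in this output."""
    hits = count_by_sid(list(lines))
    return sorted(sid for sid in expected_sids if hits[sid] == 0)


# Constructed sample alert lines (same layout Snort writes; addresses are documentation ranges).
SAMPLE = """\
03/14-10:15:01.123456  [**] [1:1000001:1] ICMP Testing Rule [**] [Priority: 0] {ICMP} 192.0.2.10 -> 192.0.2.1
03/14-10:15:02.654321  [**] [1:1000002:1] TCP Testing Rule [**] [Priority: 0] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80
03/14-10:15:02.700000  [**] [1:1000002:1] TCP Testing Rule [**] [Priority: 0] {TCP} 192.0.2.11:51235 -> 198.51.100.5:80
some unrelated log line that should be ignored
"""

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for sid, n in sorted(count_by_sid(lines).items()):
        print(f"sid {sid}: {n} alert(s)")
    print("never fired:", rules_never_fired(lines, [1000001, 1000002, 1000003]))
```

Point it at the real alert file (for example python3 this_script.py < /var/log/snort/alert, after replacing SAMPLE with sys.stdin) to see whether the silence is a logging-destination problem or a rule that never matches.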