[Snortsam-discussion] testing snortsam with simple rules
Matt Jonkman
jonkman at jonkmans.com
Tue May 13 21:09:28 EDT 2008
That's an ICMP sig, so putting -P0 tells nmap not to do an ICMP ping.
Take that out and try again.
IIRC, nmap's old default behavior was an ICMP ping with no payload,
which is unusual. Not sure if it still does the same...
Matt
Rachmat Hidayat Al-Anshar wrote:
> howdy ;)
>
> Thanks Matt, working like a charm. I feel so excited
> with this work. Can you tell me how to generate
> sid:469? It's about detecting nmap ICMP traffic. The
> signature looks like this:
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ICMP PING NMAP"; dsize:0; itype:8;
> reference:arachnids,162; classtype:attempted-recon;
> sid:469; rev:4;)
>
> I tried issuing the following nmap command:
> nmap -P0 -sS -sV -O <target ip>
>
> but snort only shows (portscan) TCP portscan and
> SNMP trap tcp. ;(
> What should I do?
>
> Anyone who wants to show me any other kind of rules for
> testing snortsam will be greatly appreciated ;)
>
> best regards
> Matt
>
>
> --- Matt Jonkman <jonkman at jonkmans.com> wrote:
>
>> Forgot to mention you need to telnet to yahoo.com on
>> port 80.
>>
>> Matt Jonkman wrote:
>>> Best bet is to make your own test sig. Something like:
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test";
>>> flow:established,to_server; content:"testing123testing"; sid:1000000;
>>> rev:1; fwsam: dst, 2 minutes;)
>>>
>>> Then just telnet to cnn.com or something, type testing123testing and
>>> that IP ought to be blocked for 2 minutes. Should be long enough for you
>>> to see the block be added and removed.
>>>
>>> Don't leave that running after you're done though. :)
>>> Matt
>>>
>>> Rachmat Hidayat Al-Anshar wrote:
>>>> Hi all,
>>>>
>>>> Can you all help me to find some simple rules for testing
>>>> snortsam (other than simple icmp 'ping' rules, of course)?
>>>> They can be dos, ddos, exploit, icmp, web-attack, and
>>>> web-php rules. And please tell me how to make it happen,
>>>> I mean, what should I do to make snort generate alerts
>>>> from those rules.
>>>>
>>>> This is just for testing purposes only, and isn't applied
>>>> to the production environment. I just want to try some
>>>> other blocking schemes.
>>>>
>>>> regards
>>>> Matt
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Snortsam-discussion mailing list
>>>> Snortsam-discussion at snortsam.net
>>>> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
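As an added example (not part of this thread or of Snort/SnortSam), here is a toy matcher for the two rule conditions discussed above, run over constructed packets: it shows why an echo request with no payload matches sid 469 while a normal ping (with payload) or a scan run with -P0 (no echo at all) does not, and why the fwsam test sig needs the content string to arrive on port 80. The rule dictionaries and the Packet fields are simplified assumptions for illustration, not Snort's parser.

```python
# Added example (not from the thread): a toy matcher for the rule
# options the thread relies on (itype, dsize, content, dest port).
# It is not Snort's parser; every packet below is a constructed sample.
from dataclasses import dataclass
from typing import Optional, List, Dict


@dataclass
class Packet:
    proto: str                    # "icmp" or "tcp"
    payload: bytes = b""
    itype: Optional[int] = None   # ICMP type, when proto == "icmp"
    dport: Optional[int] = None   # TCP destination port, when proto == "tcp"


# Rule options copied from the thread, reduced to what the toy checks.
RULES: Dict[int, dict] = {
    469: {"proto": "icmp", "itype": 8, "dsize": 0},      # "ICMP PING NMAP"
    1000000: {"proto": "tcp", "dport": 80,               # $HTTP_PORTS assumed 80
              "content": b"testing123testing"},         # the fwsam test sig
}


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """True when every option in `rule` holds for `pkt` (all options AND)."""
    if rule["proto"] != pkt.proto:
        return False
    if "itype" in rule and pkt.itype != rule["itype"]:
        return False
    if "dsize" in rule and len(pkt.payload) != rule["dsize"]:
        return False
    if "dport" in rule and pkt.dport != rule["dport"]:
        return False
    if "content" in rule and rule["content"] not in pkt.payload:
        return False
    return True


def firing_sids(packets: List[Packet]) -> List[int]:
    """Sorted SIDs that would alert at least once over the given traffic."""
    return sorted({sid for sid, r in RULES.items()
                   for p in packets if rule_matches(r, p)})


# Constructed traffic samples.
NMAP_DEFAULT_PING = Packet("icmp", itype=8)               # echo request, no payload
OS_PING = Packet("icmp", itype=8, payload=bytes(56))      # ping(8)-style payload
SYN_ONLY = Packet("tcp", dport=80)                        # -P0: no ICMP echo at all
TELNET_TEST = Packet("tcp", dport=80, payload=b"GET testing123testing\r\n")

if __name__ == "__main__":
    print(firing_sids([NMAP_DEFAULT_PING]))   # [469]
    print(firing_sids([OS_PING, SYN_ONLY]))   # []  (dsize:0 fails / no ICMP)
    print(firing_sids([TELNET_TEST]))         # [1000000]
```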