[Snortsam-discussion] (no subject)

Rachmat Hidayat Al-Anshar rachmat_hidayat_02 at yahoo.com
Wed May 14 00:50:29 EDT 2008


It's still working, Matt. This nmap icmp traffic seems to be processed in a very short period. Could you show me other rules, maybe something related to port scanning with nmap?

Thanks in advance
regards
matt

Matt Jonkman wrote: 
> That's an icmp sig, so putting -P0 tells nmap not to do an icmp ping. 
> Take that out and try again.
> IIRC, nmap's old default behavior was an icmp ping with no payload, 
> which is unusual. Not sure if it still does the same...
> Matt
> Rachmat Hidayat Al-Anshar wrote:
>> howdy ;)
>> 
>> Thanks Matt, working like a charm. I feel so excited 
>> with this work; can you tell me how to generate
>> sid: 469? It's about detecting nmap icmp traffic. The
>> signature looks like this:
>> 
>> alert icmp $EXTERNAL_NET any -> $HOME_NET any
>> (msg:"ICMP PING NMAP"; dsize:0; itype:8;
>> reference:arachnids,162; classtype:attempted-recon;
>> sid:469; rev:4;)
>> 
>> I tried issuing the following nmap command:
>> nmap -P0 -sS -sV -O <target ip>
>> 
>> but snort only shows (portscan) TCP portscan and
>> SNMP trap tcp.  ;(
>> What should I do?
>> 
>> Any other kind of rules for testing snortsam that anyone
>> wants to show me will be greatly appreciated ;)
>> 
>> best regards
>> Matt
>> 
>> 
>> --- Matt Jonkman <jonkman at jonkmans.com> wrote:
>> 
>>> Forgot to mention you need to telnet to yahoo.com on
>>> port 80.
>>>
>>> Matt Jonkman wrote:
>>>> Best bet is to make your own test sig. Something like:
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test"; 
>>>> flow:established,to_server; content:"testing123testing"; sid:1000000; 
>>>> rev:1; fwsam: dst, 2 minutes;)
>>>>
>>>> Then just telnet to cnn.com or something, type testing123testing and 
>>>> that IP ought to be blocked for 2 minutes. Should be long enough for you 
>>>> to see the block be added and removed.
>>>>
>>>> Don't leave that running after you're done though. :)
>>>> Matt
>>>>
>>>> Rachmat Hidayat Al-Anshar wrote:
>>>>> Hi all, 
>>>>>
>>>>> Can you all help me to find some simple rules to test
>>>>> snortsam (other than simple icmp 'ping' rules, of
>>>>> course)? They can be dos, ddos, exploit, icmp,
>>>>> web-attack, and web-php rules. And please tell me how
>>>>> to make it happen, I mean, what should I do to make snort
>>>>> generate alerts from those rules.
>>>>>
>>>>> This is just for testing purposes only, and isn't applied
>>>>> to the production environment. I just want to try some
>>>>> other blocking schemes.
>>>>>
>>>>> regards
>>>>> Matt
>>>>>
>>>>>
>>>>>       
>>>>> _______________________________________________
>>>>> Snortsam-discussion mailing list
>>>>> Snortsam-discussion at snortsam.net
>>>>>
>>>>> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
>>> -- 
>>> --------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> --------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>> 
>> 
>> 
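As an added illustration, not from the thread or the Snortsam project, of why sid 469 only fires on an empty echo request while the fwsam test sig needs the literal string on port 80: a toy Python matcher that evaluates the two rules quoted above against constructed packets. It assumes $HTTP_PORTS is port 80, treats $HOME_NET and $EXTERNAL_NET as "any", and does not track flow state.

```python
import re
# Rules quoted in the thread: sid 469 (empty ICMP echo request, the ping
# old nmap sent by default) and Matt's test signature with the fwsam option.
NMAP_ICMP_RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any '
                  '(msg:"ICMP PING NMAP"; dsize:0; itype:8; '
                  'reference:arachnids,162; classtype:attempted-recon; '
                  'sid:469; rev:4;)')
TEST_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
             '(msg:"test"; flow:established,to_server; '
             'content:"testing123testing"; sid:1000000; rev:1; '
             'fwsam: dst, 2 minutes;)')
# Assumed variable binding; $HOME_NET and $EXTERNAL_NET are treated as "any".
PORT_VARS = {"$HTTP_PORTS": {80}}

def parse_rule(text):
    """Split a Snort rule into its header fields plus an option dict."""
    header, body = text.split("(", 1)
    action, proto, src, sport, _, dst, dport = header.split()
    opts = {k: v.strip().strip('"')
            for k, v in re.findall(r'([a-z_]+)\s*:\s*([^;]*);', body)}
    return {"action": action, "proto": proto, "dport": dport, "opts": opts}

def port_ok(spec, port):
    """Destination-port check: 'any', a $VAR from PORT_VARS, or a literal."""
    if spec == "any":
        return True
    if spec in PORT_VARS:
        return port in PORT_VARS[spec]
    return int(spec) == port

def matches(rule, pkt):
    """True if a constructed packet dict satisfies the rule. Handles proto,
    dport, dsize:N (exact size), itype:N and content; 'flow' is ignored
    because no session state is tracked in this toy matcher."""
    o = rule["opts"]
    if rule["proto"] != pkt["proto"] or not port_ok(rule["dport"], pkt.get("dport", 0)):
        return False
    if "dsize" in o and len(pkt["payload"]) != int(o["dsize"]):
        return False
    if "itype" in o and pkt.get("icmp_type") != int(o["itype"]):
        return False
    return "content" not in o or o["content"].encode() in pkt["payload"]

# Constructed packets: nmap's empty echo request, a normal OS ping with a
# 56-byte payload, and the telnet test string sent to port 80 and to 443.
NMAP_PING = {"proto": "icmp", "icmp_type": 8, "payload": b""}
OS_PING = {"proto": "icmp", "icmp_type": 8, "payload": b"\x00" * 56}
TELNET_80 = {"proto": "tcp", "dport": 80, "payload": b"testing123testing\r\n"}
TELNET_443 = {"proto": "tcp", "dport": 443, "payload": b"testing123testing\r\n"}
```

Running nmap with -P0 sends no echo request at all, so nothing reaches the dsize:0/itype:8 check; a normal ping with a payload fails the dsize test, which is why the sig stays quiet in both cases.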
