Hey guys... still working on my senior project little by little... I have the "Endian" Firewall Linux distro up and running, and Snort is included. I have an IIS 5.1 server running behind it and a few Windows machines in my VMware lab setup.
So my question is... is there any specific Metasploit attack that will trigger Snort and its IDS?
Generally, I know that Snort is meant to log an attack such as port scanning. Try scanning the ports of the target (in your case, Windows) with nmap, using the Windows machine's IP.
Have you modified the default Snort rules at all? If not, any rather "noisy" scan ought to do it... maybe a TCP Xmas scan, or an FTP bounce.
Last edited by scottm99; 02-17-2012 at 08:29 AM.
If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...
Thanks Scott.. I think the problem at this point is that it's a firewall with IDS built in... I think the firewall is blocking most of the attempts... and the IDS is seeing nothing.. If I have compromised a Windows XP VM behind the firewall with Metasploit, will Snort fire off when looking at that traffic? I've updated Snort with the latest definitions.... I think I'm gonna shut down the firewall and see if Snort fires off then..
I'm no Snort expert, but as I understand IDS/IPS, it's all about the definitions/rules. What you said makes sense: if the firewall is stopping inbound traffic, then Snort won't trigger, because there's nothing for it to trigger on.
Now, if you've compromised your victim (depending on how the firewall is configured), Snort may log something if it sees outbound traffic that matches a definition/rule. For example, you've dropped a payload on your victim that does a reverse shell back to your BT machine.
I'll give that a shot tonight.. I'll make a snapshot of the XP machine; this way I can roll back and repeat the test on the VM.
Finally got it triggered... and working.. I have now disabled it and just have the firewall up and running.. I have port 445 open in the firewall.. but the firewall continues to block Metasploit ms08_67... I pull the VM off that firewall and Metasploit ms08_67 owns the box right away... this isn't looking good... either this is a really good firewall and I can't own the box even though the port is open? I'll keep poking around, but I'm gonna run out of time for my senior project.
Glad to hear things are working for you. If the port is open, it should be allowing all traffic both ways. Is there anything else running on the box that could be killing the payload?
Found out my big issue... I wasn't using a reverse connection... Why would a reverse connection work and a regular connection be blocked by the firewall?
I am not familiar with Snort, but wouldn't a reverse payload work because the firewall isn't going to block a connection that an internal computer requests, but the firewall would block a connection that the attacking machine initiates?
Improvise. Adapt. Overcome.
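The stateful-firewall behaviour described in the last two posts, as an added toy model (not code from the thread or from Endian): one inbound port is forwarded, everything else inbound is dropped, and any connection an inside host opens is tracked and allowed both ways, which is exactly why the bind payload was blocked and the reverse payload was not. The `egress_filtering` switch shows the defender's counter-measure, an outbound allow-list that blocks and logs the reverse connection. All addresses, ports and the firewall class are assumptions constructed for the example.

```python
from dataclasses import dataclass
# Constructed toy model of the lab in the thread: a stateful firewall forwarding
# inbound TCP/445 to the box behind it, otherwise permitting only traffic that
# belongs to connections the inside host opened. All addresses are hypothetical.
INSIDE_NET = "10.0.0."                   # assumed internal range
INSIDE_SERVER = "10.0.0.10"              # assumed XP/IIS victim behind Endian
ATTACKER = "203.0.113.5"                 # constructed external address
INBOUND_ALLOW = {(INSIDE_SERVER, 445)}   # the one port opened in the thread
EGRESS_ALLOW = {53, 80, 443}             # defender's outbound allow-list

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for the first packet of a TCP connection

class StatefulFirewall:
    def __init__(self, egress_filtering=False):
        self.conntrack = set()           # (client, cport, server, sport)
        self.egress_filtering = egress_filtering
        self.alerts = []                 # what an IDS/egress rule would log
    def _inside(self, ip):
        return ip.startswith(INSIDE_NET)
    def filter(self, pkt):               # True = forwarded, False = dropped
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return True                  # ESTABLISHED flow: allowed both ways
        if not pkt.syn:
            return False                 # no state and not a new connection
        if self._inside(pkt.src):        # inside host initiating outbound
            if self.egress_filtering and pkt.dport not in EGRESS_ALLOW:
                self.alerts.append(f"egress {pkt.src} -> {pkt.dst}:{pkt.dport}")
                return False
            self.conntrack.add(fwd)
            return True                  # why the reverse payload got through
        if (pkt.dst, pkt.dport) in INBOUND_ALLOW:
            self.conntrack.add(fwd)
            return True                  # the exploit's own traffic to 445
        return False                     # why the bind payload was blocked

def bind_vs_reverse(egress_filtering=False):  # -> (exploit, bind, reverse, reply, alerts)
    fw = StatefulFirewall(egress_filtering)
    exploit = fw.filter(Packet(ATTACKER, 40000, INSIDE_SERVER, 445, syn=True))
    bind = fw.filter(Packet(ATTACKER, 40001, INSIDE_SERVER, 4444, syn=True))
    reverse = fw.filter(Packet(INSIDE_SERVER, 1034, ATTACKER, 4444, syn=True))
    reply = fw.filter(Packet(ATTACKER, 4444, INSIDE_SERVER, 1034, syn=False))
    return exploit, bind, reverse, reply, list(fw.alerts)
```

With the default policy the exploit traffic to 445 and the reverse connection both pass while the bind connection is dropped; with `egress_filtering=True` the reverse connection is dropped as well and shows up in `alerts`, which is the log line a Snort or firewall egress rule would give the defender.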