
Thread: How to trigger Snort

  1. #1
    Junior Member
    Join Date
    Jun 2011
    Posts
    43

    Default How to trigger Snort

    Hey guys... still working on my senior project little by little... I have the "Endian" Firewall Linux distro up and running and Snort is included.. I have an IIS 5.1 server running behind it and a few Windows machines in my VMware lab setup.

    So my question is... is there any specific Metasploit attack that will trigger Snort and its IDS?

  2. #2
    Just burned their ISO
    Join Date
    Feb 2010
    Posts
    18

    Default Re: How to trigger Snort

    Generally, I know that Snort logs an attack such as port scanning. Try scanning the ports of the target (in your case, Windows) with nmap against the Windows machine's IP.

  3. #3
    Good friend of the forums scottm99's Avatar
    Join Date
    Feb 2010
    Location
    underwater
    Posts
    371

    Default Re: How to trigger Snort

    Have you modified the default snort rules any? If not, any rather "noisy" scan ought to do it...maybe TCP xmas scan, or FTP bounce.
    Last edited by scottm99; 02-17-2012 at 08:29 AM.
    If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...

  4. #4
    Junior Member
    Join Date
    Jun 2011
    Posts
    43

    Default Re: How to trigger Snort

    thanks scott.. I think the problem at this point is that it's a firewall with IDS built in... I think the firewall is blocking most of the attempts... and the IDS is seeing nothing.. if I have compromised a Windows XP VM behind the firewall with Metasploit, will Snort fire off when looking at that traffic? I've updated Snort with the latest definitions.... I think I'm gonna shut down the firewall and see if Snort fires off then..

  5. #5
    Good friend of the forums scottm99's Avatar
    Join Date
    Feb 2010
    Location
    underwater
    Posts
    371

    Default Re: How to trigger Snort

    I'm no snort expert, but as I understand IDS/IPS, it's all about the definitions/rules. What you said makes sense, if the firewall is stopping inbound traffic, then snort won't trigger, cause there's nothing for it to trigger on.

    Now, if you've compromised your victim (depending on how the firewall is configured), snort may log something if it sees outbound traffic that matches a definition/rule. For example, you've dropped a payload on your victim that does a reverse shell back to your BT machine.
    If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...

  6. #6
    Junior Member
    Join Date
    Jun 2011
    Posts
    43

    Default Re: How to trigger Snort

    i'll give that a shot tonight.. i'll make a snapshot of the xp machine this way i can roll back and repeat the test on the VM.

  7. #7
    Junior Member
    Join Date
    Jun 2011
    Posts
    43

    Default Re: How to trigger Snort

    Finally got it triggered... and working.. I have now disabled it, and just have the firewall up and running.. I have port 445 open in the firewall.. but the firewall continues to block Metasploit ms08_67... I pull the VM off that firewall and Metasploit ms08_67 owns the box right away... this isn't looking good... either this is a really good firewall and I can't own the box even though the port is open? I'll keep poking around but I'm gonna run out of time for my senior project

  8. #8
    Good friend of the forums scottm99's Avatar
    Join Date
    Feb 2010
    Location
    underwater
    Posts
    371

    Default Re: How to trigger Snort

    Glad to hear things are working for you. If the port is open, it should be allowing all traffic both ways. Is there anything else running on the box that could be killing the payload?
    If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...

  9. #9
    Junior Member
    Join Date
    Jun 2011
    Posts
    43

    Default Re: How to trigger Snort

    Found out my big issue... I wasn't using a reverse connection... why would a reverse connection work and a regular connection be blocked by the firewall?

  10. #10
    Member
    Join Date
    Jan 2011
    Posts
    63

    Default Re: How to trigger Snort

    I am not familiar with snort, but wouldn't a reverse payload work because the firewall isn't going to block a connection that an internal computer requests but the firewall would block a connection that the attacking machine initiates?
    Improvise. Adapt. Overcome.
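
Added example (not part of any post in this thread): a toy model of the behaviour discussed in posts #5 to #10, a stateful firewall with an IDS sensor that is assumed to inspect only traffic the firewall forwards. The class, addresses and ports are constructed for illustration; the egress allow-list goes beyond the thread and shows the control that also stops connections initiated from inside.

```python
from dataclasses import dataclass, field
from typing import Optional

LAN = "192.168.1."  # constructed lab prefix (assumption)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFirewall:
    inbound_open: set                    # ports forwarded to the LAN
    egress_allow: Optional[set] = None   # None: any outbound port allowed
    flows: set = field(default_factory=set)
    sensor_log: list = field(default_factory=list)  # packets the IDS gets to see

    def forward(self, p: Packet) -> bool:
        # A packet is a reply if the mirrored tuple was already forwarded.
        reply = (p.dst, p.dport, p.src, p.sport) in self.flows
        if p.src.startswith(LAN):        # connection leaving the LAN
            new_ok = self.egress_allow is None or p.dport in self.egress_allow
        else:                            # connection arriving from outside
            new_ok = p.dport in self.inbound_open
        if reply or new_ok:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            self.sensor_log.append(p)    # dropped packets never reach the sensor
            return True
        return False

def demo():
    ext, xp = "203.0.113.10", "192.168.1.20"   # constructed addresses
    fw = StatefulFirewall(inbound_open={445})
    results = {
        "inbound_445": fw.forward(Packet(ext, 40000, xp, 445)),
        "inbound_4444": fw.forward(Packet(ext, 40001, xp, 4444)),
        "outbound_4444": fw.forward(Packet(xp, 1055, ext, 4444)),
        "reply_to_outbound": fw.forward(Packet(ext, 4444, xp, 1055)),
    }
    # Same inbound policy, but outbound limited to web ports (egress filtering).
    hardened = StatefulFirewall(inbound_open={445}, egress_allow={80, 443})
    results["outbound_4444_filtered"] = hardened.forward(Packet(xp, 1055, ext, 4444))
    return results, len(fw.sensor_log)

if __name__ == "__main__":
    print(demo())
```

With the default policy the sensor logs three of the four packets; the dropped inbound attempt to the unopened port is invisible to it, which matches the "IDS is seeing nothing" observation in post #4.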
