Thread: Autopwn against snort problems

  1. #1
    Just burned his ISO
    Join Date
    Dec 2007
    Posts
    10

    Autopwn against snort problems

    1. I have a VM of Linux based Snort running in my lab.
    2. On one workstation I am using the BT2 CD.
    3. Then I have the host XP box running the VM of snort.

    I can "db_nmap xxx.xxx.xxx.xx1" which is the XP host for the VM no problem.

    I can not get "db_nmap xxx.xxx.xxx.xx2" which is the snort VM to work. It just sits there. And because of this when I run the "db_autopwn -p -t -e" it will not target the xxx.xxx.xxx.xx2 snort VM. NOTE - This works and retargets the XP host with no problems.

    If I run a "nmap -v -A -T4 xxx.xxx.xxx.xx2" against snort, I get the OS, the ports, etc. AND snort registers the alerts.



    What step am I missing here to make autopwn target a Snort VM machine?


    My thoughts... since snort usually puts the nic in stealth mode, db_nmap is having issues targeting it, but that doesn't explain the nmap -A stuff from above.

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by JamesN View Post
    1. I have a VM of Linux based Snort running in my lab.
    2. On one workstation I am using the BT2 CD.
    3. Then I have the host XP box running the VM of snort.

    I can "db_nmap xxx.xxx.xxx.xx1" which is the XP host for the VM no problem.

    I can not get "db_nmap xxx.xxx.xxx.xx2" which is the snort VM to work. It just sits there. And because of this when I run the "db_autopwn -p -t -e" it will not target the xxx.xxx.xxx.xx2 snort VM. NOTE - This works and retargets the XP host with no problems.

    If I run a "nmap -v -A -T4 xxx.xxx.xxx.xx2" against snort, I get the OS, the ports, etc. AND snort registers the alerts.



    What step am I missing here to make autopwn target a Snort VM machine?


    My thoughts... since snort usually puts the nic in stealth mode, db_nmap is having issues targeting it, but that doesn't explain the nmap -A stuff from above.
    A proper Snort installation should not have an IP address assigned to the sensor NIC.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Just burned his ISO
    Join Date
    Dec 2007
    Posts
    10

    Thank you for the quick reply. The snort install is another issue. Why can't I target autopwn to that IP address?

    On a side note, is there a snort hardening white paper floating around here?

  4. #4
    Member The_Denv's Avatar
    Join Date
    Nov 2006
    Posts
    364

    Quote Originally Posted by JamesN View Post
    Thank you for the quick reply. The snort install is another issue. Why can't I target autopwn to that IP address?

    On a side note, is there a snort hardening white paper floating around here?
    As streaker said, if you installed Snort properly it should not have an IP address. If it had an IP address it would be detected to outsiders. Your Snort box is not meant to be seen; i.e., no IP address... you do have it connected to your switch and passive tap/hub, right?

    Snort papers, try this Google search:

    Google Search

    EDIT: If you look in the General IT thread you should find a thread discussing Snort....search
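
Added example, not part of any post in this thread: one way to check the point made in replies #2 and #4, that the sniffing NIC of a Snort sensor should have no IP address. It parses the output of `ip -o addr show`; the interface names (`eth0`, `eth1`, `eth2`) and the sample addresses are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Check that a Snort sniffing interface has no IP address bound to it.
# Input: the text printed by `ip -o addr show` (one address per line).
# Interface names and addresses below are assumptions for illustration.

# addrs_on_iface IFACE: read `ip -o addr show` text on stdin and print
# "family address/prefix" for every IPv4/IPv6 address bound to IFACE.
addrs_on_iface() {
    awk -v ifc="$1" \
        '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# sensor_is_stealth IFACE: return 0 when IFACE carries no address,
# otherwise list the offending addresses on stderr and return 1.
sensor_is_stealth() {
    found=$(addrs_on_iface "$1")
    if [ -n "$found" ]; then
        printf 'sensor interface %s has an address:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample: eth0 is the management NIC, eth1 is a sniffing NIC
# that was left with addresses, eth2 is a sniffing NIC with none (an
# interface without addresses does not appear in `ip -o addr show`).
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.0.2.20/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::a00:27ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever'

for nic in eth1 eth2; do
    if printf '%s\n' "$SAMPLE" | sensor_is_stealth "$nic"; then
        echo "$nic: no address bound"
    else
        echo "$nic: address bound, fix the interface configuration"
    fi
done
# On a live sensor: ip -o addr show | sensor_is_stealth eth1
```

The check also passes for an interface name that does not exist, so confirm the name with `ip link show` first. Note that IPv6 link-local addresses count as well: an interface brought up without an IPv4 address can still answer on its `fe80::` address.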

  5. #5
    Just burned his ISO
    Join Date
    Dec 2007
    Posts
    10

    Again, snort lab setup aside...

    Why can I nmap the IP address with nmap -v -A xxxx, but when I do a db_nmap xxxxxx I get nothing?

  6. #6
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Seems like a problem with your database setup.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  7. #7
    Just burned his ISO
    Join Date
    Dec 2007
    Posts
    10

    Thanks. I redid it all from scratch again for the Nth time and it worked. Not sure why it would not work before. Now to harden that test snort box.
