Recently I stumbled across Snorby, an excellent easy to use implementation of Snort.
It is a new web interface for Snort that is very pretty, but also simple. An excellent introduction to Intrusion Detection Systems, that is not going to scare anyone away.
Now how do I get hold of this, I hear you cry... head over here and grab the preconfigured security appliance.
I downloaded the ISO, fired up a VirtualBox machine and away it went. Seriously, a working Snort install in under 10 minutes. Nice!
Obviously you want to test your Snort, so I fired off an nmap scan with the script option against my Windows XP SP2 test machine.
# nmap -sC 192.168.56.101

Starting Nmap 5.30BETA1 ( https://nmap.org ) at 2010-06-02 10:19 EST
Nmap scan report for 192.168.56.101
Host is up (0.0032s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:22:22:22:22:22

Host script results:
|_nbstat: NetBIOS name: ASDF, NetBIOS user:, NetBIOS MAC: 22:22:22:22:22:22
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Name: WORKGROUP\ASDF
|_  System time: 2010-06-02 10:19:58 UTC-7
|_smbv2-enabled: Server doesn't support SMBv2 protocol

Nmap done: 1 IP address (1 host up) scanned in 12.09 seconds
Snorby showed me some nice port scan alerts (see image).
Now I was running through my guide to Metasploit 3.4.0 and figured I would see something in Snorby. As shown in the guide, I successfully ran Metasploit with the ms08_067 exploit using a meterpreter payload and a VNC DLL injection payload, gaining full access to the Windows XP SP2 machine.
Snorby (and Snort) results show nothing.
Hmm, Snorby is running with up-to-date rules from Emerging Threats and Snort. I was quite surprised and will be looking into the reasons for this in the near future. I would have thought I would have triggered something in the Snort rules during this exploit.
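The first thing I would check in a situation like this is whether the rules I expect to fire are actually enabled, since rulesets commonly ship with many rules commented out. The script below is an added example, not part of the original post or of Snorby; the rules directory, file name and rule lines it creates are constructed sample data, not real Snort or Emerging Threats rules.

```shell
#!/bin/sh
# Added example, not from the original post: report whether Snort rules whose
# msg: option mentions a keyword are enabled or commented out ('#' prefix).
# Everything under $SAMPLE_DIR is constructed sample data, not real rules.

# rule_state RULES_DIR KEYWORD
# Prints one line per matching rule: "enabled <sid>" or "disabled <sid>".
# KEYWORD is matched case-insensitively as a basic regular expression.
rule_state() {
    dir="$1"; kw="$2"
    cat "$dir"/*.rules | grep -i "msg:\"[^\"]*$kw" | while IFS= read -r line; do
        sid=$(printf '%s\n' "$line" | sed -n 's/.*sid:\([0-9]*\);.*/\1/p')
        case "$line" in
            \#*) printf 'disabled %s\n' "$sid" ;;   # Snort ignores commented rules
            *)   printf 'enabled %s\n' "$sid" ;;
        esac
    done
}

# count_enabled RULES_DIR KEYWORD -> number of matching rules that are enabled
count_enabled() {
    rule_state "$1" "$2" | grep -c '^enabled' || true
}

# Constructed sample rules file: two NetAPI rules, one of them disabled.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sample.rules" <<'EOF'
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE NetAPI request"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE NetAPI overflow attempt"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE SMB session setup"; sid:1000003; rev:1;)
EOF

rule_state "$SAMPLE_DIR" netapi
echo "enabled NetAPI rules: $(count_enabled "$SAMPLE_DIR" netapi)"
```

Point it at the appliance's real rules directory instead of $SAMPLE_DIR; a match that comes back as disabled explains a silent sensor just as well as a missing rule does.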