
Metasploit vs Snort as Snorby

Recently I stumbled across Snorby, an excellent, easy-to-use front end for Snort.

It is a new web interface for Snort that is very pretty but also simple: an excellent introduction to Intrusion Detection Systems that is not going to scare anyone away.

Now, how do I get hold of this, I hear you cry... head over here and grab the preconfigured security appliance.

I downloaded the ISO, fired up a VirtualBox machine and away it went. Seriously, a working Snort install in under 10 minutes. Nice!

Obviously you want to test your Snort, so I fired off an nmap scan with the default script option (-sC) against my Windows XP SP2 test machine.

# nmap -sC

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-06-02 10:19 EST
Nmap scan report for
Host is up (0.0032s latency).
Not shown: 997 closed ports
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:22:22:22:22:22 

Host script results:
|_nbstat: NetBIOS name: ASDF, NetBIOS user: , NetBIOS MAC: 22:22:22:22:22:22
| smb-os-discovery:  
|   OS: Windows XP (Windows 2000 LAN Manager)
|_  System time: 2010-06-02 10:19:58 UTC-7
|_smbv2-enabled: Server doesn't support SMBv2 protocol

Nmap done: 1 IP address (1 host up) scanned in 12.09 seconds

Snorby showed me some nice port scan alerts (see image).

Now I was running through my guide to Metasploit 3.4.0 and figured I would see something in Snorby. As shown in the guide, I successfully ran Metasploit with the ms08_067 exploit using a Meterpreter payload and a VNC DLL injection payload, gaining full access to the Windows XP SP2 machine.

Snorby (and Snort) results show nothing.

Hmm. Snorby is running with up-to-date rules from Emerging Threats and Snort. I was quite surprised and will be looking into the reasons for this in the near future. I would have thought I would have triggered something in the Snort rules during this exploit.

1 Comment

  • Jay
    I don't think the problem is Snorby, since it only picks up the alerts generated by Snort. Probably the rules or configuration as to what to alert on are to blame ;-)