Snort mailing list archives
Re: Something I don't understand...
From: John Sage <jsage () finchhaven com>
Date: Tue, 28 Aug 2001 09:54:06 -0700
Bob:

Quick thought:

Bob Hillegas wrote:

> I am running snort Version 1.8.1-RELEASE (Build 74) on RH7.1. Snort is
> started using the command line:
>
>   snort -i ppp0 -u snort -g snort -z est -c /etc/snort/snort.conf -D

How does the interface ppp0 match up with running in -D daemon mode? What I'm wondering is, is your ppp link eternal, and the IP never-changing? If your ppp link comes up and down like mine (I'm a dialup..) and you have a dynamic IP, how does snort running in daemon mode know that a new IP address has been assigned without snort restarting?

> The snort.conf rule set is v 1.62 2001/08/12. The snort.conf (without
> comments) is appended below. I am connected to the internet using ppp0
> over a 56K modem. I use ipchains to DENY everything but ports 25, 110,
> 80 (squid), 53, and ICMP.

Not to digress into ipchains/ports philosophy, but are you offering services to the outside world such that people need to connect to you on 25, 110, 53 and 80?

Are you offering nameservice to the outside world, for example?

Just wondering...

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

> I log all DENY packets and get dozens of DENY packets daily, most of
> which lately have been directed to port 80. Snort registers none of
> this. It has only registered random ICMP traffic, about 20 packets over
> the last three weeks.
>
> As a comparison, I started tcpdump as follows:
>
>   tcpdump -eflS -nn -vv -i ppp0 &> tcpdump.fil &
>
> This file contains all of the packets that got logged as DENY'd by
> ipchains, and in comparison, snort logged nothing to syslog, nothing to
> the database, nothing to the binary file.
>
> Is there something very basic I am missing or is this a problem with my
> setup? Thanks to anyone who takes time to comment.
>
> BobH
>
> --- snip ---
> var HOME_NET $ppp0_ADDRESS
> var EXTERNAL_NET !$HOME_NET
> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS $HOME_NET
> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> output alert_syslog: LOG_AUTH LOG_ALERT
> output log_tcpdump: snort.log
> output database: alert, mysql, dbname=snort user=snort password=snort host=localhost
> include classification.config
> include exploit.rules
> include scan.rules
> include finger.rules
> include ftp.rules
> include telnet.rules
> include smtp.rules
> include rpc.rules
> include rservices.rules
> include backdoor.rules
> include dos.rules
> include ddos.rules
> include dns.rules
> include netbios.rules
> include web-cgi.rules
> include web-coldfusion.rules
> include web-frontpage.rules
> include web-iis.rules
> include web-misc.rules
> include sql.rules
> include x11.rules
> include icmp.rules
> include shellcode.rules
> include misc.rules
> include policy.rules
> include info.rules
> include icmp-info.rules
> include virus.rules
> include local.rules
> --- snip ---
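John's question above is about how a daemonised Snort whose HOME_NET is defined as `$ppp0_ADDRESS` can follow a dynamic dialup address. Snort reads that variable once at startup, so the usual answer is to restart it from the pppd ip-up hook. The script below is an added example written for this thread, not code from either poster or from the Snort project. It relies on pppd's documented convention of calling its ip-up script as `ip-up <iface> <tty> <speed> <local-ip> <remote-ip> [ipparam]`; the hook path (`/etc/ppp/ip-up.local`, which Red Hat's stock ip-up hands off to), the state file, the pid file name and the `SNORT_CMD` line (copied from Bob's command) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a pppd ip-up hook that restarts a
# daemonised Snort whenever ppp0 comes up with a different local address,
# so that $ppp0_ADDRESS and therefore HOME_NET are re-evaluated.
#
# pppd calls this as:  ip-up <iface> <tty> <speed> <local-ip> <remote-ip> [ipparam]
# Install as /etc/ppp/ip-up.local (assumed Red Hat layout) and make it executable.

# Command line from the original post; adjust to taste.
SNORT_CMD="snort -i ppp0 -u snort -g snort -z est -c /etc/snort/snort.conf -D"
# Assumed locations: where we remember the address Snort was started with,
# and the pid file Snort -D writes for the interface.
STATE_FILE="${STATE_FILE:-/var/run/snort-ppp0.addr}"
PID_FILE="${PID_FILE:-/var/run/snort_ppp0.pid}"

# addr_changed NEWIP
# Exit 0 when no address was recorded yet or the recorded one differs from
# NEWIP (Snort must be restarted); exit 1 when Snort already runs with NEWIP.
addr_changed() {
    new="$1"
    [ -r "$STATE_FILE" ] || return 0
    old=$(cat "$STATE_FILE")
    [ "$old" != "$new" ]
}

# Stop the running daemon (if any) and start a fresh one so snort.conf
# is parsed again with the current ppp0 address.
restart_snort() {
    if [ -r "$PID_FILE" ]; then
        kill "$(cat "$PID_FILE")" 2>/dev/null
        sleep 1
    fi
    $SNORT_CMD
}

# Hook entry point: $1 is the interface, $4 the newly assigned local IP.
ip_up_hook() {
    iface="$1"
    newip="$4"
    [ "$iface" = "ppp0" ] || return 0
    if addr_changed "$newip"; then
        logger -t snort-ppp "ppp0 now $newip, restarting snort"
        restart_snort
        printf '%s\n' "$newip" > "$STATE_FILE"
    fi
}

# Only act when pppd invokes us as the ip-up script; when sourced or run
# under another name the functions are simply defined.
case "$0" in
    */ip-up*) ip_up_hook "$@" ;;
esac
```

One thing worth checking separately while looking at why nothing reaches the alert outputs: `-z est` in that command line tells Snort 1.8 to alert only on TCP packets that belong to an established session (plus non-TCP traffic). Unanswered SYNs to port 80 that ipchains drops never form a session, so under `est` mode the web rules would not fire on them even with HOME_NET set correctly, which is consistent with only ICMP alerts appearing.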