Re: Something I don't understand...

[John Sage <jsage () finchhaven com>]

Bob:

Quick thought:

Bob Hillegas wrote:

> I am running snort Version 1.8.1-RELEASE (Build 74) on RH7.1.
> Snort is started using the command line:
> snort -i ppp0 -u snort -g snort -z est -c /etc/snort/snort.conf -D


How does the interface ppp0 match up with running in -D daemon mode?

What I'm wondering is, is your ppp link eternal, and the IP never-changing?

If your ppp link comes up and down like mine (I'm a dialup..) and you 
have a dynamic IP, how does snort running in daemon mode know that a new 
IP address has been assigned without snort restarting?


> The snort.conf rule set is v 1.62 2001/08/12.
> The snort.conf (without comments) is appended below.
>
> I am connected to the internet using ppp0 over a 56K modem. I use ipchains
> to DENY everything but ports 25, 110, 80 (squid), 53, and ICMP.



Not to digress into ipchains/ports philosophy, but are you offering 
services to the outside world such that people need to connect to you on 
25, 110, 53 and 80?

Are you offering nameservice to the outside world, for example?

Just wondering...

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


> I log all DENY packets and get dozens of DENY packets daily, most of which
> lately have been directed to port 80.
>
> Snort registers none of this. It has only registered random ICMP traffic,
> about 20 packets over the last three weeks.
>
> As a comparison, I started tcpdump as follows:
> tcpdump -eflS -nn -vv -i ppp0 &> tcpdump.fil &
> This file contains all of the packets that got logged as DENY'd by
> ipchains, and in comparison, snort logged nothing to syslog, nothing to
> the database, nothing to the binary file.
>
> Is there something very basic I am missing or is this a problem with my
> setup?
>
> Thanks to anyone who takes time to comment. BobH
>
> --- snip ---
> var HOME_NET $ppp0_ADDRESS
> var EXTERNAL_NET !$HOME_NET
> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
>
> var DNS_SERVERS $HOME_NET
> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> output alert_syslog: LOG_AUTH LOG_ALERT
> output log_tcpdump: snort.log
> output database: alert, mysql, dbname=snort user=snort password=snort host=localhost
> include classification.config
> include exploit.rules
> include scan.rules
> include finger.rules
> include ftp.rules
> include telnet.rules
> include smtp.rules
> include rpc.rules
> include rservices.rules
> include backdoor.rules
> include dos.rules
> include ddos.rules
> include dns.rules
> include netbios.rules
> include web-cgi.rules
> include web-coldfusion.rules
> include web-frontpage.rules
> include web-iis.rules
> include web-misc.rules
> include sql.rules
> include x11.rules
> include icmp.rules
> include shellcode.rules
> include misc.rules
> include policy.rules
> include info.rules
> include icmp-info.rules
> include virus.rules
> include local.rules
> --- snip ---



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users