Snort mailing list archives
Re: Configuration issue, Part II
From: John Sage <jsage () finchhaven com>
Date: Tue, 25 Sep 2001 05:25:15 -0700
Bob:

Bob Hillegas wrote:
> John, I too use a dialup ppp connection on a firewall/IDS box. But I see less than one percent of traffic and rarely see any packets that IPChains logs, and I do log every DENY, REJECT.

Remember that you may have to tell snort to look at what you want to see; I'm logging or alerting on *everything* via my own rules..

> You showed your command line. Do you mind sharing your 'cat snort.conf | grep -v ^# | grep -v ^$'?
Here you go:

var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
preprocessor frag2
preprocessor stream4: detect_scans, detect_state_problems
preprocessor stream4_reassemble: ports all
preprocessor unidecode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
output alert_syslog: LOG_DAEMON LOG_ALERT
output alert_full: /var/log/snort/alertREL.full
include classification.config
alert tcp 127.0.0.0/8 any -> $HOME_NET any (msg: "Alert: tcp from 127 block";)
alert udp 127.0.0.0/8 any -> $HOME_NET any (msg: "Alert: udp from 127 block";)
alert icmp 127.0.0.0/8 any -> $HOME_NET any (msg: "Alert: icmp from 127 block";)
alert tcp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: tcp from 192-168 block";)
alert udp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: udp from 192-168 block";)
alert icmp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: icmp from 192-168 block";)
alert tcp 10.0.0.0/8 any -> $HOME_NET any (msg: "Alert: tcp from 10 block";)
alert udp 10.0.0.0/8 any -> $HOME_NET any (msg: "Alert: udp from 10 block";)
alert icmp 10.0.0.0/8 any -> $HOME_NET any (msg: "Alert: icmp from 10 block";)
alert tcp 172.16.0.0/12 any -> $HOME_NET any (msg: "Alert: tcp from 172-[16-31] block";)
alert udp 172.16.0.0/12 any -> $HOME_NET any (msg: "Alert: udp from 172-[16-31] block";)
alert icmp 172.16.0.0/12 any -> $HOME_NET any (msg: "Alert: icmp from 172.[16-31] block";)
include /usr/local/snort-1.8.1-RELEASE/tcpREL-local-lib
include /usr/local/snort-1.8.1-RELEASE/udpREL-local-lib
include /usr/local/snort-1.8.1-RELEASE/icmpREL-local-lib

OK: so what's going on with the last?

Again, what I'm doing is -b binary logging *everything* via my own rules; later on I run the logs against more conventional snort rules for analysis with a couple aliases:

alias snort18view='snort18 -dv -i ppp0 -P 2000 -r '
and
alias snort18check='snort18 -dv -i ppp0 -l . -P 2000 -c /usr/local/snort-1.8.1-beta4/snort18check.conf -r '

that are in my .bashrc (heh.. and which I can see I need to update to RELEASE ;-)
My /usr/local/snort-1.8.1-RELEASE/*REL-local-lib rules files look something like this:

<snip>
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"TCP to 110 pop3";)
log tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"TCP from 110 pop3";)
# alert to, log from
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"TCP to 111 sunrpc";)
alert tcp $EXTERNAL_NET 111 -> $HOME_NET any (msg:"TCP from 111 sunrpc";)
# tcp only: alert to, log from
<snip>

So for all ports, I'm either logging or alerting, either on specific ports (as above..) or on port ranges as below:

<snip>
#log tcp $EXTERNAL_NET any -> $HOME_NET 61000:65095 (msg:"TCP to masq range";)
alert tcp $EXTERNAL_NET 61000:65095 -> $HOME_NET any (msg:"TCP from masq range";)
# alert from until we see some, log to always
#alert tcp $EXTERNAL_NET any -> $HOME_NET 65096:65535 (msg:"TCP beyond masq";)
alert tcp $EXTERNAL_NET 65096:65535 -> $HOME_NET any (msg:"TCP beyond masq";)
# alert from until we see some, alert to always
# <snip>

So this makes sure that snort is either logging or alerting on *every* packet (heh.. tcp, udp or icmp anyway..) that comes in.
HTH..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

Snort-users mailing list
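Added example, not from John's post or from the Snort project: a small Python check that applies the same comment/blank-line filter as Bob's grep pipeline and then reports, for one protocol, which inbound ports have neither an alert nor a log rule, so a rules file built the way John describes can be verified for gaps. The sample rules are constructed in the style of his snippets; note that the commented-out "to" rule is skipped, so its port shows up as a gap.

```python
import re

# Constructed sample in the style of John's *REL-local-lib files (not his actual rules).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"TCP to 110 pop3";)
log tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"TCP from 110 pop3";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"TCP to 111 sunrpc";)
alert tcp $EXTERNAL_NET 111 -> $HOME_NET any (msg:"TCP from 111 sunrpc";)
log tcp $EXTERNAL_NET any -> $HOME_NET 61000:65095 (msg:"TCP to masq range";)
alert tcp $EXTERNAL_NET 61000:65095 -> $HOME_NET any (msg:"TCP from masq range";)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 65096:65535 (msg:"TCP beyond masq";)
alert tcp $EXTERNAL_NET 65096:65535 -> $HOME_NET any (msg:"TCP beyond masq";)
"""

# action proto src sport -> dst dport; rule options in parentheses are ignored here
RULE_RE = re.compile(r"^(alert|log)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)")

def active_lines(text):
    """Same filter as `grep -v ^# | grep -v ^$`: drop comment and blank lines."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def port_range(spec):
    """Snort port field ('any', '110' or 'lo:hi') -> inclusive (lo, hi) tuple."""
    if spec == "any": return (0, 65535)
    lo, hi = spec.split(":") if ":" in spec else (spec, spec)
    return (int(lo), int(hi))

def gaps(ranges):
    """Merge (lo, hi) intervals; return the sub-ranges of 0-65535 they leave uncovered."""
    out, nxt = [], 0
    for lo, hi in sorted(ranges):
        if lo > nxt:
            out.append((nxt, lo - 1))
        nxt = max(nxt, hi + 1)
    if nxt <= 65535:
        out.append((nxt, 65535))
    return out

def coverage_report(text, proto="tcp"):
    """For inbound rules of one protocol: HOME_NET destination ports ('to') and
    EXTERNAL_NET source ports ('from') that no alert or log rule touches."""
    to_ports, from_ports = [], []
    for ln in active_lines(text):
        m = RULE_RE.match(ln)
        if not m or m.group(2) != proto: continue
        sport, dport = m.group(4), m.group(6)
        if sport == "any":    # "to" rule: covers its destination port(s)
            to_ports.append(port_range(dport))
        if dport == "any":    # "from" rule: covers its source port(s)
            from_ports.append(port_range(sport))
    return {"to": gaps(to_ports), "from": gaps(from_ports)}
```

Run it over a real file with `coverage_report(open("tcpREL-local-lib").read())`; an empty list for both keys means every inbound port is matched by at least one rule in that direction.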