Snort mailing list archives
Re: Is this config. ok
From: Kenny D <bitored2002 () yahoo com au>
Date: Fri, 22 Feb 2002 02:37:10 +1100 (EST)
Mike,

The variable is set to DNS hosts (I haven't specified any). When I scan from inside I don't get any alerts. However, I have a switched environment and all that is replicated to snort is traffic from the firewall destined for the inside, therefore I would not expect an internal scan to work unless I had hubs. Does this sound correct?

When I changed my home network to any and port mirroring to receive and transmit and then did a scan, I got alerts. So I proved snort works, correct?

So to recap: if I redirect incoming traffic on the firewall's inside interface to snort and don't get any alerts, it means my firewall is doing a good job, because with the above we proved snort works.

Again, I really appreciate your help as I hope to put this into production soon; I just want to make sure I have set things up correctly.

--- Mike_Sands () elementk com wrote:
> no it should only ignore scans that are in the portscan-ignorehosts variable
>
> Mike Sands
> Security / Network Engineer
> Office: (585) 214-1936
> Fax: (585) 295-7162
> Cell: 716-303-3245
> Element K
> 'the knowledge catalyst'
> www.elementk.com
>
> From: Kenny D <bitored2002 () yahoo com au>
> Sent by: snort-users-admin@lists.sourceforge.net
> Date: 02/21/2002 09:27 AM
> To: Mike_Sands () elementk com
> cc: snort users <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Is this config. ok
>
> If it's set up right, should it not ignore scans from the inside and only look for scans coming from the outside? Is that not the default way snort works? I set up my port mirroring for traffic that my inside interface receives (i.e. going towards my inside private network).
>
> Thanks.
>
> --- Mike_Sands () elementk com wrote:
> > It looks right. You may be right that your firewall is doing a good job. As a test you could run a scan on the box directly from a machine that is behind the firewall. If snort alerts on the scan then things are probably good.
> >
> > Mike Sands
> >
> > From: Kenny D <bitored2002@yahoo.com.au>
> > Date: 02/21/2002 07:28 AM
> > To: Mike_Sands () elementk com
> > cc: snort users <snort-users () lists sourceforge net>
> > Subject: Re: [Snort-users] Is this config. ok
> >
> > Hi,
> >
> > By very quiet I mean no alerts whatsoever. I assume a) my router and firewall are doing a good job or b) I have done something wrong. When I add a rule for any traffic coming in I see plenty going on, so maybe my config is ok.
> >
> > An external scan using superscan gave nothing. The snort options I use are as follows:
> >
> >     c:\snort.exe -c c:\snort\snort.conf -h 172.17.1.0/24 -i 1
> >
> > Does this all sound reasonable? Appreciate your comments.
> >
> > --- Mike_Sands () elementk com wrote:
> > > It sounds like you have everything set up correctly. By "very quiet" do you mean that there are no alerts at all? If you did some sort of nmap scan of the internal network it really should show up in your portscan.log file. Just for Yuks you may want to try and set your home network to 'any' and scan again. Also, how are you running snort? What flags are you using on the command line?
> > >
> > > Mike Sands
> > >
> > > From: Kenny D <bitored2002 () yahoo com au>
> > > Sent by: snort-users-admin@lists.sourceforge.net
> > > Date: 02/20/2002 12:02 PM
> > > To: snort users <snort-users () lists sourceforge net>
> > > Subject: [Snort-users] Is this config. ok
=== message truncated ===
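The question running through this thread is whether silence means the firewall is doing its job or that the sensor never sees the traffic. The following is an added example, not part of any message above: it classifies packets captured on the sensor's mirror port relative to the home network and reports the directions that never appear. The function names and the sample packets are constructed for illustration; only the 172.17.1.0/24 network comes from the thread.

```python
import ipaddress
from collections import Counter

# Home network as passed with -h in the thread.
HOME_NET = ipaddress.ip_network("172.17.1.0/24")

def direction(src, dst, home=HOME_NET):
    """Classify one packet relative to the home network."""
    src_home = ipaddress.ip_address(src) in home
    dst_home = ipaddress.ip_address(dst) in home
    if src_home and dst_home:
        return "internal"
    if dst_home:
        return "inbound"
    if src_home:
        return "outbound"
    return "external"

def coverage(packets, home=HOME_NET):
    """Count packets per direction as seen on the sensor's capture interface."""
    counts = Counter(direction(s, d, home) for s, d in packets)
    return {k: counts.get(k, 0)
            for k in ("inbound", "outbound", "internal", "external")}

def blind_spots(packets, home=HOME_NET):
    """Directions involving the home network that the sensor never saw.
    A scan travelling along one of these cannot raise an alert."""
    seen = coverage(packets, home)
    return sorted(k for k in ("inbound", "outbound", "internal") if seen[k] == 0)

# Constructed sample: mirror copies only traffic leaving the firewall
# towards the inside network.
MIRROR_RX_ONLY = [
    ("203.0.113.5", "172.17.1.10"),
    ("203.0.113.5", "172.17.1.11"),
    ("198.51.100.7", "172.17.1.10"),
]

# Constructed sample: mirror copies both directions on the firewall port.
MIRROR_BOTH = MIRROR_RX_ONLY + [
    ("172.17.1.10", "203.0.113.5"),
    ("172.17.1.11", "198.51.100.7"),
]

if __name__ == "__main__":
    for name, pkts in (("rx only", MIRROR_RX_ONLY), ("rx+tx", MIRROR_BOTH)):
        print(name, coverage(pkts), "blind:", blind_spots(pkts))
```

In both samples host-to-host traffic inside the home network never reaches the sensor, so an internal scan test says nothing about whether detection works.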