Snort mailing list archives
Honeynet Project - Update to our snort.conf
From: Lance Spitzner <lance () honeynet org>
Date: Fri, 1 Mar 2002 14:22:42 -0600 (CST)
The Honeynet Project has made a change to its standard snort.conf configuration file. The snort.conf file posted on the Honeynet website (now updated) at http://project.honeynet.org/papers/honeynet/snort.conf had a flaw and could fail to log non-standard IP protocols. Team member Michael Clark discovered this when one of his Honeynets was compromised. This is a problem with our configuration of the snort.conf file and has NOTHING to do with Snort itself.

In the past, we logged network traffic as follows:

    # Logging tcp
    log tcp any any <> $HOME_NET any (msg: "Unmatched TCP"; session: printable;)

    # Logging udp
    log udp any any <> $HOME_NET any (msg: "Unmatched UDP"; session: printable;)

    # Logging icmp
    log icmp any any <> $HOME_NET any (msg: "Unmatched ICMP"; session: printable;)

There is a MAJOR flaw with this logging configuration: it ASSUMES the bad guys will ONLY use TCP/UDP/ICMP. There are MANY other IP protocols that can be and are actively being used. As such, these log entries have now been replaced with this single entry, which logs ALL IP traffic:

    log ip any any <> $HOME_NET any (msg: "Snort Unmatched"; session: printable;)

As usual, it's the simple, obvious things that kick you in the butt. I've been screwing this up for years, and Michael found it within a month of deploying his Honeynet. Dooh! :-0

--
Lance Spitzner
http://project.honeynet.org
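As an added illustration (not part of Lance's post or the Honeynet Project's snort.conf), the following Python script evaluates Snort `log` rule headers against a handful of constructed sample packets and reports which packets no rule would capture. It shows why the three protocol-specific rules leave a gap and the single `ip` rule closes it. The value of `$HOME_NET` (10.0.0.0/24), the sample packets, and the function names are all assumptions made for the example; only the rule header is evaluated, so the `msg` and `session` options are ignored.

```python
"""Check which packets a set of Snort 'log' rule headers would capture.

Added example: evaluates only the rule header (action, protocol, addresses,
ports, direction); rule options such as msg/session are ignored.
"""
import ipaddress
import re

# Value assumed for $HOME_NET in this example (not taken from the post).
VARIABLES = {"$HOME_NET": "10.0.0.0/24"}

# IANA protocol numbers for the protocol names a Snort rule header accepts.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

# Old configuration quoted in the post: three protocol-specific log rules.
OLD_RULES = [
    'log tcp any any <> $HOME_NET any (msg: "Unmatched TCP"; session: printable;)',
    'log udp any any <> $HOME_NET any (msg: "Unmatched UDP"; session: printable;)',
    'log icmp any any <> $HOME_NET any (msg: "Unmatched ICMP"; session: printable;)',
]
# Replacement configuration from the post: one rule over all IP traffic.
NEW_RULES = [
    'log ip any any <> $HOME_NET any (msg: "Snort Unmatched"; session: printable;)',
]

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def parse_rule(text):
    """Split a Snort rule into its header fields; raise on anything unparseable."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse rule header: {text!r}")
    return m.groupdict()


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    spec = VARIABLES.get(spec, spec)  # expand $VAR, else treat as CIDR/host
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "any":
        return True
    if port is None:  # protocol without ports (ICMP, GRE, ...) vs a port spec
        return False
    return int(spec) == port  # single-port specs only in this example


def rule_matches(rule, pkt):
    """pkt: dict with 'proto' (IP protocol number), 'src', 'dst', optional 'sport'/'dport'."""
    proto = rule["proto"]
    # 'ip' matches every IP protocol; a named protocol must match exactly.
    if proto != "ip" and PROTO_NUMBERS.get(proto) != pkt["proto"]:
        return False
    forward = (_addr_matches(rule["src"], pkt["src"])
               and _port_matches(rule["sport"], pkt.get("sport"))
               and _addr_matches(rule["dst"], pkt["dst"])
               and _port_matches(rule["dport"], pkt.get("dport")))
    if rule["dir"] == "->":
        return forward
    # '<>' is bidirectional: also try the packet with endpoints swapped.
    reverse = (_addr_matches(rule["src"], pkt["dst"])
               and _port_matches(rule["sport"], pkt.get("dport"))
               and _addr_matches(rule["dst"], pkt["src"])
               and _port_matches(rule["dport"], pkt.get("sport")))
    return forward or reverse


def unlogged_packets(rule_texts, packets):
    """Return the packets that none of the given rules would log."""
    rules = [parse_rule(r) for r in rule_texts]
    return [p for p in packets if not any(rule_matches(r, p) for r in rules)]


# Constructed sample traffic: three "ordinary" packets, three non-TCP/UDP/ICMP
# packets touching the honeynet (GRE, IP-in-IP, ESP), and one packet that never
# touches $HOME_NET and should be ignored by both configurations.
SAMPLE_PACKETS = [
    {"proto": 6, "src": "10.0.0.5", "sport": 1025, "dst": "192.0.2.7", "dport": 80},
    {"proto": 17, "src": "192.0.2.7", "sport": 53, "dst": "10.0.0.5", "dport": 1026},
    {"proto": 1, "src": "192.0.2.7", "dst": "10.0.0.5"},
    {"proto": 47, "src": "192.0.2.7", "dst": "10.0.0.5"},
    {"proto": 4, "src": "10.0.0.5", "dst": "192.0.2.7"},
    {"proto": 50, "src": "192.0.2.7", "dst": "10.0.0.5"},
    {"proto": 6, "src": "192.0.2.1", "sport": 4000, "dst": "198.51.100.2", "dport": 22},
]

if __name__ == "__main__":
    for label, rules in (("old", OLD_RULES), ("new", NEW_RULES)):
        missed = unlogged_packets(rules, SAMPLE_PACKETS)
        print(f"{label} config leaves {len(missed)} packet(s) unlogged:")
        for p in missed:
            print(f"  proto {p['proto']:>3}  {p['src']} -> {p['dst']}")
```

Run stand-alone, the script reports that the old configuration leaves four of the seven packets unlogged (the three non-TCP/UDP/ICMP packets plus the one outside `$HOME_NET`), while the new `ip` rule leaves only the packet that never touches `$HOME_NET`, which is the intended behaviour. The same checker can be pointed at a real snort.conf's `log` rules, with `$HOME_NET` set to the honeynet's actual range, to confirm that no protocol is silently dropped.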