Snort mailing list archives

Previous By Date Next
Previous By Thread Next

win2k/snort and weird output

From: "Rommel, Florian" <Florian.Rommel () quartal com>
Date: Thu, 7 Mar 2002 16:28:24 +0200
Hi all, i run snort on all our web/sql servers that have win2k and on all of them it works fine except 2 of them.
Those 2 are running an application level cluster (in house coded) and Apache together with Resin.
they both have 2 IPs on interface 1,
the snort.conf is here at the bottom that i use.
I then use Demarc to see the alerts from the databases, and i double checked in the mysql database but code red 
requests do not get logged with the source Ip that they actually came from (as recorded in the access.log in apache) 
they get as the source IP the 1st IP of the interface and as a destination IP the second ip and that gets logged!!!
Like i said in other servers (running IIS etc) it works well and all attempts get logged withthe REAL source IP and 
with the destination IP it was meant for.


What to do?...

here's my snort.conf of one of the 2 servers, they are both the same except the idsname and the username/passwd ..

any help would be appreciated.

//Florian

ps: the snort.exe is the same as on all other servers.



var HOME_NET 192.168.2.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS any
var SQL_SERVERS [192.168.1.12,192.168.1.14,192.168.1.16]
var DNS_SERVERS [192.168.1.2,192.168.1.3]

preprocessor frag2
#preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 15 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS $SQL_SERVERS

output database: log, mysql, user=ids-clust1 dbname=snort host=192.168.1.55 password=XXXX sensor_name=IDS-CLUST1
output database: alert, mysql, user=ids-clust1 dbname=snort host=192.168.1.55 password=XXXX sensor_name=IDS-CLUST1

include classification.config
include bad-traffic.rules
include dos.rules
include ddos.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include backdoor.rules

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: