Snort mailing list archives

Configuration HELP!


From: Jason Martin <jmartin () hhsc org>
Date: Wed, 12 Jun 2002 10:18:25 -1000

Hello:

Configuration:  Snort WIN32 1.8 port on a Win2k Pro.


Running snort from the command line:

Snort -dev -c snort.conf

Below is a snippet of my config file.

I tried to set my variables so that only my PC would be considered "home"
and Snort would treat all other packets as being external.  However, Snort
is not logging IDS alerts except for activity from my machine (var
HOME_NET).  If I scan the Snort machine from a test machine, it detects nothing.
As soon as I scan the test machine with my Snort machine, Snort lights up.
To alleviate this problem I placed my IP address in the preprocessor
portscan-ignorehosts section, but that didn't work either.  It is still alarming
off of traffic sent from my PC.

I must have misconfigured something and was hoping someone could shed some
light on the situation.

I've also noticed that any trigger events that do happen to be logged all
show traffic flowing from my machine.

[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/10-11:40:24.538093 x.x.x.243:1282 -> x.x.x.77:1080
TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDA7C045C  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
[Xref => http://help.undernet.org/proxyscan/]

The x.x.x.77 machine is the machine that was scanning me, but the traffic
flow shows my machine responding to the proxy scan; it did not create an
event showing a scan coming from the scanning machine. When I look at this,
it makes me think I was scanning x.x.x.77. Or am I just misunderstanding
the log?

Thanks in advance for any help.

~Jason



===========================
var HOME_NET x.x.x.243/32

var EXTERNAL_NET any

var SMTP $HOME_NET

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET
 
var DNS_SERVERS $HOME_NET

var RULE_PATH /rules

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $EXTERNAL_NET 2 1 portscan.log
preprocessor portscan-ignorehosts: $HOME_NET
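To make the log-reading question concrete, here is an added Python example (not from the original post and not Snort's own code) that resolves the `var` lines from the snippet above, parses a classic Snort alert header like the one quoted, and reports which endpoint falls inside HOME_NET and EXTERNAL_NET. The redacted x.x.x addresses are replaced with constructed 192.0.2.x documentation addresses, and a `!$HOME_NET` variant is evaluated alongside the posted `any`, because with `EXTERNAL_NET any` the home host is simultaneously "home" and "external".

```python
import ipaddress
import re

# Constructed sample input: the poster's vars with the redacted x.x.x
# octets replaced by documentation addresses (192.0.2.0/24).
SNORT_CONF = """
var HOME_NET 192.0.2.243/32
var EXTERNAL_NET any
var SMTP $HOME_NET
"""

# Constructed alert in the Snort 1.x text format, same shape as the quoted one.
ALERT = """[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/10-11:40:24.538093 192.0.2.243:1282 -> 192.0.2.77:1080
TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDA7C045C  Ack: 0x0  Win: 0x4000  TcpLen: 28"""

def parse_vars(conf):
    """Resolve 'var NAME value' lines, expanding $REFS to earlier vars."""
    vars_ = {}
    for m in re.finditer(r"^var\s+(\w+)\s+(\S+)", conf, re.M):
        name, value = m.groups()
        value = re.sub(r"\$(\w+)", lambda r: vars_[r.group(1)], value)
        vars_[name] = value
    return vars_

def in_net(ip, spec):
    """Snort 1.x address spec: 'any', a CIDR block, or '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not in_net(ip, spec[1:])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def parse_alert(text):
    """Pull sid, endpoints and the TCP flag field out of a classic Snort alert."""
    sid = re.search(r"\[\d+:(\d+):\d+\]", text).group(1)
    ep = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)", text)
    flags = re.search(r"^([*\dAPRSFU]{8}) Seq:", text, re.M).group(1)
    return {"sid": int(sid), "src": ep.group(1), "sport": int(ep.group(2)),
            "dst": ep.group(3), "dport": int(ep.group(4)), "flags": flags}

def classify(alert, vars_):
    """Say which side of 'src -> dst' is home/external under the given vars.
    A lone SYN ('S' with every other flag unset) means src opened the connection."""
    return {
        "src_home": in_net(alert["src"], vars_["HOME_NET"]),
        "src_external": in_net(alert["src"], vars_["EXTERNAL_NET"]),
        "dst_home": in_net(alert["dst"], vars_["HOME_NET"]),
        "dst_external": in_net(alert["dst"], vars_["EXTERNAL_NET"]),
        "initiator": alert["src"] if alert["flags"].strip("*") == "S" else None,
    }
```

Run `classify(parse_alert(ALERT), parse_vars(SNORT_CONF))` to see that, with `EXTERNAL_NET any`, the .243 host is reported as both home and external and is the side that sent the SYN.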
