Snort mailing list archives
Re: Configuration HELP! (understanding alerts and proxies)
From: matt <mkettler () evi-inc com>
Date: Wed, 12 Jun 2002 17:08:11 -0400
This indicates that the machine xx.xx.xx.243 contacted (or attempted to at least) a socks proxy server on the xx.xx.xx.77 machine.
THIS COULD BE NORMAL. If your network is set up such that you use a proxy server for your internet connection.. well.. then yes.. you've detected something normal. This kind of connection is generally only of concern when someone outside your network tries to connect to a proxy server inside it.
Correct your definition of HOME_NET to only include machines under your control, and exclude those owned by your ISP to prevent such false alarms. Or configure EXTERNAL_NET to be !$HOME_NET instead of any.
At 10:18 AM 6/12/2002 -1000, Jason Martin wrote:
Hello:

Configuration: Snort WIN32 1.8 port on a Win2k Pro. Running snort from the command line: Snort -dev -c snort.conf

Below is a snippet of my config file. I tried to set my variables so that only my PC would be considered "home" and snort would treat all other packets as being external. However, Snort is not logging IDS alerts except for activity from my machine (var HOME_NET). If I scan the Snort machine from a test machine it detects nothing. As soon as I scan the test machine with my Snort machine, Snort lights up. To alleviate this problem I placed my IP address in the preprocessor portscan-ignorehosts section; that didn't work either. It is still alarming off of traffic sent from my PC. I must have mis-configured something and was hoping someone could shed some light on the situation. I've also noticed that any trigger events that do happen to be logged all show traffic flow coming from my machine.

[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/10-11:40:24.538093 x.x.x.243:1282 -> x.x.x.77:1080
TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDA7C045C Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[Xref => http://help.undernet.org/proxyscan/]

The x.x.x.77 machine is the machine that was scanning me, but the traffic flow shows my machine responding to the proxy scan; it did not create an event showing a scan coming from the scanning machine. When I look at this, it makes me think I was scanning x.x.x.77. Or, am I just misunderstanding the log? Thanks in advance for any help.
~Jason

===========================
var HOME_NET x.x.x.243/32
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /rules
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $EXTERNAL_NET 2 1 portscan.log
preprocessor portscan-ignorehosts: $HOME_NET

Confidentiality Notice: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

_______________________________________________________________
Sponsored by: ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
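The HOME_NET/EXTERNAL_NET point Matt makes, as an added example that is not part of this thread: a small Python checker that parses an alert header in the format Jason pasted, labels the flow direction relative to HOME_NET, and evaluates whether the SOCKS-scan rule would match under EXTERNAL_NET any versus !$HOME_NET. It assumes the rule header is `alert tcp $EXTERNAL_NET any -> $HOME_NET 1080` (the usual form of that rule) and uses constructed addresses, with HOME_NET set to a whole /24 to reproduce the over-broad definition Matt suspects.

```python
import ipaddress
import re

# Constructed sample alert header in the Snort 1.x format quoted in the thread
# (addresses are made up, not the poster's x.x.x.243 / x.x.x.77).
SAMPLE_ALERT = "06/10-11:40:24.538093 10.0.0.243:1282 -> 10.0.0.77:1080 TCP TTL:128 TOS:0x0"
HEADER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")

def parse_alert(line):
    """Return (src_ip, src_port, dst_ip, dst_port). The arrow points from the host
    that sent the packet to the host that received it: left side = initiator."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("no 'src:port -> dst:port' header in line")
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def in_var(ip, var, home_net):
    """Evaluate a Snort address variable ('any', CIDR list, $HOME_NET, !$HOME_NET)."""
    if var == "any":
        return True
    negate = var.startswith("!")
    spec = var.lstrip("!")
    if spec == "$HOME_NET":
        spec = home_net
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(n, strict=False) for n in spec.split(","))
    return hit != negate  # negation flips the membership test

def flow_direction(line, home_net):
    """Label the flow relative to HOME_NET: inbound, outbound, internal or external."""
    src, _, dst, _ = parse_alert(line)
    src_home, dst_home = in_var(src, "$HOME_NET", home_net), in_var(dst, "$HOME_NET", home_net)
    return {(True, True): "internal", (False, True): "inbound",
            (True, False): "outbound", (False, False): "external"}[(src_home, dst_home)]

def socks_rule_fires(line, home_net, external_net):
    """Would the assumed header 'alert tcp $EXTERNAL_NET any -> $HOME_NET 1080' match?"""
    src, _, dst, dport = parse_alert(line)
    return (dport == 1080 and in_var(src, external_net, home_net)
            and in_var(dst, "$HOME_NET", home_net))

if __name__ == "__main__":
    # With an over-broad HOME_NET, 'any' flags internal-to-internal proxy traffic;
    # '!$HOME_NET' does not, while a true outside source still matches either way.
    for ext in ("any", "!$HOME_NET"):
        print(ext, flow_direction(SAMPLE_ALERT, "10.0.0.0/24"),
              socks_rule_fires(SAMPLE_ALERT, "10.0.0.0/24", ext))
```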
Current thread:
- Configuration HELP! Jason Martin (Jun 12)
- Re: Configuration HELP! (understanding alerts and proxies) matt (Jun 12)