Snort mailing list archives
Re: Questions after 1.9.1 install
From: Chris Green <cmg () sourcefire com>
Date: Fri, 21 Mar 2003 09:56:28 -0500
John Sage <jsage () finchhaven com> writes:
Hello all. Long time no post.. Finally put 1.9.1 on after rebuilding my firewall to get into the 2.4.18 Linux kernel series, and have I got questions :-/
I'll assume these are questions :)
First of all, the tcpdump logfile is timestamped in UNIX time: 901956 Mar 12 20:31 snort.log.1047528578
Yes, that was changed if you are coming from 1.8.x
Second, this rule is firing:

alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound \
from range 1025-4320";)

but this one isn't:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 \
Win2k SMB";)

even though I would think that the RTN list would check a specific port before a port list..
Not necessarily. It's rule ordering. Put the 445 one first in your config file and see what happens.
Here's the alert itself:

[**] [1:0:0] TCP inbound from range 1025-4320 [**]
[Priority: 0]
03/13/03-20:24:48.401161 209.181.67.217:3195 -> 12.82.133.46:445
<snip>

And thirdly, I'm getting masses of these sorts of things:

[**] [117:1:1] (spp_portscan2) Portscan detected from 12.82.133.46: 6 targets 6 ports in 5 seconds [**]
03/13/03-20:09:52.818983 12.82.133.46:1034 -> 198.133.199.110:53
Portscan2 has a few config options but I forget what they are.. Perhaps someone else can answer that.

--
Chris Green <cmg () sourcefire com>
"Not everyone holds these truths to be self-evident, so we've worked up a proof of them as Appendix A." -- Paul Prescod
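The reply above attributes the missing 445 alert to rule ordering rather than to port specificity. The following is an added illustration, not code from the thread or from Snort: a toy first-match evaluator that parses the two rules exactly as posted and runs the packet from the posted alert through them in both orders. $HOME_NET is assumed to be the /24 containing 12.82.133.46; the rule grammar handled is only the header plus the msg option. It models the "first listed rule wins" behaviour the reply describes, not Snort's internal RTN/OTN matching.

```python
"""Toy first-match rule evaluator (added illustration, not Snort's engine).

Shows that both posted rules match the posted packet, so with first-match
alerting the rule listed first in the config is the one that fires.
"""
import re
from dataclasses import dataclass

# Assumption: the home network is the /24 around the address in the alert.
HOME_NET_PREFIX = "12.82.133."

# Minimal rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert)\s+(?P<proto>tcp)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def port_matches(spec, port):
    """'any', a single port, or an inclusive 'lo:hi' range, as in Snort rules."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def net_matches(var, addr):
    """Resolve the two variables used in the posted rules against an address."""
    if var == "$HOME_NET":
        return addr.startswith(HOME_NET_PREFIX)
    if var == "$EXTERNAL_NET":
        return not addr.startswith(HOME_NET_PREFIX)
    return var == "any" or addr == var


def parse_rule(text):
    """Join backslash continuations, collapse whitespace, pull out header and msg."""
    flat = " ".join(text.replace("\\\n", " ").split())
    m = RULE_RE.match(flat)
    if not m:
        raise ValueError("unparsed rule: " + flat)
    msg = re.search(r'msg:"([^"]*)"', m.group("opts"))
    return {**m.groupdict(), "msg": msg.group(1) if msg else ""}


def rule_matches(rule, pkt):
    return (rule["proto"] == pkt.proto
            and net_matches(rule["src"], pkt.src) and port_matches(rule["sport"], pkt.sport)
            and net_matches(rule["dst"], pkt.dst) and port_matches(rule["dport"], pkt.dport))


def matching_rules(rules, pkt):
    """Every rule that matches, in config order."""
    return [r["msg"] for r in rules if rule_matches(r, pkt)]


def first_match(rules, pkt):
    """First-match alerting: only the first matching rule in config order fires."""
    hits = matching_rules(rules, pkt)
    return hits[0] if hits else None


# The two rules as posted, in the order the poster had them (continuations kept).
POSTED_RULE_TEXT = [
    'alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound \\\nfrom range 1025-4320";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 \\\nWin2k SMB";)',
]
POSTED_RULES = [parse_rule(t) for t in POSTED_RULE_TEXT]

# The packet from the posted alert line.
POSTED_PACKET = Packet("tcp", "209.181.67.217", 3195, "12.82.133.46", 445)

if __name__ == "__main__":
    print("matches in config order:", matching_rules(POSTED_RULES, POSTED_PACKET))
    print("fires as posted:       ", first_match(POSTED_RULES, POSTED_PACKET))
    print("fires with 445 first:  ", first_match(list(reversed(POSTED_RULES)), POSTED_PACKET))
```

Running it shows both rules match the 209.181.67.217:3195 -> 12.82.133.46:445 packet; with the range rule listed first it is the one that fires, and swapping the two rules makes the 445 rule fire instead, which is the experiment the reply suggests.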
Current thread:
- Questions after 1.9.1 install John Sage (Mar 14)
- Re: Questions after 1.9.1 install Alberto Gonzalez (Mar 14)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Alberto Gonzalez (Mar 15)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Erek Adams (Mar 15)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Erek Adams (Mar 15)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Chris Green (Mar 21)
- Re: Questions after 1.9.1 install Alberto Gonzalez (Mar 14)