Snort mailing list archives
RE: Snort Config W2K
From: Steven Williams <Steven.Williams () computershare com au>
Date: Mon, 2 Jun 2003 16:48:41 +1000
Hi Michael,

Love the site and forum, keep up the good work. Here is my config:

    preprocessor frag2
    preprocessor stream4: detect_scans, disable_evasion_alerts
    preprocessor stream4_reassemble
    preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
    preprocessor rpc_decode: 111 32771
    preprocessor bo: -nobrute
    preprocessor telnet_decode
    preprocessor asn1_decode
    preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
    preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 3, port_limit 5, timeout 120
    output database: log, mysql, user=XXXX dbname=XXXX host=XXXXX sensor_name=XXXXXX
    output alert_syslog: LOG_AUTH LOG_ALERT

I am running this as a service using Firedaemon; the command line executed is:

    d:\snort\snort.exe -c d:\snort\snort.conf -l d:\snort\logs -i1

Should I add the comments to the preprocessor portscan line, and will this then log portscans into the MySQL database? I know the portscans are being detected because it fills my W2K Event Logs full of notifications.

Thanks in advance
Steve

Steve Williams
Communications Support Engineer
Computershare Technology Services
Melbourne Australia
steven.williams () computershare com au <mailto:steven.williams () computershare com au>
+61 3 9235 5651
www.computershare.com <http://www.computershare.com>

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Monday, June 02, 2003 2:15 PM
To: 'Steven Williams'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Config W2K

Steven,

Have you got this line in your snort.conf?

    preprocessor portscan: $HOME_NET 4 3 d:/IDS/Snort/log/portscan.log

Make sure the path exists.

What is your run line? Are you running it with the '-A fast'?

Have you tried running a vulnerability scanner on your network?

Have you got any data in the portscan.log file?

Cheers...

-Michael Steele
--
System Engineer / Security Support Technician
mailto:michaels () winsnort com <mailto:michaels () winsnort com>
Website: http://www.winsnort.com <http://www.winsnort.com>
Snort: Open Source Network IDS - http://www.snort.org <http://www.snort.org>

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Steven Williams
Sent: Sunday, June 01, 2003 8:04 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Config W2K

Hi,

I have Snort 2.0 running on W2K and it works great. However, any portscans detected are logged into the event log and not the MySQL database. All the other alerts log into MySQL fine. What am I doing wrong?

Thanks
Steve

Steve Williams
Communications Support Engineer
Computershare Technology Services
Melbourne Australia
<mailto:steven.williams () computershare com au> steven.williams () computershare com au
+61 3 9235 5651
<http://www.computershare.com> www.computershare.com

---
This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately. Computershare Limited and its subsidiaries do not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email. This email is also subject to copyright. No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.
---
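Michael's question about the '-A fast' run line is really a question about where the portscan2 events are going. The following is an added example, not code from the thread or from the Snort project: a small parser for Snort's fast-format alert lines that separates rule alerts (generator id 1) from preprocessor events and tallies portscan sources, so a sensor operator can confirm that portscan2 is actually emitting events before worrying about the database. The line layout matched by the regular expression, the generator id 117 used for spp_portscan2, and all sample lines are assumptions constructed for this example; confirm the generator id against the gen-msg.map shipped with your Snort release.

```python
import re
from collections import Counter

# Assumed "-A fast" alert line layout (not quoted from the thread):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] {PROTO} src:sport -> dst:dport
# Some builds emit [Classification: ...] [Priority: n] between the message
# and the protocol; both are treated as optional and skipped.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*\d+\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Generator id assumed for spp_portscan2 in Snort 2.0; rules use gid 1.
# Verify against gen-msg.map for the release actually deployed.
PORTSCAN2_GID = 117

# Constructed sample alert file (documentation address ranges, made-up SIDs).
SAMPLE_ALERTS = """\
06/02-16:48:41.123456  [**] [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.10: 1 targets 6 ports in 2 seconds [**] {TCP} 192.0.2.10:41234 -> 198.51.100.20:23
06/02-16:48:42.000001  [**] [1:1000001:1] CONSTRUCTED sample rule alert [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41235 -> 198.51.100.20:80
06/02-16:48:45.500000  [**] [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.11: 2 targets 12 ports in 5 seconds [**] {TCP} 192.0.2.11:51000 -> 198.51.100.21:22
06/02-16:48:46.250000  [**] [1:1000002:1] CONSTRUCTED ICMP sample [**] {ICMP} 192.0.2.12 -> 198.51.100.20
this line is not an alert
"""


def parse_fast_alert(line):
    """Parse one fast-format alert line into a dict, or return None if it
    does not match the assumed layout. Ports are None for port-less protocols."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev"):
        d[key] = int(d[key])
    for key in ("sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def summarize(lines, portscan_gid=PORTSCAN2_GID):
    """Count rule alerts vs preprocessor events and tally portscan sources.

    A non-zero portscan count here means the preprocessor is reaching the
    alert facility; if the database still shows nothing, the problem is in
    the output plugin configuration rather than in detection."""
    rule_alerts = 0
    preproc_alerts = 0
    unparsed = 0
    scanners = Counter()
    for line in lines:
        if not line.strip():
            continue  # ignore blank lines
        alert = parse_fast_alert(line)
        if alert is None:
            unparsed += 1  # keep a count so a format mismatch is visible
            continue
        if alert["gid"] == 1:
            rule_alerts += 1
        else:
            preproc_alerts += 1
            if alert["gid"] == portscan_gid:
                scanners[alert["src"]] += 1
    return {
        "rule_alerts": rule_alerts,
        "preproc_alerts": preproc_alerts,
        "unparsed": unparsed,
        "portscan_sources": dict(scanners),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS.splitlines())
    print("rule alerts:        ", report["rule_alerts"])
    print("preprocessor alerts:", report["preproc_alerts"])
    print("unparsed lines:     ", report["unparsed"])
    for src, n in sorted(report["portscan_sources"].items()):
        print(f"portscan source {src}: {n} event(s)")
```

Run it against a real alert file with `summarize(open("alert.ids").read().splitlines())`; a large `unparsed` count is the signal that the assumed line layout does not match the Snort build in use and the regular expression needs adjusting before the other numbers are trusted.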
Current thread:
- Snort Config W2K Steven Williams (Jun 01)
- RE: Snort Config W2K Michael Steele (Jun 01)
- <Possible follow-ups>
- RE: Snort Config W2K Steven Williams (Jun 02)
- RE: Snort Config W2K Michael Steele (Jun 02)
- RE: Snort Config W2K L. Christopher Luther (Jun 02)