RE: Snort Config W2K

[Steven Williams <Steven.Williams () computershare com au>]

Hi Michael,

 

Love the site and forum, keep up the good work. 

 

Here is my config;

 

preprocessor frag2

preprocessor stream4: detect_scans, disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace

preprocessor rpc_decode: 111 32771

preprocessor bo: -nobrute

preprocessor telnet_decode

preprocessor asn1_decode

preprocessor conversation: allowed_ip_protocols all, timeout 60,
max_conversations 32000

preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 3,
port_limit 5, timeout 120

output database: log, mysql, user=XXXX dbname=XXXX host=XXXXX
sensor_name=XXXXXX

output alert_syslog: LOG_AUTH LOG_ALERT 

 

I am running this as a service using Firedaemon, the command line executed
is d:\snort\snort.exe -c d:\snort\snort.conf -l d:\snort\logs -i1

 

Should I add the comments to the preprocessor portscan line, and will this
then log portscans into the Mysql database?

 

I know the portscans are being detected because it fills my W2K Event Logs
full of notifications.

 

Thanks in advance

 

Steve

 

 

Steve Williams

Communications Support Engineer

Computershare Technology Services

Melbourne Australia

steven.williams () computershare com au
<mailto:steven.williams () computershare com au> 

+61 3 9235 5651

 

www.computershare.com <http://www.computershare.com> 

 

 

 

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com] 
Sent: Monday, June 02, 2003 2:15 PM
To: 'Steven Williams'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Config W2K

 

Steven,

 

Have you got this line in your snort.conf?

 

preprocessor portscan: $HOME_NET 4 3 d:/IDS/Snort/log/portscan.log

 

Make sure the path exists

 

What is your run line?

 

Are you running it with the '-A fast' ?

 

Have you tried running a vulnerability scanner on your network?

 

Have you got any data in the portscan.log file?

Cheers...

-Michael Steele
--
 System Engineer / Security Support Technician    
 mailto:michaels () winsnort com <mailto:michaels () winsnort com>    
 Website: http://www.winsnort.com <http://www.winsnort.com> 
 Snort: Open Source Network IDS - http://www.snort.org
<http://www.snort.org> 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Steven
Williams
Sent: Sunday, June 01, 2003 8:04 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Config W2K

 

Hi,

 

I have Snort 2.0 running on W2K and works great.

 

However, any portscans detected and logged into the event log and not the
MySQL database. All the other alerts log into Mysql fine.

 

What am I doing wrong?

 

Thanks

 

Steve

 

Steve Williams

Communications Support Engineer

Computershare Technology Services

Melbourne Australia

 <mailto:steven.williams () computershare com au>
steven.williams () computershare com au

+61 3 9235 5651

 

 <http://www.computershare.com> www.computershare.com

 

 

 

 



---
This email and any files transmitted with it are solely intended for the use
of the addressee(s) and may contain information that is confidential and
privileged. If you receive this email in error, please advise us by return
email immediately. Please also disregard the contents of the email, delete
it and destroy any copies immediately.
Computershare Limited and its subsidiaries do not accept liability for the
views expressed in the email or for the consequences of any computer viruses
that may be transmitted with this email.
This email is also subject to copyright. No part of it should be reproduced,
adapted or transmitted without the written consent of the copyright owner.



---
This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain 
information that is confidential and privileged.  If you receive this email in error, please advise us by return email 
immediately.  Please also disregard the contents of the email, delete it and destroy any copies immediately.
Computershare Limited and its subsidiaries do not accept liability for the views expressed in the email or for the 
consequences of any computer viruses that may be transmitted with this email.
This email is also subject to copyright.  No part of it should be reproduced, adapted or transmitted without the 
written consent of the copyright owner.