Snort mailing list archives
RE: Help with a config file please?
From: snort () xiata com
Date: Fri, 4 Apr 2003 18:22:06 -0500 (EST)
Ok, here is the output of snort -v -W (this is exactly as it appears in the command prompt; I am not sure why interface 1 has 2 spaces before the \Device call and interface 2 only has 1 such space).

    C:\Snort\bin>snort -v -W
    -*> Snort! <*-
    Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)
    1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
    1.8-1.9 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

    Interface Device Description
    -------------------------------------------
    1  \Device\NPF_{08C75D44-F35D-4120-84F5-F594F8590373} (Intel(R) PRO Adapter)
    2 \Device\NPF_{E9AC5F02-E2A8-487B-B667-F79762A9DF92} (3Com EtherLink PCI)

Now, interface 1 is bound to IP address 1.2.3.190; that subnet has a mask of /28. Eventually I will care about the whole subnet because servers/services will go up on them, but right now the only active IP on that subnet is the snort device. I also care about 5.6.7.0/24 because in that subnet I have 3 IP addresses that are active (.155, .156 and .157). I will eventually narrow the scope of HOME_NET down to [1.2.3.190/28,5.6.7.155/32,5.6.7.156/32,5.6.7.157/32].

So that leaves interface 2 with just a connection to the hub. Interface 2 has no protocols bound to it, with the intent of having a port that just sits there and listens to traffic. When I run snort -v -i2 I see all sorts of stuff streaming in the window; it goes way too fast. (BTW, thanks for the info about snort following BPF like windump; I'll use that to narrow things down this weekend.)

This is all being fed from a connection to the internet via a Cisco Aironet wireless radio (our connection to the internet is wireless). The Ethernet port of that radio goes into a simple 5 port hub. Both of the snort device interfaces are connected to this hub, and so is the firewall that houses the servers that are running on 5.6.7.155/32, 5.6.7.156/32 and 5.6.7.157/32.

This will change this weekend when I put them on a Cisco switch, and I will be configuring the switch to span all ports that are active on the internet to the port that interface 2 is connected to.

Now, when I send a SYN scan from nmap on a foreign system (in other words, this is for one of our clients and I am running nmap from my office), I eventually registered 1 of the dozen or so scans I sent the way of the snort device. It caught nothing on the scans that I sent to 5.6.7.157. I will post any differences I might see when I move this to the switch.

Carlos
I guess I need to better understand the net config to which your interfaceless NIC is attached and the net config where the ACID console is attached. Are you switched? Have you used a tap? How exactly is it that Snort can see all of the traffic?

Your snort.conf specifies two net blocks as your HOME_NET (var HOME_NET [1.2.3.190/28,5.6.7.0/24]). Which net block is Snort listening on? Which net block contains the other IP devices you're trying to watch? You also stated "I am now able to see portscans going to the IP address of the snort device", but you also said that the second NIC in the Snort device is interface-less.

So what other details can you give us? It sounds like something in the net config is not matching up.

- Christopher

P.S. As an FYI, Snort understands BPF filters in the same way that WinDump does.
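An added example, not part of either message in this thread: it parses the two HOME_NET definitions quoted above (the broad one Christopher cites and the narrowed one Carlos plans) and reports which of the hosts mentioned each definition actually covers. The host list is constructed from the addresses in the thread; note that Snort masks off host bits, so 1.2.3.190/28 really means 1.2.3.176/28, which this check makes visible.

```python
import ipaddress

# Constructed from the two HOME_NET values quoted in this thread.
HOME_NET_BROAD = "[1.2.3.190/28,5.6.7.0/24]"
HOME_NET_NARROW = "[1.2.3.190/28,5.6.7.155/32,5.6.7.156/32,5.6.7.157/32]"


def parse_home_net(var_value):
    """Turn a Snort-style bracketed CIDR list into ip_network objects.

    strict=False mirrors Snort's behaviour of masking off the host bits,
    so "1.2.3.190/28" is normalised to 1.2.3.176/28.
    """
    body = var_value.strip().strip("[]")
    return [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in body.split(",") if tok.strip()]


def covered(var_value, hosts):
    """Map each host to the HOME_NET block that contains it, or None."""
    nets = parse_home_net(var_value)
    result = {}
    for h in hosts:
        addr = ipaddress.ip_address(h)
        result[h] = next((str(n) for n in nets if addr in n), None)
    return result


if __name__ == "__main__":
    # Constructed sample: the sensor, the three servers, one unrelated
    # host in 5.6.7.0/24 and one just outside the /28 boundary.
    hosts = ["1.2.3.190", "5.6.7.155", "5.6.7.156", "5.6.7.157",
             "5.6.7.200", "1.2.3.175"]
    for label, value in (("broad", HOME_NET_BROAD),
                         ("narrow", HOME_NET_NARROW)):
        print(f"HOME_NET ({label}) expands to:",
              [str(n) for n in parse_home_net(value)])
        for host, block in covered(value, hosts).items():
            status = f"in {block}" if block else "NOT in HOME_NET"
            print(f"  {host:<12} {status}")
```

Hosts reported as NOT in HOME_NET will not be treated as local by rules that key on $HOME_NET, which is one reason a scan against an uncovered address can go unnoticed.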
Current thread:
- Help with a config file please? snort (Apr 03)
- <Possible follow-ups>
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 08)