Snort mailing list archives

RE: Help with a config file please?


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Fri, 4 Apr 2003 19:40:40 -0500

Carlos, 

Let me try to translate my interpretation of your net config:  You want to
place the NIDS between the Internet connection and the firewall.  Yes?  If
so, then if you really desire a stealth NIDS, then the interface 1 (I1)
shouldn't be plugged into the promiscuous hub.  I1 should be "dropped" into
your LAN, behind the firewall.  A minor point, but one to remember down the
road.  

Actually, something just rang a bell as I'm writing this.  I have two
Sensors: one WinNT4 w/ Snort 1.9.0 and WinPCap 2.2, and one Win2K w/ Snort
1.8.7 and WinPCap 2.3.  Originally, both sensors were Snort 1.8.7, but when
I attempted to upgrade the Win2K sensor to 1.9.0, I couldn't get 1.9.0 to
alert to any traffic.  [kick, kick, kick...]  Check out this post:  

    http://marc.theaimsgroup.com/?l=snort-users&m=104731745710804&w=2

I never got an answer to my problem, hence the Win2K sensor is still at
1.8.7.  Maybe you're a victim too...  

Let us know what happens when you drop the switch in place.  

- Christopher 


-----Original Message-----
From: snort () xiata com [mailto:snort () xiata com]
Sent: Friday, April 04, 2003 6:22 PM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Help with a config file please?


Ok here is the output of snort -v -W (this is exactly as it appears in the
command prompt - I am not sure why interface 1 has 2 spaces before the
\Device call and interface 2 only has 1 such space).

C:\Snort\bin>snort -v -W

-*> Snort! <*-
Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike)
1.8-1.9 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

Interface       Device          Description
-------------------------------------------
1  \Device\NPF_{08C75D44-F35D-4120-84F5-F594F8590373} (Intel(R) PRO Adapter)
2 \Device\NPF_{E9AC5F02-E2A8-487B-B667-F79762A9DF92} (3Com EtherLink PCI)


Now, Interface 1 is bound to IP address 1.2.3.190; that subnet has a mask
of /28. Eventually I will care about the whole subnet because
servers/services will go up on them, but right now the only active IP on
that subnet is the Snort device. Now I also care about 5.6.7.0/24 because
in that subnet I have 3 IP addresses that are active (.155, .156 and
.157). I will eventually narrow the scope of HOME_NET down to
[1.2.3.190/28,5.6.7.155/32,5.6.7.156/32,5.6.7.157/32].
So that leaves interface 2 with just a connection to the hub. Interface 2
has no protocols bound to it, with the intent of having a port that just
sits there and listens to traffic. When I run snort -v -i2 I see all sorts
of stuff streaming in the window - it goes way too fast (BTW thanks for
the info about Snort following BPF like WinDump; I'll use that to narrow
things down this weekend).

This is all being fed from a connection to the internet via a Cisco
Aironet wireless radio (our connection to the internet is wireless). The
Ethernet port of that radio goes into a simple 5 port hub. Both of the
snort device interfaces are connected to this hub and so is the firewall
that houses the servers that are running on
5.6.7.155/32,5.6.7.156/32,5.6.7.157/32. This will change this weekend when
I put them on a Cisco switch and I will be configuring the switch to span
all ports that are active on the internet to the port that interface 2 is
connected to.

Now when I send a SYN scan from nmap on a foreign system (in other words,
this is for one of our clients and I am running nmap from my office) I
eventually registered 1 of the dozen or so scans I sent the way of the
Snort device. It caught nothing on the scans that I sent to 5.6.7.157.

I will post any differences I might see when I move this to the switch.


Carlos

I guess I need to better understand the net config to which your
interfaceless NIC is attached and the net config where the ACID console is
attached.  Are you switched?  Have you used a tap?  How exactly is it that
Snort can see all of the traffic?

Your snort.conf specifies two net blocks as your HOME_NET (var HOME_NET
[1.2.3.190/28,5.6.7.0/24]).  Which net block is Snort listening on?  Which
net block contains the other IP devices you're trying to watch?

You also stated "I am now able to see portscans going to the IP address of
the snort device", but you also said that the second NIC in the Snort
device is interface-less.

So what other details can you give us?  It sounds like something in the
net config is not matching up.


- Christopher

P.S. As an FYI, Snort understands BPF filters in the same way that WinDump
does.
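The HOME_NET narrowing Carlos describes above and the BPF filtering mentioned in Christopher's P.S., worked through as an added Python example that is not part of the thread: it parses Snort's bracketed HOME_NET list, shows what the block written as 1.2.3.190/28 actually covers, decides which of a few constructed source/destination pairs touch HOME_NET, and builds the equivalent BPF expression (the syntax WinDump and tcpdump share). The address pairs, the external addresses and the helper names are my own assumptions, not anything from the list posts.

```python
"""Added example (not from the thread): expand a Snort HOME_NET list,
check addresses against it, and emit the matching BPF capture filter."""
import ipaddress

# Constructed: the narrowed HOME_NET value Carlos says he will move to,
# in Snort's bracketed, comma-separated notation.
NARROW_HOME_NET = "[1.2.3.190/28,5.6.7.155/32,5.6.7.156/32,5.6.7.157/32]"
# Constructed: the broader value from his current snort.conf.
BROAD_HOME_NET = "[1.2.3.190/28,5.6.7.0/24]"

# Constructed (src, dst) pairs standing in for packets seen on the hub.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges (RFC 5737).
SAMPLE_PACKETS = [
    ("198.51.100.10", "5.6.7.157"),   # scan toward a watched server
    ("198.51.100.10", "5.6.7.20"),    # scan toward an unwatched host in the /24
    ("1.2.3.190", "198.51.100.10"),   # the sensor's own management traffic
    ("203.0.113.5", "203.0.113.9"),   # unrelated chatter on the hub
]


def parse_home_net(value):
    """Turn '[a/len,b/len,...]' into a list of ip_network objects.

    The thread writes the /28 as 1.2.3.190/28, i.e. with host bits set.
    strict=False masks that down to the network address 1.2.3.176/28,
    which is what address membership tests need.
    """
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    nets = []
    for item in inner.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def in_home_net(addr, nets):
    """True if addr falls inside any HOME_NET block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def select_packets(packets, nets):
    """Keep only pairs where the source or destination is in HOME_NET."""
    return [p for p in packets
            if in_home_net(p[0], nets) or in_home_net(p[1], nets)]


def to_bpf(nets):
    """Build a BPF expression matching any packet to or from HOME_NET.

    A /32 becomes 'host x'; anything wider becomes 'net x/len'. The same
    string can be handed to WinDump or tcpdump to confirm what the
    sensor interface is really seeing.
    """
    terms = []
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            terms.append(f"host {n.network_address}")
        else:
            terms.append(f"net {n.network_address}/{n.prefixlen}")
    return " or ".join(terms)


if __name__ == "__main__":
    narrow = parse_home_net(NARROW_HOME_NET)
    broad = parse_home_net(BROAD_HOME_NET)
    print("narrowed blocks:", [str(n) for n in narrow])
    print("BPF:", to_bpf(narrow))
    print("kept with broad HOME_NET:", len(select_packets(SAMPLE_PACKETS, broad)))
    print("kept with narrow HOME_NET:", len(select_packets(SAMPLE_PACKETS, narrow)))
```

Running it shows the point of the narrowing: with the /24 in HOME_NET the scan toward 5.6.7.20 counts as traffic to a protected host, while with the four-entry list only the three real servers and the sensor's own /28 do, and the printed BPF string is the filter to give WinDump when checking whether interface 2 sees those packets at all.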
