Snort mailing list archives
RE: Help with a config file please?
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Fri, 4 Apr 2003 19:40:40 -0500
Carlos,

Let me try to translate my interpretation of your net config: You want to place the NIDS between the Internet connection and the firewall. Yes? If so, then if you really desire a stealth NIDS, then interface 1 (I1) shouldn't be plugged into the promiscuous hub. I1 should be "dropped" into your LAN, behind the firewall. A minor point, but one to remember down the road.

Actually, something just rang a bell as I'm writing this. I have two Sensors: one WinNT4 w/ Snort 1.9.0 and WinPCap 2.2, and one Win2K w/ Snort 1.8.7 and WinPCap 2.3. Originally, both sensors were Snort 1.8.7, but when I attempted to upgrade the Win2K sensor to 1.9.0, I couldn't get 1.9.0 to alert on any traffic. [kick, kick, kick...] Check out this post: http://marc.theaimsgroup.com/?l=snort-users&m=104731745710804&w=2 I never got an answer to my problem, hence the Win2K sensor is still at 1.8.7. Maybe you're a victim too...

Let us know what happens when you drop the switch in place.

- Christopher

-----Original Message-----
From: snort () xiata com [mailto:snort () xiata com]
Sent: Friday, April 04, 2003 6:22 PM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Help with a config file please?

Ok, here is the output of snort -v -W (this is exactly as it appears in the command prompt - I am not sure why interface 1 has 2 spaces before the \Device call and interface 2 only has 1 such space).

C:\Snort\bin>snort -v -W

   -*> Snort! <*-
Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8-1.9 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

Interface    Device    Description
-------------------------------------------
1  \Device\NPF_{08C75D44-F35D-4120-84F5-F594F8590373} (Intel(R) PRO Adapter)
2 \Device\NPF_{E9AC5F02-E2A8-487B-B667-F79762A9DF92} (3Com EtherLink PCI)

Now - Interface 1 is bound to IP address 1.2.3.190; that subnet has a mask of /28. Eventually I will care about the whole subnet because servers/services will go up on them, but right now the only active IP on that subnet is the snort device. Now I also care about 5.6.7.0/24 because in that subnet I have 3 IP addresses that are active (.155, .156 and .157). I will eventually narrow the scope of HOME_NET down to [1.2.3.190/28,5.6.7.155/32,5.6.7.156/32,5.6.7.157/32].

So that leaves interface 2 with just a connection to the hub. Interface 2 has no protocols bound to it, with the intent of having a port that just sits there and listens to traffic. When I run snort -v -i2 I see all sorts of stuff streaming in the window - it goes way too fast (BTW thanks for the info about snort following BPF like windump; I'll use that to narrow things down this weekend.). This is all being fed from a connection to the internet via a Cisco Aironet wireless radio (our connection to the internet is wireless). The Ethernet port of that radio goes into a simple 5 port hub. Both of the snort device interfaces are connected to this hub and so is the firewall that houses the servers that are running on 5.6.7.155/32, 5.6.7.156/32, 5.6.7.157/32. This will change this weekend when I put them on a Cisco switch, and I will be configuring the switch to span all ports that are active on the internet to the port that interface 2 is connected to.

Now when I send a Syn scan from nmap on a foreign system (in other words, this is for one of our clients and I am running nmap from my office) I eventually registered 1 of the dozen or so scans I sent the way of the snort device. It caught nothing on the scans that I sent to 5.6.7.157. I will post any differences I might see when I move this to the switch.

Carlos

I guess I need to better understand the net config to which your interfaceless NIC is attached and the net config where the ACID console is attached. Are you switched? Have you used a tap? How exactly is it that Snort can see all of the traffic? Your snort.conf specifies two net blocks as your HOME_NET (var HOME_NET [1.2.3.190/28,5.6.7.0/24]). Which net block is Snort listening on? Which net block contains the other IP devices you're trying to watch? You also stated "I am now able to see portscans going to the IP address of the snort device", but you also said that the second NIC in the Snort device is interface-less. So what other details can you give us? It sounds like something in the net config is not matching up.

- Christopher

P.S. As an FYI, Snort understands BPF filters in the same way that WinDump does.
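Carlos's plan above, to narrow HOME_NET to a bracketed list and use a BPF filter on interface 2, as an added example that is not from the thread: it parses that snort.conf line into networks, derives the matching BPF expression, and checks which addresses fall inside HOME_NET. It assumes, as libpcap's "net" primitive does, that the host bits in 1.2.3.190/28 are masked off, so that block is treated as 1.2.3.176/28.

```python
"""Added example (not from the thread): turn a Snort 1.x-style
    var HOME_NET [1.2.3.190/28,5.6.7.155/32,5.6.7.156/32,5.6.7.157/32]
line into networks, build the equivalent BPF filter for `snort -i2 <filter>`,
and test whether a given address is inside HOME_NET.
Assumption: host bits set in a CIDR (1.2.3.190/28) are masked to the
network (1.2.3.176/28), as libpcap's 'net' primitive does."""
import ipaddress
import re


def parse_home_net(line):
    """Return the IPv4 networks named in a 'var HOME_NET ...' line.
    Accepts a single CIDR/host or a bracketed comma-separated list."""
    m = re.match(r'\s*var\s+HOME_NET\s+(\S+)', line)
    if not m:
        raise ValueError("not a HOME_NET definition: %r" % line)
    spec = m.group(1).strip('[]')
    nets = []
    for item in spec.split(','):
        item = item.strip()
        if item:
            # strict=False masks host bits: 1.2.3.190/28 -> 1.2.3.176/28
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def bpf_filter(nets):
    """BPF expression matching traffic to or from any HOME_NET block;
    /32 entries become 'host', wider blocks become 'net'."""
    terms = []
    for n in nets:
        if n.prefixlen == 32:
            terms.append("host %s" % n.network_address)
        else:
            terms.append("net %s/%d" % (n.network_address, n.prefixlen))
    return " or ".join(terms)


def in_home_net(addr, nets):
    """True if addr lies inside any of the parsed HOME_NET blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    # Constructed sample: Carlos's narrowed HOME_NET from the thread.
    line = "var HOME_NET [1.2.3.190/28,5.6.7.155/32,5.6.7.156/32,5.6.7.157/32]"
    nets = parse_home_net(line)
    print("snort -v -i2", bpf_filter(nets))
    for a in ("1.2.3.190", "1.2.3.177", "5.6.7.157", "5.6.7.158"):
        print(a, "in HOME_NET:", in_home_net(a, nets))
```

Note that 5.6.7.158 is inside the earlier 5.6.7.0/24 definition but outside the narrowed list, which is exactly the traffic the tighter HOME_NET and filter drop from view.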