Snort mailing list archives

RE: (no subject)

From: "Kaplan, Andrew H." <AHKAPLAN () PARTNERS ORG>
Date: Wed, 5 Nov 2003 13:02:32 -0500

Hi J.

Regarding you question about the snort sensor, currently I have only one sensor
and that
is the actual Snort server itself monitoring traffic. I approached the webmaster
about
possibly installing the program on the webserver, but he wanted to adopt a wait
and see
attitude before having the program installed. 

I went ahead with re-ordering the Pass and Alert Rules sections of the
policy-based file
to experiment. Snort appears to be working well with the new order. As a further
test, I
configured all internal network traffic under the Pass rules, and commented out
the Alert
rules. The only alerts I am seeing are from machines on the internal network. 

-----Original Message-----
From: J. [mailto:jeruvy () shaw ca]
Sent: Tuesday, November 04, 2003 9:34 AM
To: Kaplan, Andrew H.
Subject: RE: [Snort-users] (no subject)


Your welcome.  Responses if any inline...

-----Original Message-----
From: Kaplan, Andrew H. [mailto:AHKAPLAN () PARTNERS ORG]
Sent: Wednesday, November 05, 2003 6:30 AM
To: 'J.'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] (no subject)

J.

Thanks for your reply. As to the policy-based.rules file, mine is
based on the
template found in the
Snort 2.0 Intrusion Detection book. The approach it uses has the
alert lines at


May I recommend "Network Intrution Detection: AN Analysts Handbook" this is
a great 'why should I get snort to do this' material....where your book is a
great 'how to setup and get running'.

the beginning part of
the file, with the pass rules following. According to the book, it is
appropriate to have the alerts
first, with the pass rules second. However, I will try your
approach, and place
the pass rules before
the alerts and see where that gets me.


Yes there is even a facility within snort to change the 'order' your rules
are used, so you don't have to change your rules definitions.  Again snort
doesn't like changes to the rules, so its better to use this method than the
one you suggest.  This way rule updates also don't 'change' the method of
order accidently.

The server in question is "outside" the firewall such that
traffic going to its
port, 80, goes through
a "hole" in the wall. There are switches interposed between the
server and the
router. I can contact our
network security team to get more information.


Great place to watch snort, and to deal with huge amounts of traffic.  I use
3 sensors, 2 inside subnets for monitoring traffic within, and one outside
like yours watching external port allowed traffic only.

Now do I understand you have a snort sensor on your web server?  Keep in
mind your hardware is going to be needed to be monitored to ensure you don't
run out of steam on that box.  Keep in mind snort generally cannot see
across ports on a switch, so if you have two servers for instance a mail and
a web you would probably need two sensors to see both sets of traffic.

In response to your inquiry, I am using the book that I mentioned earlier.
However, I am also planning on
purchasing an additional book. My experience with this one has
been mixed. I
have tried to use it as much
as possible, but I have already contacted the publisher about one
mistake that I
discovered. If the rules
file approach you suggested does work, I shall be contacting the publisher
again. I am hoping to get ano-
ther book and be able to RTFM.


Yes there are better books out there than that one, but its still good get
up and running material.
There is many suggestions, I would recommend doing a search on amazon.com
(even if you buy elsewhere) to find some books.  Also the faq/archives
suggest some great books also.

Thanks again for you suggestions, and I will keep you up to date.


Happy snorting!

J.

-----Original Message-----
From: J. [mailto:jeruvy () shaw ca]
Sent: Tuesday, November 04, 2003 9:24 AM
To: Kaplan, Andrew H.
Subject: RE: [Snort-users] (no subject)

Are you sure your rule order is the way you want it?

Most pass rules by default are looked at last, hence you would be seeing
this behaviour.

As for not seeing alerts from the internet, I'd say good great, but I
realize you may want to look at this traffic....so what hardware are you
using for your WAN access?

(I also hate to say this, but have you actually read the documentation?
These issues have been discussed and hashed so many times over the years I
am so bored with discussing them.  As well there are some great
books on the
subject...)

Note hubs work, switches don't for a rule of thumb.  There are other
solutions but RTFM.

J.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Kaplan,
Andrew H.
Sent: Tuesday, November 04, 2003 6:10 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] (no subject)

When writing the policy-based.rules file I had as my first lines
several lines
that read as follows:

alert ip any any -> [any,10.10.0.0/24] any
alert tcp any any -> [any,10.10.0.0/24] any
alert udp any any -> [any,10.10.0.0/24] any

While these lines were uncommented, I would get an enormous
amount of alerts
from the 10.10.0.0 subnet even though subsequent pass rules told
snort to let
pass any and all ip, tcp, and udp traffic on any port. Once I
commented out the
lines, the alerts dropped down to 0.

Do I need any alert rules at the beginning of the
policy-based.rules file to
specify what subnets, in this case any subnet excluding the
10.10.0.0 subnet,
snort should alert me on? If so, what is the correct syntax?

I did include the -o option in the command syntax. FYI syntax

as follows:

    /usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -o

The location of the policy-based.rules file is /etc/snort

Also, I do not seem to be getting any alerts from traffic coming
in from the
Internet. Is that normal?


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

(no subject) Kristian Schling (Oct 08)
- Re: (no subject) Ralf Spenneberg (Oct 09)
- <Possible follow-ups>
- (no subject) Dave . Hartley (Oct 15)
- (no subject) Cluett, Russell (Oct 22)
- (no subject) Bob Apthorpe (Oct 28)
- (no subject) Kaplan, Andrew H. (Nov 04)
  - Re: (no subject) Olaf Schreck (Nov 04)
- RE: (no subject) Kaplan, Andrew H. (Nov 05)
- RE: (no subject) Kaplan, Andrew H. (Nov 05)
- (no subject) CGhercoias (Dec 01)
  - Message not available
    - Re: (no subject) Matt Kettler (Dec 01)
  - Re: (no subject) Jim Brown (Dec 01)
- (no subject) wfz (Dec 05)
- (no subject) Andrew Sergeyev (Dec 12)
- (no subject) Russell Fulton (Dec 12)
- (no subject) JP Vossen (Dec 19)
- (no subject) Kumar, Manoj (Dec 22)