Snort mailing list archives
RE: (no subject)
From: "Kaplan, Andrew H." <AHKAPLAN () PARTNERS ORG>
Date: Wed, 5 Nov 2003 13:02:32 -0500
Hi J. Regarding your question about the snort sensor, currently I have only one sensor and that is the actual Snort server itself monitoring traffic. I approached the webmaster about possibly installing the program on the webserver, but he wanted to adopt a wait and see attitude before having the program installed. I went ahead with re-ordering the Pass and Alert Rules sections of the policy-based file to experiment. Snort appears to be working well with the new order. As a further test, I configured all internal network traffic under the Pass rules, and commented out the Alert rules. The only alerts I am seeing are from machines on the internal network.

-----Original Message-----
From: J. [mailto:jeruvy () shaw ca]
Sent: Tuesday, November 04, 2003 9:34 AM
To: Kaplan, Andrew H.
Subject: RE: [Snort-users] (no subject)

You're welcome. Responses if any inline...

-----Original Message-----
From: Kaplan, Andrew H. [mailto:AHKAPLAN () PARTNERS ORG]
Sent: Wednesday, November 05, 2003 6:30 AM
To: 'J.'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] (no subject)

> J. Thanks for your reply. As to the policy-based.rules file, mine is based on the template found in the Snort 2.0 Intrusion Detection book. The approach it uses has the alert lines at the beginning part of the file, with the pass rules following.

May I recommend "Network Intrusion Detection: An Analyst's Handbook"; this is great 'why should I get snort to do this' material, where your book is a great 'how to set up and get running'.

> According to the book, it is appropriate to have the alerts first, with the pass rules second. However, I will try your approach, and place the pass rules before the alerts and see where that gets me.

Yes, there is even a facility within snort to change the 'order' your rules are used, so you don't have to change your rules definitions. Again, snort doesn't like changes to the rules, so it's better to use this method than the one you suggest. This way rule updates also don't 'change' the method of order accidentally.

> The server in question is "outside" the firewall such that traffic going to its port, 80, goes through a "hole" in the wall. There are switches interposed between the server and the router. I can contact our network security team to get more information.

Great place to watch snort, and to deal with huge amounts of traffic. I use 3 sensors: 2 inside subnets for monitoring traffic within, and one outside like yours watching external port-allowed traffic only. Now, do I understand you have a snort sensor on your web server? Keep in mind your hardware is going to need to be monitored to ensure you don't run out of steam on that box. Keep in mind snort generally cannot see across ports on a switch, so if you have two servers, for instance a mail and a web, you would probably need two sensors to see both sets of traffic.

> In response to your inquiry, I am using the book that I mentioned earlier. However, I am also planning on purchasing an additional book. My experience with this one has been mixed. I have tried to use it as much as possible, but I have already contacted the publisher about one mistake that I discovered. If the rules file approach you suggested does work, I shall be contacting the publisher again. I am hoping to get another book and be able to RTFM.

Yes, there are better books out there than that one, but it's still good get-up-and-running material. There are many suggestions; I would recommend doing a search on amazon.com (even if you buy elsewhere) to find some books. Also the faq/archives suggest some great books.

> Thanks again for your suggestions, and I will keep you up to date.

Happy snorting! J.
-----Original Message-----
From: J. [mailto:jeruvy () shaw ca]
Sent: Tuesday, November 04, 2003 9:24 AM
To: Kaplan, Andrew H.
Subject: RE: [Snort-users] (no subject)

Are you sure your rule order is the way you want it? Most pass rules by default are looked at last, hence you would be seeing this behaviour. As for not seeing alerts from the internet, I'd say good, great, but I realize you may want to look at this traffic... so what hardware are you using for your WAN access? (I also hate to say this, but have you actually read the documentation? These issues have been discussed and hashed so many times over the years I am so bored with discussing them. As well there are some great books on the subject...) Note hubs work, switches don't, for a rule of thumb. There are other solutions but RTFM. J.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kaplan, Andrew H.
Sent: Tuesday, November 04, 2003 6:10 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] (no subject)

When writing the policy-based.rules file I had as my first lines several lines that read as follows:

    alert ip any any -> [any,10.10.0.0/24] any
    alert tcp any any -> [any,10.10.0.0/24] any
    alert udp any any -> [any,10.10.0.0/24] any

While these lines were uncommented, I would get an enormous amount of alerts from the 10.10.0.0 subnet even though subsequent pass rules told snort to let pass any and all ip, tcp, and udp traffic on any port. Once I commented out the lines, the alerts dropped down to 0. Do I need any alert rules at the beginning of the policy-based.rules file to specify what subnets, in this case any subnet excluding the 10.10.0.0 subnet, snort should alert me on? If so, what is the correct syntax? I did include the -o option in the command syntax. FYI, the syntax is as follows:

    /usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -o

The location of the policy-based.rules file is /etc/snort. Also, I do not seem to be getting any alerts from traffic coming in from the Internet. Is that normal?

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
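The rule-ordering behaviour the thread is arguing about, as an added example that is not code from the thread's authors or from the Snort project: a small Python simulator of how Snort 2.x groups rules by action and consults the groups in a fixed order. The assumptions it encodes are that the default order is alert, then pass, then log (activation and dynamic rules are omitted for simplicity), and that `-o` on the command line, or `config order: pass alert log` in snort.conf, moves pass ahead of alert. Because grouping happens per action, the position of an alert rule relative to a pass rule in policy-based.rules does not change which group is consulted first; only the order setting does, which is J.'s point about not editing the rules. The three alert headers are the ones from Andrew's original post; the pass rules, the packet tuples and the addresses are constructed to model his later "pass all internal traffic" configuration.

```python
"""Simulate Snort 2.x action ordering (alert/pass/log) for header-only rules.

Added illustration, not Snort code. Rules are simplified to
"action proto src sport -> dst dport" with no option body.
"""
import ipaddress
from dataclasses import dataclass

DEFAULT_ORDER = ("alert", "pass", "log")     # assumed Snort 2.x default
PASS_FIRST_ORDER = ("pass", "alert", "log")  # assumed effect of `snort -o`


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: tuple
    sport: str
    dst: tuple
    dport: str


def _parse_addr_list(field):
    """'[any,10.10.0.0/24]' -> ('any', IPv4Network); 'any' -> ('any',)."""
    out = []
    for part in field.strip("[]").split(","):
        part = part.strip()
        out.append("any" if part == "any" else ipaddress.ip_network(part, strict=False))
    return tuple(out)


def parse_rule(line):
    """Parse a header-only rule; raises ValueError on anything else."""
    action, proto, src, sport, arrow, dst, dport = line.split()
    if arrow != "->":
        raise ValueError(f"only unidirectional rules supported: {line!r}")
    return Rule(action, proto, _parse_addr_list(src), sport, _parse_addr_list(dst), dport)


def _addr_matches(addr_list, ip):
    ip = ipaddress.ip_address(ip)
    return any(entry == "any" or ip in entry for entry in addr_list)


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """pkt is (proto, src_ip, sport, dst_ip, dport); an 'ip' rule matches any proto."""
    proto, sip, sport, dip, dport = pkt
    if rule.proto != "ip" and rule.proto != proto:
        return False
    return (_addr_matches(rule.src, sip) and _port_matches(rule.sport, sport)
            and _addr_matches(rule.dst, dip) and _port_matches(rule.dport, dport))


def evaluate(pkt, rules, order=DEFAULT_ORDER):
    """Return the action taken for pkt: the first action group in `order`
    containing a matching rule wins, regardless of file position."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action
    return None


# Rule set modelled on the thread: Andrew's three alert headers, followed by
# constructed pass rules for traffic sourced from the internal 10.10.0.0/24.
RULES = [parse_rule(line) for line in """
alert ip any any -> [any,10.10.0.0/24] any
alert tcp any any -> [any,10.10.0.0/24] any
alert udp any any -> [any,10.10.0.0/24] any
pass ip 10.10.0.0/24 any -> any any
pass tcp 10.10.0.0/24 any -> any any
pass udp 10.10.0.0/24 any -> any any
""".strip().splitlines()]

INTERNAL = ("tcp", "10.10.0.5", 40000, "10.10.0.9", 80)      # constructed
EXTERNAL = ("tcp", "198.51.100.7", 51515, "10.10.0.9", 80)   # constructed


def thread_scenario():
    """Outcome for an internal and an external packet under both orders."""
    return {
        "internal_default": evaluate(INTERNAL, RULES, DEFAULT_ORDER),    # alert
        "internal_with_o": evaluate(INTERNAL, RULES, PASS_FIRST_ORDER),  # pass
        "external_default": evaluate(EXTERNAL, RULES, DEFAULT_ORDER),    # alert
        "external_with_o": evaluate(EXTERNAL, RULES, PASS_FIRST_ORDER),  # alert
    }


if __name__ == "__main__":
    for name, action in thread_scenario().items():
        print(f"{name:18} -> {action}")
```

With the default order the internal packet is alerted on even though a pass rule matches it, which is the flood Andrew saw; with the pass-first order the same packet is passed while external traffic still alerts. Note that the `[any,10.10.0.0/24]` destination list in the original rules is equivalent to `any`, so those alert rules match every packet, which is why the ordering setting, not the rule wording, decides the outcome.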