Snort mailing list archives

snort alerts


From: Bala Ayres <baayres () sbcglobal net>
Date: Tue, 17 Feb 2004 10:22:24 -0800 (PST)

Hi all,

I am pretty new to snort and trying to get a grip on
how it works.

My set up is a laptop running snort 21 and an
application client connecting to a server. I think I
configured the attached snort.conf to alert and log to
mysql any activity on port 80 (either way) and on
other ports that were listed from netstat -a.

When I start up snort I get a signature, tcphdr etc.
written out on port 80, but as I use the application
nothing gets registered. It is possible my application
is using a different port and I am not monitoring that
port, but I'd think if I spanned all ports given by
netstat at that point in time, snort should be able to
pick up activity of my application. I would expect
that all application client related traffic would be
sent to my laptop.

Please find below the "redalert" section of my
snort.conf. The only thing that registers (logged) is App
15.

Appreciate any help.

# x.x.x obviously have valid octets.

var HOME_NET 10.x.x.x/24
redalert tcp $HOME_NET any -> $EXTERNAL_NET 1222:1222 \
    (msg: "Application 1"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1222:1222 \
    (msg: "App 2"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 1221:1221 \
    (msg: "App 3"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1221:1221 \
    (msg: "App 4"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 3306:3306 \
    (msg: "App 5"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 3306:3306 \
    (msg: "App 6"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 1570:1570 \
    (msg: "App 7"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1570:1570 \
    (msg: "App 8"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 1615:1615 \
    (msg: "App 9"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1615:1615 \
    (msg: "App 10"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 1474:1474 \
    (msg: "App 11"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1474:1474 \
    (msg: "App 12"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 23:23 \
    (msg: "App 13"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 23:23 \
    (msg: "App 14"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 80:80 \
    (msg: "App 15"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 80:80 \
    (msg: "App 16"; flags:A+;)

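As an added illustration (not code from the post or from Snort itself), the following Python models how a Snort rule header resolves $HOME_NET/$EXTERNAL_NET, a leading "!" negation and lo:hi port ranges, so you can check which of the rules above a given connection would match. The HOME_NET value 10.1.1.0/24, the client/server addresses and the two EXTERNAL_NET settings are constructed assumptions; the post does not show how EXTERNAL_NET is defined.

```python
import ipaddress
import re

# Constructed rules modelled on the post's "redalert" rules, one per line.
RULES_TEXT = """
redalert tcp $HOME_NET any -> $EXTERNAL_NET 1222:1222 (msg:"App 1"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1222:1222 (msg:"App 2"; flags:A+;)
redalert tcp $HOME_NET any -> $EXTERNAL_NET 80:80 (msg:"App 15"; flags:A+;)
"""
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_rules(text):
    # Only the header fields and the msg option matter for header matching.
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if not m:
            raise ValueError("unparsable rule: " + line)
        _action, proto, src, sport, dst, dport, opts = m.groups()
        msg = re.search(r'msg:\s*"([^"]*)"', opts)
        rules.append({"proto": proto, "src": src, "sport": sport, "dst": dst,
                      "dport": dport, "msg": msg.group(1) if msg else ""})
    return rules

def addr_matches(spec, ip, variables):
    # Resolve $VAR, a leading '!' negation, 'any' and CIDR, as a Snort header field does.
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):  # the variable's value may itself be negated (!$HOME_NET)
        return addr_matches(variables[spec[1:]], ip, variables) != negate
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec, port):
    # 'any', a single port, or a lo:hi range; either end of the range may be empty.
    if spec == "any":
        return True
    if ":" not in spec:
        return int(spec) == port
    lo, hi = spec.split(":", 1)
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)

def matching_rules(rules, variables, proto, src, sport, dst, dport):
    # Return the msg of every rule whose header matches the flow src:sport -> dst:dport.
    return [r["msg"] for r in rules if r["proto"] == proto
            and addr_matches(r["src"], src, variables) and port_matches(r["sport"], sport)
            and addr_matches(r["dst"], dst, variables) and port_matches(r["dport"], dport)]

RULES = parse_rules(RULES_TEXT)
# Constructed flow: client 10.1.1.5 talks to server 10.1.1.20:1222, both inside HOME_NET.
for ext in ("any", "!$HOME_NET"):
    v = {"HOME_NET": "10.1.1.0/24", "EXTERNAL_NET": ext}
    print("EXTERNAL_NET=" + ext + ":", matching_rules(RULES, v, "tcp", "10.1.1.5", 40000, "10.1.1.20", 1222))
```

With EXTERNAL_NET set to !$HOME_NET, a connection whose client and server are both inside HOME_NET matches none of the $HOME_NET -> $EXTERNAL_NET or $EXTERNAL_NET -> $HOME_NET rules, whereas with EXTERNAL_NET any it matches in both directions.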
