Snort mailing list archives
snort alerts
From: Bala Ayres <baayres () sbcglobal net>
Date: Tue, 17 Feb 2004 10:22:24 -0800 (PST)
Hi all,

I am pretty new to Snort and trying to get a grip on how it works. My setup is a laptop running Snort 2.1 and an application client connecting to a server. I think I configured the attached snort.conf to alert and log to MySQL any activity on port 80 (either way) and on other ports that were listed from netstat -a. When I start up Snort I get a signature, tcphdr etc. written out on port 80, but as I use the application nothing gets registered. It is possible my application is using a different port and I am not monitoring that port, but I'd think if I spanned all ports given by netstat at that point in time, Snort should be able to pick up activity of my application. I would expect that all application client related traffic would be sent to my laptop.

Please find below the "redalert" section of my snort.conf. Only thing that registers (logged) is App 15. Appreciate any help.

# x.x.x obviously have valid octets.
var HOME_NET 10.x.x.x/24

redalert tcp $HOME_NET any -> $EXTERNAL_NET 1222:1222 (msg: "Application 1"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1222:1222 (msg: "App 2"; flags:A+;)
redalert tcp $HOME_NET any -> $EXTERNAL_NET 1221:1221 (msg: "App 3"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1221:1221 (msg: "App 4"; flags:A+;)
redalert tcp $HOME_NET any -> $EXTERNAL_NET 3306:3306 (msg: "App 5"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 3306:3306 (msg: "App 6"; flags:A+;)
redalert tcp $HOME_NET any -> $EXTERNAL_NET 1570:1570 (msg: "App 7"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1570:1570 (msg: "App 8"; flags:A+;)
redalert tcp $HOME_NET any -> $EXTERNAL_NET 1615:1615 (msg: "App 9"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1615:1615 (msg: "App 10"; flags:A+;)
redalert tcp $HOME_NET any -> $EXTERNAL_NET 1474:1474 (msg: "App 11"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1474:1474 (msg: "App 12"; flags:A+;)
redalert tcp $HOME_NET any -> $EXTERNAL_NET 23:23 (msg: "App 13"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 23:23 (msg: "App 14"; flags:A+;)
redalert tcp $HOME_NET any -> $EXTERNAL_NET 80:80 (msg: "App 15"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 80:80 (msg: "App 16"; flags:A+;)
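The rules above only test the packet header (protocol, source/destination network, port range, direction of the `->` operator) plus `flags:A+`, so what a given packet does or does not fire can be worked out by hand. The evaluator below is an added example, not Snort's code and not part of the original post: it regenerates the poster's sixteen rules from their port list, parses the header and options the way Snort reads them, and runs constructed packets through them. It assumes a concrete 10.0.0.0/24 for the masked HOME_NET and that $EXTERNAL_NET is left at the stock snort.conf value `any`; the packets are made up for the demonstration.

```python
"""Toy evaluator for the header/port/flags logic of Snort rules like the
poster's. Added example, not Snort's own code; it models only what those
rules test, enough to see why traffic on an unlisted port, a bare SYN, or
a server's reply packets fire none of them."""
import ipaddress
import re
from collections import namedtuple

# Assumption: the poster masked HOME_NET as 10.x.x.x/24; a concrete /24 is used.
HOME_NET = ipaddress.ip_network("10.0.0.0/24")

PORTS = [1222, 1221, 3306, 1570, 1615, 1474, 23, 80]

# The poster's sixteen rules, regenerated from their port list (msg of the
# first one shortened to "App 1"); Snort reads "1222:1222" as a one-port range.
RULES_TEXT = "\n".join(
    f'redalert tcp $HOME_NET any -> $EXTERNAL_NET {p}:{p} (msg:"App {2*i+1}"; flags:A+;)\n'
    f'redalert tcp $EXTERNAL_NET any -> $HOME_NET {p}:{p} (msg:"App {2*i+2}"; flags:A+;)'
    for i, p in enumerate(PORTS)
)

# Rule header: action proto src_ip src_port (->|<>) dst_ip dst_port (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

Rule = namedtuple("Rule", "action proto src sport direction dst dport opts")
# flags: TCP flag letters as Snort writes them, e.g. "S", "A", "PA"
Packet = namedtuple("Packet", "src sport dst dport flags")


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = {}
        for item in m["opts"].split(";"):
            key, _, val = item.strip().partition(":")
            if key:
                opts[key] = val.strip().strip('"')
        rules.append(Rule(m["action"], m["proto"], m["src"], m["sport"],
                          m["dir"], m["dst"], m["dport"], opts))
    return rules


def ip_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec in ("$EXTERNAL_NET", "any"):
        return True  # assumption: stock snort.conf "var EXTERNAL_NET any"
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Snort port syntax: any, N, lo:hi, :hi, lo: (ranges inclusive)."""
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, hi = spec.split(":")
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)


def flags_match(spec, pkt_flags):
    """flags:A+ = ACK set, others allowed; * = any of; ! = none of; bare = exact."""
    mod = spec[-1] if spec and spec[-1] in "+*!" else ""
    wanted, have = set(spec.rstrip("+*!")), set(pkt_flags)
    if mod == "+":
        return wanted <= have
    if mod == "*":
        return bool(wanted & have)
    if mod == "!":
        return not (wanted & have)
    return wanted == have


def rule_matches(rule, pkt):
    if rule.proto != "tcp":
        return False
    hit = (ip_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
           and ip_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport))
    if rule.direction == "<>":  # bidirectional operator also tries the swap
        hit = hit or (ip_matches(rule.src, pkt.dst) and port_matches(rule.sport, pkt.dport)
                      and ip_matches(rule.dst, pkt.src) and port_matches(rule.dport, pkt.sport))
    flags = rule.opts.get("flags")
    return hit and (flags is None or flags_match(flags, pkt.flags))


RULES = parse_rules(RULES_TEXT)


def alerts(pkt, rules=RULES):
    """Return the msg of every rule the packet fires, in rule order."""
    return [r.opts["msg"] for r in rules if rule_matches(r, pkt)]


if __name__ == "__main__":
    # Constructed packets, not from the poster's capture.
    samples = [Packet("10.0.0.5", 40123, "192.0.2.10", 80, "PA"),    # client GET
               Packet("192.0.2.10", 80, "10.0.0.5", 40123, "PA"),    # server reply
               Packet("10.0.0.5", 40124, "192.0.2.10", 8080, "PA"),  # unlisted port
               Packet("10.0.0.5", 40125, "192.0.2.10", 1222, "S")]   # SYN, no ACK
    for p in samples:
        print(p, "->", alerts(p))
```

Running it shows that the client's request to port 80 fires App 15 but the server's reply fires nothing, because the reply has destination port 40123 and the "App 16" rule needs destination port 80; `->` rules with a fixed destination port only see the packets flowing toward that port, and "either way" would need the `<>` operator or a `$HOME_NET 80 -> $EXTERNAL_NET any` companion. Anything on a port outside the list, and any bare SYN (no ACK, so `flags:A+` fails), is silent as well.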
Current thread:
- snort alerts Bala Ayres (Feb 17)