Snort mailing list archives
Re: Snort on an OpenBSD firewall
From: Dragos Ruiu <dr () kyx net>
Date: Mon, 28 Jun 2004 15:56:14 -0700
Is pf running?

cheers,
--dr

On June 28, 2004 12:29 pm, Sean Brown wrote:
I'm new to snort, and trying to get it running on my OpenBSD 3.5 firewall, but it's just not working right. If I read the documentation right, I should be able to have snort listen on pflog0 and just capture and watch the traffic that's rejected by my firewall, which is handy because snort isn't then logging all the arp traffic that shows up on the line. When I launch snort with

    /usr/local/bin/snort -c /etc/snort/snort.conf -i pflog0 -d

nothing happens and after ctrl-d I get this:

    Snort analyzed 212 out of 212 packets, dropping 0(0.000%) packets

    Breakdown by protocol:                Action Stats:
        TCP: 0          (0.000%)          ALERTS: 0
        UDP: 0          (0.000%)          LOGGED: 0
       ICMP: 0          (0.000%)          PASSED: 0
        ARP: 0          (0.000%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 212        (100.000%)
    DISCARD: 0          (0.000%)

But if I call it on my external interface I get a lot more:

    Snort analyzed 275 out of 275 packets, dropping 0(0.000%) packets

    Breakdown by protocol:                Action Stats:
        TCP: 198        (72.000%)         ALERTS: 198
        UDP: 1          (0.364%)          LOGGED: 198
       ICMP: 0          (0.000%)          PASSED: 0
        ARP: 74         (26.909%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 0          (0.000%)
    DISCARD: 0          (0.000%)

Now even to get that I had to add a TCP catchall which just fills the database with noise, but that's another problem, it wouldn't even register a port scan.. Why when I listen on pflog0 does it classify everything as 'Other' and just ignore it all?
I can sit with tcpdump and watch it all on pflog0

Any help is appreciated
-Sean Brown

    #Snort Config file
    var HOME_NET 192.168.1.0/26
    var EXTERNAL_NET any
    var DNS_SERVERS [192.168.1.2,192.168.1.4]
    var SQL_SERVERS 192.168.1.2
    var TELNET_SERVERS 192.168.1.10
    var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12
    var HTTP_SERVERS $HOME_NET
    var HTTP_PORTS 80
    var SNMP_SERVERS $HOME_NET
    var SMTP_SERVERS $HOME_NET
    var RULE_PATH ./rules

    config detection: search-method lowmem

    preprocessor stream4: detect_scans, disable_evasion_alerts
    preprocessor stream4_reassemble
    #preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

    # OUTPUT DATABASE
    output database: log,mysql,dbname=snort user=snorter host=192.168.1.2 port=3306 sensor_name=SPARTA_FW_01

    #
    # Include classification & priority settings
    #
    include $RULE_PATH/classification.config

    #
    # Include reference systems
    #
    include $RULE_PATH/reference.config

    # RULES
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/scan.rules
    include $RULE_PATH/finger.rules
    include $RULE_PATH/telnet.rules
    include $RULE_PATH/rservices.rules
    include $RULE_PATH/dos.rules
    include $RULE_PATH/ddos.rules
    include $RULE_PATH/snmp.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/x11.rules
    include $RULE_PATH/mysql.rules
    include $RULE_PATH/misc.rules
    include /home/sean/test.rules

test.rules just has this:

    alert tcp any any -> any any (msg:"TCP traffic";)

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities.
Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan Nov 11-12 2004 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp
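A note on what the "OTHER: 212 (100.000%)" line in the quoted statistics means, with an added example that is not part of this thread or of Snort's code. pflog0 is not an Ethernet interface: libpcap reports it with link type DLT_PFLOG (117), and every captured packet starts with OpenBSD's pflog header (in 3.4/3.5 a 48-byte struct carrying the header length, address family, pf action and reason, interface name, ruleset, rule numbers and direction; later releases inserted uid/pid fields and grew it to 64 bytes). Only after that header does the IP packet begin, so a breakdown in which nothing is counted as TCP, UDP or ICMP means the decoder never reached an IP header in any packet. The script below does the stripping by hand and reproduces a Snort-style protocol breakdown, which lets a practitioner confirm that the frames on pflog0 really are ordinary IP behind pflog framing. The constants (DLT_PFLOG, AF_INET=2, AF_INET6=24, pf action and direction codes) are OpenBSD's; the sample frames, the interface name ext0, the rule numbers and the addresses are constructed for the example.

```python
import struct
from collections import Counter

# --- OpenBSD pflog link-layer header (libpcap DLT_PFLOG = 117) -----------------
# Layout in OpenBSD 3.4/3.5 (48 bytes):
#   length(1) af(1) action(1) reason(1) ifname(16) ruleset(16)
#   rulenr(4, network order) subrulenr(4, network order) dir(1) pad(3)
# Later releases inserted uid/pid fields and grew the header to 64 bytes. The
# first byte always holds the header length, so a decoder uses it to find the
# start of the IP packet and reads dir from the byte just before the 3-byte pad.
DLT_PFLOG = 117
AF_INET, AF_INET6 = 2, 24              # OpenBSD socket address family values
PF_ACTIONS = {0: "pass", 1: "block", 2: "scrub"}
PF_DIRS = {1: "in", 2: "out"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def decode_pflog(frame: bytes) -> dict:
    """Strip one pflog header and classify the IP packet behind it."""
    hdr_len = frame[0]
    if hdr_len not in (48, 64) or len(frame) < hdr_len:
        raise ValueError("not a pflog frame: bad header length %d" % hdr_len)
    af, action, reason = frame[1], frame[2], frame[3]
    ifname = frame[4:20].split(b"\0", 1)[0].decode("ascii")
    ruleset = frame[20:36].split(b"\0", 1)[0].decode("ascii")
    rulenr, subrulenr = struct.unpack("!II", frame[36:44])
    direction = frame[hdr_len - 4]
    payload = frame[hdr_len:]

    proto_name, src, dst = "OTHER", None, None
    if af == AF_INET and len(payload) >= 20 and payload[0] >> 4 == 4:
        src = ".".join(str(b) for b in payload[12:16])
        dst = ".".join(str(b) for b in payload[16:20])
        proto_name = IP_PROTOS.get(payload[9], "OTHER")   # IPv4 protocol field
    elif af == AF_INET6 and len(payload) >= 40 and payload[0] >> 4 == 6:
        proto_name = IP_PROTOS.get(payload[6], "OTHER")   # IPv6 next header
    return {
        "ifname": ifname, "ruleset": ruleset, "rulenr": rulenr, "reason": reason,
        "action": PF_ACTIONS.get(action, "unknown(%d)" % action),
        "dir": PF_DIRS.get(direction, "unknown(%d)" % direction),
        "proto": proto_name, "src": src, "dst": dst,
    }


def breakdown(frames) -> Counter:
    """Snort-style 'Breakdown by protocol' over a list of pflog frames."""
    return Counter(decode_pflog(f)["proto"] for f in frames)


# --- constructed sample frames (not captured from any real system) -------------
def _pflog_hdr(af, action, ifname, rulenr, direction, hdr_len=48):
    fixed = struct.pack("!BBBB16s16sII", hdr_len, af, action, 0,
                        ifname.encode(), b"", rulenr, 0)
    extra = b"\0" * (hdr_len - len(fixed) - 4)   # uid/pid slots, 64-byte variant only
    return fixed + extra + bytes([direction, 0, 0, 0])


def _ipv4(proto, src, dst, payload=b""):
    # Minimal IPv4 header; checksum left zero, the decoder above does not verify it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                       64, proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload


SAMPLE_FRAMES = [
    # inbound TCP SYN to port 22, blocked by rule 3 on the external interface
    _pflog_hdr(AF_INET, 1, "ext0", 3, 1)
    + _ipv4(6, "203.0.113.5", "192.0.2.1", b"\x04\xd2\x00\x16" + b"\0" * 16),
    # inbound UDP probe, blocked by the same rule
    _pflog_hdr(AF_INET, 1, "ext0", 3, 1) + _ipv4(17, "203.0.113.9", "192.0.2.1", b"\0" * 8),
    # outbound ICMP echo, passed and logged, using the 64-byte header variant
    _pflog_hdr(AF_INET, 0, "ext0", 7, 2, hdr_len=64)
    + _ipv4(1, "192.0.2.1", "198.51.100.2", b"\x08\0\0\0"),
    # blocked packet of an IP protocol Snort's breakdown would also file as OTHER (GRE, 47)
    _pflog_hdr(AF_INET, 1, "ext0", 3, 1) + _ipv4(47, "203.0.113.7", "192.0.2.1"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(decode_pflog(f))
    print(dict(breakdown(SAMPLE_FRAMES)))
```

Run against a real pflog0 capture, `decode_pflog` would be applied to each record read from a DLT_PFLOG pcap; if the first byte of every record is neither 48 nor 64, the frames are not pflog-framed at all and the link type should be checked with tcpdump before looking at Snort's configuration.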
Current thread:
- Snort on an OpenBSD firewall Sean Brown (Jun 28)
- Re: Snort on an OpenBSD firewall Dragos Ruiu (Jun 28)
- Re: Snort on an OpenBSD firewall Sean Brown (Jun 28)
- Re: Snort on an OpenBSD firewall Matt Kettler (Jun 28)
- Re: Snort on an OpenBSD firewall Sean Brown (Jun 28)
- Re: Snort on an OpenBSD firewall Dragos Ruiu (Jun 28)