Snort mailing list archives

RE: (no subject)


From: "Harper, Patrick" <patrick.harper () phns com>
Date: Fri, 9 Jul 2004 14:47:15 -0500

They have several spyware (and other) rules at www.bleedingsnort.com


-----Original Message-----
From: Turnquist,Wayne [mailto:WayneTurnquist () catholichealth net] 
Sent: Friday, July 09, 2004 2:14 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] (no subject)

To give some details, we connect to the internet by connecting to the corp. data center along with a bunch of other 
hospitals. Since security is becoming more of a problem because of all the viruses/Trojan horses, I decided we need to 
tighten our side up even though corp. has firewalls and other security processes.

So I want to get Snort up and running and to watch for the basic attacks. I don't want to have to constantly tweak the 
rules, because I don't have much time since I'm a one-man shop here at the hospital. Would the standard rules and the 
options for the rules that come with the installation of Snort be good enough, or should I turn on some other rules that 
are disabled in the standard install?

Right now I have the router to corp. ----> hub ----> switch, where I have Snort and ntop installed on 2 different 
PCs on the hub.

On a Windows 2000 Pro machine with all the updates, I installed Snort 2.1.3 and WinPcap 3.0.

On another Win2000 Pro machine I have Kiwi Syslog running.

I'm using the installed rules and conf, except for the following changes to the installed conf:

var HOME_NET [10.110.96.0/24,10.110.97.0/24,10.110.99.0/24,10.110.100.0/23,10.110.102.0/24,10.110.106.0/24,10.1.1.0/24]

var DNS_SERVERS [10.110.101.231/32,10.110.101.233/32]
var SMTP_SERVERS [10.110.101.233/32]
var SNMP_SERVERS [10.110.99.2/32,10.110.99.4/32]
var RULE_PATH d:\ids\snort\rules
output log_tcpdump: tcpdump.log
output alert_syslog: host=10.110.99.4:514, LOG_AUTH LOG_ALERT


I issue the following command in the d:\ids\snort\bin dir:
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -i 1 -d not host 10.250.24.25

It does create the alert.ids and the tcpdump file,
but I'm not getting any syslog msgs on the machine running Kiwi Syslog. I do have another device on the network sending 
msgs to the syslog, so I know it can receive msgs.

1) What is going wrong?
2) Assuming I get this to work, can I have syslog msgs sent to 2 different PCs at the same time?
--------------------------------------------------------------

The next question.

I want to get up and running quickly. Case in point: the not host 10.250.24.25 is a SolarWinds box at the main corp. 
data center monitoring some equipment in our network. This seems to work, but there is other equipment at corp. that I 
trust, and for now I would like to trust it fully and be more restrictive on these machines in the future. So my question 
is, how can I add, let's say, 5 devices from corp. so they don't generate alerts?

Do I create a file, let's say it is called ty.txt, containing: not host x not host y not host z not host g not host k

then use the following:
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -i 1 -d -f "c:\ty.txt"

If this is not correct, can someone tell me how to do it correctly?


Another issue I noticed while playing around is that my SNMP servers are generating alerts when they probe the router, 
which is 10.110.101.254, even though I used the var to declare my SNMP PCs. Do I need to add this IP number to the not 
host file as stated above? If not, what am I doing wrong?


Thank you
wt

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

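A check for question 1 that is not part of the thread: before touching snort.conf, confirm that a syslog datagram from the Snort box actually reaches the Kiwi host. The script below builds an RFC 3164 message with the same facility and severity the quoted config line asks for (LOG_AUTH, LOG_ALERT, which encode to PRI 33) and sends it over UDP to the Kiwi address from the config. The host name "idsbox", the timestamp and the alert text are constructed for the example; the text only imitates the shape of a Snort alert line.

```python
import re
import socket

# Facility and severity codes from RFC 3164 (same numbering as <syslog.h>)
LOG_AUTH = 4       # facility named in the quoted snort.conf line
LOG_ALERT = 1      # severity named in the quoted snort.conf line


def syslog_pri(facility, severity):
    """PRI value carried in the <N> prefix of a datagram: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity


def build_message(facility, severity, timestamp, hostname, tag, text):
    """Assemble an RFC 3164 datagram: <PRI>TIMESTAMP HOSTNAME TAG: text."""
    return f"<{syslog_pri(facility, severity)}>{timestamp} {hostname} {tag}: {text}"


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(message):
    """Return (facility, severity) from a received datagram, or None if the
    PRI prefix is missing or out of range (what a receiver like Kiwi decodes)."""
    match = _PRI_RE.match(message)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest legal PRI
        return None
    return divmod(pri, 8)  # (facility, severity)


def send_udp(message, host, port=514):
    """Send one plain UDP datagram to the syslog receiver; returns bytes sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return sock.sendto(message.encode("ascii", "replace"), (host, port))
    finally:
        sock.close()


# Constructed sample text in the general shape of a Snort alert line (not a real capture)
SAMPLE_TEXT = ("[1:1411:3] SNMP public access udp [Priority: 2]: "
               "{UDP} 10.110.99.2:1025 -> 10.110.101.254:161")

if __name__ == "__main__":
    # Run on the Snort box; 10.110.99.4 is the Kiwi host from the quoted config.
    msg = build_message(LOG_AUTH, LOG_ALERT, "Jul  9 14:47:15", "idsbox", "snort", SAMPLE_TEXT)
    print(msg)
    send_udp(msg, "10.110.99.4")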

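An added example, not from the thread, covering the two remaining questions (the not host file for the corporate devices, and the SNMP alerts). It builds a valid BPF capture filter from a host list, writes it for the -F option, and then models what Snort does with the quoted HOME_NET and SNMP_SERVERS values: a packet hidden by BPF never reaches the rules, and a rule header of the form "udp $EXTERNAL_NET any -> $HOME_NET 161" matches an internal SNMP poll whenever EXTERNAL_NET is left at the stock value "any". That header form is an assumption about the stock snmp.rules, not something quoted in the thread; the five TRUSTED_HOSTS addresses are constructed (only 10.250.24.25 comes from the message).

```python
import ipaddress
from pathlib import Path

# Values copied from the snort.conf changes quoted in the message above
HOME_NET = ["10.110.96.0/24", "10.110.97.0/24", "10.110.99.0/24", "10.110.100.0/23",
            "10.110.102.0/24", "10.110.106.0/24", "10.1.1.0/24"]
SNMP_SERVERS = ["10.110.99.2/32", "10.110.99.4/32"]

# Constructed stand-ins for the five corporate devices; only the first is from the message
TRUSTED_HOSTS = ["10.250.24.25", "10.250.24.26", "10.250.24.27",
                 "10.250.24.28", "10.250.24.29"]


def bpf_exclude(hosts):
    """One BPF expression hiding all traffic to or from each address or CIDR block.
    Terms must be joined with 'and'; a bare run of 'not host' terms is not valid BPF."""
    terms = []
    for h in hosts:
        net = ipaddress.ip_network(h, strict=False)   # raises ValueError on a typo
        if net.num_addresses == 1:
            terms.append(f"not host {net.network_address}")
        else:
            terms.append(f"not net {net.with_prefixlen}")
    return " and ".join(terms)


def write_filter_file(path, hosts):
    """Write the expression to the file that snort -F reads."""
    Path(path).write_text(bpf_exclude(hosts) + "\n")
    return path


def snort_command(conf, logdir, iface, filter_file):
    """Snort 2.x command line: -F <file> reads the BPF expression from a file
    (lower-case -f is a different option), -i is the interface, -d dumps payloads."""
    return f'snort -c "{conf}" -l {logdir} -i {iface} -d -F "{filter_file}"'


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def captured(src, dst, excluded):
    """'not host X' drops every packet X sends or receives before any rule sees it."""
    return not (in_nets(src, excluded) or in_nets(dst, excluded))


def ip_matches(ip, spec):
    """spec mirrors a snort.conf var: 'any', a list of CIDRs, or ('!', list) meaning
    every address outside those CIDRs (the shape of  var EXTERNAL_NET !$HOME_NET)."""
    if spec == "any":
        return True
    if isinstance(spec, tuple) and spec[0] == "!":
        return not in_nets(ip, spec[1])
    return in_nets(ip, spec)


def header_matches(src, dst, dport, src_spec, dst_spec, rule_port=161):
    """Evaluate a rule header of the assumed form  udp $SRC any -> $DST <rule_port>."""
    return dport == rule_port and ip_matches(src, src_spec) and ip_matches(dst, dst_spec)


def would_alert(src, dst, dport, external_net, excluded=()):
    """Does a UDP packet reach a rule written as $EXTERNAL_NET any -> $HOME_NET 161?
    (Assumed header form; see lead-in.)"""
    return captured(src, dst, excluded) and header_matches(src, dst, dport, external_net, HOME_NET)


if __name__ == "__main__":
    print(bpf_exclude(TRUSTED_HOSTS))
    print(snort_command(r"d:\ids\snort\etc\snort.conf", r"d:\ids\snort\log", 1, r"c:\ty.txt"))
    probe = ("10.110.99.2", "10.110.101.254", 161)   # SNMP server polling the router
    print("EXTERNAL_NET any      :", would_alert(*probe, "any"))
    print("EXTERNAL_NET !HOME_NET:", would_alert(*probe, ("!", HOME_NET)))
    scan = ("10.250.24.25", "10.110.99.4", 161)      # SolarWinds polling an internal box
    print("SolarWinds, rules only:", would_alert(*scan, ("!", HOME_NET)))
    print("SolarWinds, BPF filter:", would_alert(*scan, ("!", HOME_NET), TRUSTED_HOSTS))
```

Two things the model makes visible. First, 10.110.100.0/23 in HOME_NET covers 10.110.100.0 through 10.110.101.255, so the router at 10.110.101.254 is inside HOME_NET, and with the stock "var EXTERNAL_NET any" an SNMP server inside HOME_NET is also a valid $EXTERNAL_NET source; setting "var EXTERNAL_NET !$HOME_NET" is the usual fix, and declaring SNMP_SERVERS does nothing for a rule whose destination is $HOME_NET. Second, a BPF "not host" entry is stronger than trusting a device: Snort never sees any packet to or from it, including an attack aimed at it or anything it does after being compromised. A pass rule for the specific source and signature keeps those packets visible to every other rule.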