Snort mailing list archives
Re: Snort and acid prob!!! Acid not running :(
From: patrick () internetsecurityguru com
Date: Wed, 14 Jul 2004 17:08:34 -0400 (EDT)
Yes, because of your network configuration you will only see alerts destined for your snort box or broadcast traffic. This is a function of your network gear, not snort. You are on unmanaged switches so you can not set a span or monitor port. You can use a tap or a hub inline, or get a managed switch. If you have a network engineer around they may be able to help you.

Also, you need 192.168.1.0/24 for your HOME_NET, not 192.168.1.0/255. Here is a CIDR cheatsheet: http://www.oav.net/mirrors/cidr.html

To understand the difference check out something like http://www.duxcw.com/faq/network/hubsw.htm
Hi... I installed CIS and tried entering the snort server host name... it generated 100% TCP and 83 alerts... is that working fine? What do I have to do with those alerts? I mean, what is the use of getting as huge as 83 alerts?? Will they be generated only when somebody tries to access my snort box??

On Wed, 14 Jul 2004 17:08:35 +0530, Aparna Mangla <aparna.mangla () gmail com> wrote:

Also tell me, in the snort.conf file, I wrote 192.168.1.0/255. Is it correct? Will it check the hosts from 192.168.1.0 to 192.168.1.255 IP addresses?

On Wed, 14 Jul 2004 06:14:17 -0500, Patrick S. Harper <patrick () internetsecurityguru com> wrote:

Then you are not going to get what you want. You will only see broadcast traffic and traffic destined for that port on the switch. Try CIS, it works under Windows and is easier if you do not know Nessus. Read up on the nature of switches and you will see what I mean. You can use a tap to make it more effective.

Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com
www.ntsug.org - Snort Users Group
"If there is no light at the end of the tunnel, get down there and light the damn thing yourself!"

-----Original Message-----
From: Aparna Mangla [mailto:aparna.mangla () gmail com]
Sent: Wednesday, July 14, 2004 6:07 AM
To: Patrick S. Harper
Subject: Re: Snort and acid prob!!! Acid not running :(

What do you mean by spanning a port? Please elaborate. The switches we use are self managed switches. They carry no IP addresses. I'm trying to figure out Nessus....

Aparna Mangla

On Wed, 14 Jul 2004 06:06:23 -0500, Patrick S. Harper <patrick () internetsecurityguru com> wrote:

You are on a switch, so due to the nature of switched networking, you will only see traffic destined for the switch port the snort box is on. Can you span a port? Is it all one VLAN or are they unmanaged switches? Did you try scanning it (the IP of the snort box) with one of the tools I mentioned?

Patrick S. Harper | CISSP RHCT MCSE

-----Original Message-----
From: Aparna Mangla [mailto:aparna.mangla () gmail com]
Sent: Wednesday, July 14, 2004 5:57 AM
To: Patrick S. Harper
Subject: Re: Snort and acid prob!!! Acid not running :(

Well... we have one router and 4 switches.... I have snort installed on my Linux box (one among the 50 PCs) and we don't use proxies here. All the machines are directly connected. Hope I gave the right information.. Now what? :(

Aparna Mangla

On Wed, 14 Jul 2004 05:52:21 -0500, Patrick S. Harper <patrick () internetsecurityguru com> wrote:

Where is the IDS placed? Is it on a switch? If it is, do you have the sniffing interface on a span port? Were any of the 471 packets something that would trigger an alert? Nope, because it says ALERTS: 0. Download Nessus (www.nessus.org) or CIS (http://www.cerberus-infosec.co.uk/CIS-5.0.02.zip) and scan the interface on the snort box you are sniffing on to test it first, to see if you have a problem with placement. I am betting you are on a switch and only seeing broadcast traffic. If you can see the ACID interface then it is running; snort is starting so mysql is running; if you have your output line correct in your snort.conf and your acid_conf.php database lines correct then it is just a matter of your box not seeing any traffic. Where exactly do you have this placed in relation to your 50 PCs?

Hope this helps

Patrick S. Harper | CISSP RHCT MCSE

-----Original Message-----
From: Aparna Mangla [mailto:aparna.mangla () gmail com]
Sent: Wednesday, July 14, 2004 5:12 AM
To: Patrick S. Harper; nwoliver () internetsecurityguru com; snort-users () lists sourceforge net
Subject: Snort and acid prob!!! Acid not running :(

Hi, please help me urgently. I have installed snort-2.0.2 with acid 0.9.6b23 on Red Hat 9. I think I followed all the steps correctly, and when I run:

    snort -c /etc/snort/snort.conf

I get the following output at the end:

    ===============================================================================
    Snort analyzed 471 out of 471 packets, dropping 0(0.000%) packets

    Breakdown by protocol:                Action Stats:
        TCP: 29         (6.157%)          ALERTS: 0
        UDP: 208        (44.161%)         LOGGED: 0
       ICMP: 89         (18.896%)         PASSED: 0
        ARP: 90         (19.108%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 55         (11.677%)
    DISCARD: 0          (0.000%)
    ===============================================================================
    Wireless Stats:
    Breakdown by type:
        Management Packets: 0          (0.000%)
        Control Packets:    0          (0.000%)
        Data Packets:       0          (0.000%)
    ===============================================================================
    Fragmentation Stats:
    Fragmented IP Packets: 0          (0.000%)
        Fragment Trackers: 0
       Rebuilt IP Packets: 0
       Frag elements used: 0
    Discarded(incomplete): 0
       Discarded(timeout): 0
      Frag2 memory faults: 0
    ===============================================================================
    TCP Stream Reassembly Stats:
            TCP Packets Used: 29         (6.157%)
             Stream Trackers: 9
              Stream flushes: 0
               Segments used: 0
       Stream4 Memory Faults: 0
    ===============================================================================
    database: Closing connection to database "snort"
    Snort exiting

Now... when I start the httpd interface, I get 0 alerts, 0 sensors, 0% UDP, 0% TCP..... as though it is inactive. I am connected on a LAN of 50 PCs. Please tell me how to correct it. Hoping for an urgent reply.

Thanking you
Aparna Mangla

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
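Two checks that follow from Patrick's advice in this thread, as an added example (Python 3, standard library only; this is not code from Snort or from either poster). The first parses a HOME_NET value and shows why 192.168.1.0/24 covers 192.168.1.0-192.168.1.255 while 192.168.1.0/255 is not CIDR at all. The second is the placement test he describes: if every frame the sniffing NIC sees is broadcast/multicast or addressed to the sensor itself, the box is on an ordinary switch port with no span, tap or hub. The sensor address 192.168.1.7, its MAC, and the `tcpdump -e -nn` style lines are constructed samples, not a real capture.

```python
"""Two sanity checks for a Snort sensor on a switched LAN (added example).

Not code from Snort or from the posters in this thread. Standard library only.
The sensor address/MAC and the tcpdump lines below are constructed samples.
"""
import ipaddress
import re
from collections import Counter

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Link-layer line as printed by `tcpdump -e -nn` on Linux: timestamp,
# "src MAC > dst MAC", ethertype, frame length, then the protocol text.
ETH_LINE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype (?P<etype>\S+) \(0x[0-9a-f]+\), length \d+: (?P<rest>.*)$"
)
# "src[.port] > dst[.port]" at the start of the IPv4 protocol text.
IP_PAIR = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?"
)


def parse_home_net(spec):
    """Parse a Snort HOME_NET value as CIDR.

    The number after '/' is a prefix length (0-32), not the last octet of a
    netmask: 192.168.1.0/24 is 192.168.1.0-192.168.1.255, while
    192.168.1.0/255 is rejected. strict=False masks off any host bits.
    """
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError as exc:
        raise ValueError(
            f"{spec!r} is not CIDR notation; put a prefix length (0-32) "
            f"after '/', e.g. 192.168.1.0/24"
        ) from exc


def home_net_problem(spec):
    """Return None if spec is valid CIDR, otherwise the explanation string."""
    try:
        parse_home_net(spec)
    except ValueError as exc:
        return str(exc)
    return None


def home_net_covers(spec, addr):
    """True if HOME_NET `spec` contains the address `addr`."""
    return ipaddress.ip_address(addr) in parse_home_net(spec)


def classify_frame(line, sensor_ip, sensor_mac):
    """Classify one tcpdump line as 'broadcast', 'to_sensor', 'other_hosts', or None if unparsable.

    On an ordinary switch port only the first two classes ever appear; a frame
    unicast to some other host proves a span port, tap or hub is in place.
    """
    m = ETH_LINE.match(line)
    if not m:
        return None
    dmac = m["dmac"].lower()
    # The group bit (lowest bit of the first octet) marks broadcast and multicast.
    if dmac == BROADCAST_MAC or int(dmac[:2], 16) & 1:
        return "broadcast"
    if dmac == sensor_mac.lower():
        return "to_sensor"
    ip = IP_PAIR.match(m["rest"])
    if ip and ip["dst"] == sensor_ip:
        return "to_sensor"
    return "other_hosts"


def placement_report(lines, sensor_ip, sensor_mac):
    """Count frames per class; the second value is True if other hosts' unicast traffic was seen."""
    counts = Counter()
    for line in lines:
        kind = classify_frame(line, sensor_ip, sensor_mac)
        if kind is not None:
            counts[kind] += 1
    return counts, counts["other_hosts"] > 0


# Constructed sample: sensor 192.168.1.7 on an unmanaged switch sees only ARP
# broadcast, mDNS multicast, and a ping addressed to itself.
SENSOR_IP, SENSOR_MAC = "192.168.1.7", "00:0c:29:aa:bb:cc"
SAMPLE_UNSPANNED = [
    "10:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.20 tell 192.168.1.5",
    "10:00:01.100001 00:11:22:33:44:55 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 192.168.1.5 > 192.168.1.7: ICMP echo request, id 1, seq 1, length 64",
    "10:00:01.200001 00:11:22:33:44:66 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 80: 192.168.1.9.5353 > 224.0.0.251.5353: UDP, length 38",
]
# Same sensor behind a span port, tap or hub: a SYN between two other hosts shows up.
SAMPLE_SPANNED = SAMPLE_UNSPANNED + [
    "10:00:02.000001 00:11:22:33:44:55 > 00:11:22:33:44:77, ethertype IPv4 (0x0800), length 74: 192.168.1.5.1234 > 192.168.1.20.80: Flags [S], seq 1, win 5840, length 0",
]

if __name__ == "__main__":
    for spec in ("192.168.1.0/24", "192.168.1.0/255"):
        print(spec, "->", home_net_problem(spec) or f"ok, {parse_home_net(spec).num_addresses} addresses")
    for name, sample in (("unmanaged port", SAMPLE_UNSPANNED), ("span/tap", SAMPLE_SPANNED)):
        counts, sees_others = placement_report(sample, SENSOR_IP, SENSOR_MAC)
        print(name, dict(counts), "sees other hosts' unicast:", sees_others)
```

To run the placement check against a real sensor, feed it the output of `tcpdump -e -nn -i <sniffing interface>` (run for a minute while other hosts on the LAN are busy) together with that interface's own IP and MAC; a result of zero `other_hosts` frames is the symptom this thread describes, and the fix is at the switch (span port, tap or hub), not in snort.conf.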
Current thread:
- RE: Snort and acid prob!!! Acid not running :( Patrick S. Harper (Jul 14)
- RE: Snort and acid prob!!! Acid not running :( Patrick S. Harper (Jul 14)
- Re: Snort and acid prob!!! Acid not running :( patrick (Jul 14)
- Snort and acid prob!!! Acid not running :( Aparna Mangla (Jul 14)
- RE: Snort and acid prob!!! Acid not running :( Patrick S. Harper (Jul 14)
- RE: Snort and acid prob!!! Acid not running :( Murray, Todd (Jul 14)