Re: Snort and acid prob!!! Acid not running :(

[patrick () internetsecurityguru com]

Yes, because of your network configuration you will only see alerts
destined for your snort box or broadcast traffic.  This is a function of
your network gear not snort.  You are on unmanaged switches so you can not
set a span or monitor port.  You can use a tap or a hub inline. or get a
managed switch.  If you have a network engineer around they may be able to
help you

Also, you need 192.168.1.0/24 for your HOME_NET not 192.168.1.0/255
Here is a CIDR cheatsheet
http://www.oav.net/mirrors/cidr.html

to understand the difference check out something like
http://www.duxcw.com/faq/network/hubsw.htm



> hi...i installed CIS and tried entered the snort server host
> name....it generated 100 % TCP and 83 alerts.....is that working
> fine....what do i have to do to those alerts? I mean what is the use
> of getting as huge as 83 alerts?? Will they be generated only when
> somebody tries to access my snort box??
>
>
> On Wed, 14 Jul 2004 17:08:35 +0530, Aparna Mangla
> <aparna.mangla () gmail com> wrote:
> > also tell me, in the snort.conf file,
> > i wrote
> > 192.168.1.0/255
> > is it correct? it will check the hosts from 192.168.1.0 to
> > 192.168.1.255 ip addresses?
> >
> > On Wed, 14 Jul 2004 06:14:17 -0500, Patrick S. Harper
> >
> >
> > <patrick () internetsecurityguru com> wrote:
> > > Then you are not going to get what you want.  You will only see
> > broadcast
> > > traffic and traffic destined for that port on the switch.  Try CIS, it
> > works
> > > under windows and is easier if you do not know Nessus.  Read up on the
> > > nature of switch's and you will see what I mean.  You can use a tap to
> > make
> > > it more effective.
> > >
> > > Patrick S. Harper | CISSP RHCT MCSE
> > > www.internetsecurityguru.com
> > >
> > > www.ntsug.org - Snort Users Group
> > >
> > > "If there is no light at the end of the tunnel, get down there and
> > light the
> > > damn thing yourself!"
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Aparna Mangla [mailto:aparna.mangla () gmail com]
> > > Sent: Wednesday, July 14, 2004 6:07 AM
> > > To: Patrick S. Harper
> > > Subject: Re: Snort and acid prob!!! Acid not running :(
> > >
> > > what do you mean by spaning a port? please elaborate.  the switches we
> > use
> > > are self managed switches. they carry no ip addresses. i m trying to
> > figure
> > > out nessus....
> > > Aparna Mangla
> > >
> > > On Wed, 14 Jul 2004 06:06:23 -0500, Patrick S. Harper
> > > <patrick () internetsecurityguru com> wrote:
> > > > You are you on a switch, so due to the nature of switched
> > networking,
> > > > you will only see traffic destined for the switch port the snort box
> > > > is on.  Can you span a port?.  Is it all one vlan or are they
> > > > unmanaged switches?  Did you try scanning it (the IP of the snort
> > box)
> > > > with one of the tools I mentioned?
> > > >
> > > > Patrick S. Harper | CISSP RHCT MCSE
> > > > www.internetsecurityguru.com
> > > >
> > > > www.ntsug.org - Snort Users Group
> > > >
> > > > "If there is no light at the end of the tunnel, get down there and
> > > > light the damn thing yourself!"
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Aparna Mangla [mailto:aparna.mangla () gmail com]
> > > > Sent: Wednesday, July 14, 2004 5:57 AM
> > > > To: Patrick S. Harper
> > > > Subject: Re: Snort and acid prob!!! Acid not running :(
> > > >
> > > > well... we hav one router and 4 switches....i have snort installed
> > on
> > > > my linux box (one among the 50 PCs) and we dont use proxies here.
> > all
> > > > the machines are directly connected.
> > > > hope i gave the right information..
> > > > Now what? :(
> > > > Aparna Mangla
> > > >
> > > > On Wed, 14 Jul 2004 05:52:21 -0500, Patrick S. Harper
> > > > <patrick () internetsecurityguru com> wrote:
> > > > > Where is the IDS placed?  Is it on a switch?  If it is, do you
> > have
> > > > > the sniffing interface on a span port?  Were any of the 471
> > packets
> > > > > something that would trigger an alert?  Nope, because it says
> > ALERTS: 0.
> > > > > Download Nessus (www.nessus.org) or CIS
> > > > > (http://www.cerberus-infosec.co.uk/CIS-5.0.02.zip) and scan the
> > > > > interface on the snort box you are sniffing on to test it first to
> > > > > see if you have a problem with placement. I am betting you are on
> > a
> > > > > switch and only seeing broadcast traffic.
> > > > >
> > > > > If you can see the ACID interface then it is running, snort is
> > > > > starting so mysql is running, if you have your output line correct
> > > > > in your snort.conf and your acid_conf.php database lines correct
> > > > > then it is just a matter of your box not seeing any traffic.
> > Where
> > > > > exactly do you have this placed in relation to your 50 PC's?
> > > > >
> > > > > Hope this helps
> > > > >
> > > > > Patrick S. Harper | CISSP RHCT MCSE
> > > > > www.internetsecurityguru.com
> > > > >
> > > > > www.ntsug.org - Snort Users Group
> > > > >
> > > > > "If there is no light at the end of the tunnel, get down there and
> > > > > light the damn thing yourself!"
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Aparna Mangla [mailto:aparna.mangla () gmail com]
> > > > > Sent: Wednesday, July 14, 2004 5:12 AM
> > > > > To: Patrick S. Harper; nwoliver () internetsecurityguru com;
> > > > > snort-users () lists sourceforge net
> > > > > Subject: Snort and acid prob!!! Acid not running :(
> > > > >
> > > > > hi
> > > > > plz help me urgently.
> > > > >
> > > > > I have installed snort-2.0.2 with acid 0.9.6b23 on redhat 9. I
> > think
> > > > > i followed all the steps correctly. and when i run :
> > > > > snort -c /etc/snort/snort.conf
> > > > > i get the following output at the end:
> > > > >
> > > > > ====================================================================
> > > > > ==
> > > > > ======
> > > > > ===
> > > > > Snort analyzed 471 out of 471 packets, dropping 0(0.000%) packets
> > > > >
> > > > > Breakdown by protocol:                Action Stats:
> > > > >     TCP: 29         (6.157%)          ALERTS: 0
> > > > >     UDP: 208        (44.161%)         LOGGED: 0
> > > > >    ICMP: 89         (18.896%)         PASSED: 0
> > > > >     ARP: 90         (19.108%)
> > > > >   EAPOL: 0          (0.000%)
> > > > >    IPv6: 0          (0.000%)
> > > > >     IPX: 0          (0.000%)
> > > > >   OTHER: 55         (11.677%)
> > > > > DISCARD: 0          (0.000%)
> > > > > ====================================================================
> > > > > ==
> > > > > ======
> > > > > ===
> > > > > Wireless Stats:
> > > > > Breakdown by type:
> > > > >     Management Packets: 0          (0.000%)
> > > > >     Control Packets:    0          (0.000%)
> > > > >     Data Packets:       0          (0.000%)
> > > > > ====================================================================
> > > > > ==
> > > > > ======
> > > > > ===
> > > > > Fragmentation Stats:
> > > > > Fragmented IP Packets: 0          (0.000%)
> > > > >     Fragment Trackers: 0
> > > > >    Rebuilt IP Packets: 0
> > > > >    Frag elements used: 0
> > > > > Discarded(incomplete): 0
> > > > >    Discarded(timeout): 0
> > > > >   Frag2 memory faults: 0
> > > > > ====================================================================
> > > > > ==
> > > > > ======
> > > > > ===
> > > > > TCP Stream Reassembly Stats:
> > > > >         TCP Packets Used: 29         (6.157%)
> > > > >          Stream Trackers: 9
> > > > >           Stream flushes: 0
> > > > >            Segments used: 0
> > > > >    Stream4 Memory Faults: 0
> > > > > ====================================================================
> > > > > ==
> > > > > ======
> > > > > ===
> > > > > database: Closing connection to database "snort"
> > > > > Snort exiting
> > > > >
> > > > > Now...when i start the httpd interface, i get 0 alerts, 0 sensors,
> > 0
> > > > > % UDP, 0% TCP.....as though it is inactive.
> > > > > I am connected on LAN of 50 PCs.
> > > > > Please tell me how to correct it.
> > > > > Hoping for an urgent reply.
> > > > > Thanking you
> > > > > Aparna Mangla
> > > > >
> > > > > ---
> > > > > Incoming mail is certified Virus Free.
> > > > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > > > Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
> > > > >
> > > > > ---
> > > > > Outgoing mail is certified Virus Free.
> > > > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > > > Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
> > > >
> > > > ---
> > > > Incoming mail is certified Virus Free.
> > > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > > Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
> > > >
> > > > ---
> > > > Outgoing mail is certified Virus Free.
> > > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > > Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
> > >
> > > ---
> > > Incoming mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
> > >
> > > ---
> > > Outgoing mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users