Snort mailing list archives
Re: Noob
From: Tim Slighter <tslighter () itc nrcs usda gov>
Date: Wed, 22 Dec 2004 11:19:44 -0700
The first best step is to fine tune your HOME_NET and EXTERNAL_NET variables. Once you have those in place, you might want to start customizing your rules. As for SNMP alerts, you may have to write a custom rule that will not alert for that printer.
(Original)
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)

This rule could be customized to not alert for a particular host or net:
alert tcp $EXTERNAL_NET any -> !192.168.1.192 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)
alert tcp $EXTERNAL_NET any -> !192.168.1.0/24 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)
Work with the EXTERNAL_NET variable if the source IP is the cause of the surplus of alerts.
Hopefully that gives you an idea of where to start. Brian Stamper wrote:
Well I'm new to snort but so far I have the following: Snort logging to a mysql database w/ Apache2+PHP running acid. Also have the Webmin snort module up and running. Here is my problem. Currently out of the box snort is running on a network of roughly 300+ machines. IT'S UGLY!! I am getting info everywhere. Like 40 or 50+ alerts a minute. Things from public SNMP stuff to dropped ICMP packets. Does anyone have any pointers on where to start to get this to be useful rather than overwhelming? I've researched some of it and it seems that the print server we have polls the printers w/ this SNMP public broadcast every time something gets printed. I'm at a loss in hope that my network isn't really this messed up!! Are there any docs that explain what is/isn't needed for rules and what to setup from scratch? All of this and I'm still on a switched network...no monitoring port or nothing. All I see is what comes and goes from this machine and the network broadcasts basically. Currently running snort 2.2.0 on Gentoo Linux.
Thanks, Brian
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
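Tim's two suggestions above (set HOME_NET/EXTERNAL_NET first, then negate the printer's address in the rule's destination) modelled as an added example; this is not code from the thread or from Snort. It is a minimal matcher for the Snort rule header only, with constructed traffic: 192.168.1.0/24 and 192.168.1.192 come from the thread, while the print server (192.168.1.10), the other host (192.168.1.20) and the outside address (203.0.113.5) are assumed.

```python
import ipaddress

# snort.conf variables: Snort's out-of-the-box defaults versus the tuned
# values Tim recommends (192.168.1.0/24 is the LAN from the thread).
DEFAULT_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
TUNED_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

def addr_matches(spec, ip, variables):
    """Evaluate a Snort address spec ('any', '$VAR', '!spec', CIDR, host).
    Bracketed lists such as [a,b] are outside this minimal matcher."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):          # negation applies to whatever follows
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):          # variable reference, may itself be negated
        return addr_matches(variables[spec[1:]], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(rule, pkt, variables):
    """Match (src, sport, dst, dport) against the rule header; the options in
    parentheses (content, sid, ...) would be checked next by Snort, not here."""
    _action, _proto, rsrc, rsport, _arrow, rdst, rdport = rule.split("(", 1)[0].split()
    src, sport, dst, dport = pkt
    return (addr_matches(rsrc, src, variables) and port_matches(rsport, sport)
            and addr_matches(rdst, dst, variables) and port_matches(rdport, dport))

# Tim's original header and his host-excluded variant (options shortened).
ORIGINAL = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; sid:1412;)'
NO_PRINTER = 'alert tcp $EXTERNAL_NET any -> !192.168.1.192 161 (msg:"SNMP public access tcp"; sid:1412;)'

# Constructed traffic: print server polling the printer, print server polling
# another LAN host, and an outside address probing SNMP on the LAN.
SERVER_TO_PRINTER = ("192.168.1.10", 40000, "192.168.1.192", 161)
SERVER_TO_OTHER = ("192.168.1.10", 40001, "192.168.1.20", 161)
OUTSIDE_TO_LAN = ("203.0.113.5", 50000, "192.168.1.20", 161)

def tuning_effects():
    """Which of the five scenarios fire, in order."""
    return (
        header_matches(ORIGINAL, SERVER_TO_PRINTER, DEFAULT_VARS),   # True: Brian's flood
        header_matches(ORIGINAL, SERVER_TO_PRINTER, TUNED_VARS),     # False: LAN source is not EXTERNAL_NET
        header_matches(ORIGINAL, OUTSIDE_TO_LAN, TUNED_VARS),        # True: outside probe still alerts
        header_matches(NO_PRINTER, SERVER_TO_PRINTER, DEFAULT_VARS), # False: printer negated
        header_matches(NO_PRINTER, SERVER_TO_OTHER, DEFAULT_VARS),   # True: other hosts still covered
    )
```

With the variables tuned, LAN-to-LAN polling never reaches the rule options at all, which is why Tim puts that step before editing any rule.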