Snort mailing list archives
Re: Inline logging?
From: Will Metcalf <william.metcalf () gmail com>
Date: Mon, 17 Jan 2005 14:06:01 -0600
So what exactly is your question?

Regards,
Will

On Mon, 17 Jan 2005 14:47:50 -0500, mdpeters <michael.peters () lazarusalliance com> wrote:

I have finally gotten Snort-Inline to pass traffic through a transparent bridge on Fedora Core 2, kernel vmlinuz-2.6.10-1.9_FC2smp. I am running a Nessus scan from one side of the bridge to another host on the other side of the bridge. I have these rules that I think should log everything passing through:

alert tcp $IPS_INGRESS any <> $EXTERNAL_NET any (msg: "test tcp inbound connections";)
alert udp $IPS_INGRESS any <> $EXTERNAL_NET any (msg: "test udp inbound connections";)
alert icmp $IPS_INGRESS any <> $EXTERNAL_NET any (msg: "test icmp inbound connections";)
#
alert tcp $IPS_EGRESS any <> $EXTERNAL_NET any (msg: "test tcp outbound connections";)
alert udp $IPS_EGRESS any <> $EXTERNAL_NET any (msg: "test udp outbound connections";)
alert icmp $IPS_EGRESS any <> $EXTERNAL_NET any (msg: "test icmp outbound connections";)

var IPS_INGRESS 67.14.155.128/27
var IPS_EGRESS 67.14.155.128/27
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
config checksum_mode: none
var RULE_PATH /opt/snort-inline/rules/
config layer2resets: 00:04:23:AD:ED:BA
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts,iptablesnewmark,iptablesestmark,forceiptstate
preprocessor stream4_reassemble: both
# preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output alert_full: snort-inline-full
output alert_fast: snort-inline-fast
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=username password=password dbname=snort host=localhost sensor_name=IPS
output log_tcpdump: tcpdump.log
include ips-classification.config
include ips-reference.config
include $RULE_PATH/ips.rules

I have regular Snort logging just fine. Does anyone have any ideas?

--
Best regards,
Michael
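Added example, not code from the thread or from Snort itself: a small Python checker that substitutes the posted `var` values into the posted rule headers and reports which rules a given packet would match, including the reverse direction that the `<>` operator implies. The rule and var lines are copied from the post; the function names are the example's own and the packets checked are constructed.

```python
import ipaddress
import re

# Rule and var lines copied from the post; everything else here is constructed.
CONFIG = """
var IPS_INGRESS 67.14.155.128/27
var EXTERNAL_NET any
alert tcp $IPS_INGRESS any <> $EXTERNAL_NET any (msg: "test tcp inbound connections";)
alert icmp $IPS_INGRESS any <> $EXTERNAL_NET any (msg: "test icmp inbound connections";)
"""
RULE_RE = re.compile(r"^(alert|drop|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)"
                     r"\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse(config):
    """Return rule tuples with every $VAR replaced; an unknown var raises (Snort aborts too)."""
    variables, rules = {}, []
    def resolve(tok):
        if tok.startswith("$") and tok[1:] not in variables:
            raise ValueError(f"undefined variable {tok}")
        return variables[tok[1:]] if tok.startswith("$") else tok
    for line in config.strip().splitlines():
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif m := RULE_RE.match(line):
            a, proto, src, sp, d, dst, dp, opts = m.groups()
            rules.append((a, proto, resolve(src), resolve(sp), d, resolve(dst), resolve(dp), opts))
    return rules

def addr_ok(spec, addr):
    # 'any', a CIDR, or a negated (!) CIDR
    if spec == "any": return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def port_ok(spec, port):
    # 'any', N, lo:hi, lo:, :hi, or a negated (!) form
    if spec == "any": return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    lo_n = int(lo) if lo else 0
    hi_n = int(hi) if hi else (65535 if sep else lo_n)
    return (lo_n <= port <= hi_n) != spec.startswith("!")

def matching_rules(rules, proto, src, sport, dst, dport):
    """msg strings of rules whose header matches the packet; <> also tries the reverse."""
    hits = []
    for _, rproto, rsrc, rsp, d, rdst, rdp, opts in rules:
        if rproto != proto: continue
        fwd = addr_ok(rsrc, src) and port_ok(rsp, sport) and addr_ok(rdst, dst) and port_ok(rdp, dport)
        rev = d == "<>" and addr_ok(rsrc, dst) and port_ok(rsp, dport) and addr_ok(rdst, src) and port_ok(rdp, sport)
        if fwd or rev:
            hits.append(re.search(r'msg:\s*"([^"]*)"', opts).group(1))
    return hits
```

With `$EXTERNAL_NET` set to `any` and `<>` on every rule, any packet with either endpoint inside 67.14.155.128/27 matches, so the rule headers themselves are not what would keep the scan traffic out of the logs.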