Snort mailing list archives
Re: Question about !HOME_NET
From: "Nick Baronian" <kvetch () gmail com>
Date: Wed, 11 Oct 2006 15:50:47 -0400
I think my rule is right but for some reason it doesn't create an alert file and it is logging every packet. Local.rules is the only rule and that is

    alert ip !$HOME_NET any -> $EXTERNAL_NET any (msg:"External IP detected";)

My snort.conf looks like

    var HOME_NET [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16]
    var EXTERNAL_NET !$HOME_NET
    var DNS_SERVERS $HOME_NET
    var SMTP_SERVERS $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    var TELNET_SERVERS $HOME_NET
    var SNMP_SERVERS $HOME_NET
    var HTTP_PORTS 80
    var SHELLCODE_PORTS !80
    var ORACLE_PORTS 1521
    var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
    var RULE_PATH /etc/snort/rules
    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
    preprocessor flow: stats_interval 0 hash 2
    preprocessor frag3_global: max_frags 65536
    preprocessor frag3_engine: policy first detect_anomalies
    preprocessor stream4: disable_evasion_alerts
    preprocessor stream4_reassemble
    preprocessor http_inspect: global \
        iis_unicode_map unicode.map 1252
    preprocessor http_inspect_server: server default \
        profile all ports { 80 8080 8180 } oversize_dir_length 500
    preprocessor rpc_decode: 111 32771
    preprocessor bo
    preprocessor ftp_telnet: global \
        encrypted_traffic yes \
        inspection_type stateful
    preprocessor ftp_telnet_protocol: telnet \
        normalize \
        ayt_attack_thresh 200
    preprocessor ftp_telnet_protocol: ftp server default \
        def_max_param_len 100 \
        alt_max_param_len 200 { CWD } \
        cmd_validity MODE < char ASBCZ > \
        cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
        chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
        telnet_cmds yes \
        data_chan
    preprocessor ftp_telnet_protocol: ftp client default \
        max_resp_len 256 \
        bounce yes \
        telnet_cmds yes
    preprocessor smtp: \
        ports { 25 } \
        inspection_type stateful \
        normalize cmds \
        normalize_cmds { EXPN VRFY RCPT } \
        alt_max_command_line_len 260 { MAIL } \
        alt_max_command_line_len 300 { RCPT } \
        alt_max_command_line_len 500 { HELP HELO ETRN } \
        alt_max_command_line_len 255 { EXPN VRFY }
    preprocessor sfportscan: proto { all } \
        memcap { 10000000 } \
        sense_level { low }
    preprocessor dns: \
        ports { 53 } \
        enable_rdata_overflow
    ruletype holycrap
    {
        type alert
        output alert_syslog: LOG_AUTH LOG_ALERT
    }
    include classification.config
    include reference.config
    include $RULE_PATH/local.rules

I am starting snort by using the following -

    # snort -e -i eth1 -l /var/log/snort -D -s -k none &

I tossed the -k in there because I ran across that phantom pcap chksum bug thingie last week when playing around with Snort on Fedora and this is a RHWS4 box.

As soon as I start Snort it starts writing a snort.log and no alert file. The snort.log quickly becomes huge and appears to be logging everything. It contains stuff like

    15:18:28.420291 IP 172.30.19.40.4089 > 64.86.105.230.rtsp: tcp 0
    15:18:28.420301 IP 64.86.105.235.rtsp > 172.30.19.40.4089: tcp 1380
    15:18:28.420322 IP 10.20.7.18.3624 > 68.178.236.24.http: tcp 0
    15:18:28.420331 IP 172.30.19.40.4089 > 64.86.105.230.rtsp: tcp 0
    15:18:28.420340 IP 10.20.208.28.4641 > 64.86.105.230.http: tcp 0
    15:18:28.420349 IP 10.20.7.18.3624 > 68.178.236.24.http: tcp 0
    15:18:28.420415 IP 172.16.25.27.syslog > 172.16.15.17.syslog: UDP, length 78

If my rule is right, the snort.log shouldn't have any of the 172.30/16's, nor any 10.20.x.x addresses in it, right? Does anyone see what I am doing wrong?

Thanks,
Nick
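As an added illustration, not part of the original post and not Snort's own code, the Python below applies Snort's address-variable semantics to the rule header and the packets quoted in the message: it expands $HOME_NET and the negated $EXTERNAL_NET into network lists, flips the sense for each `!`, and tests the source and destination of every quoted log line against the header. The rule-header parser is a simplified reimplementation written for this check (it handles the IP half of the header and ignores ports); the variable values and log lines are copied from the post, and the extra address pairs in `__main__` are constructed for contrast.

```python
import ipaddress
import re

# Variable definitions as written in the post's snort.conf.
CONF_VARS = {
    "HOME_NET": "[172.0.0.0/8,10.0.0.0/8,192.168.0.0/16]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# The header of the post's only rule; the (msg:...) options do not affect address matching.
RULE_HEADER = "alert ip !$HOME_NET any -> $EXTERNAL_NET any"

# Packet log lines quoted in the post (tcpdump-style output written to snort.log).
LOG_LINES = """
15:18:28.420291 IP 172.30.19.40.4089 > 64.86.105.230.rtsp: tcp 0
15:18:28.420301 IP 64.86.105.235.rtsp > 172.30.19.40.4089: tcp 1380
15:18:28.420322 IP 10.20.7.18.3624 > 68.178.236.24.http: tcp 0
15:18:28.420331 IP 172.30.19.40.4089 > 64.86.105.230.rtsp: tcp 0
15:18:28.420340 IP 10.20.208.28.4641 > 64.86.105.230.http: tcp 0
15:18:28.420349 IP 10.20.7.18.3624 > 68.178.236.24.http: tcp 0
15:18:28.420415 IP 172.16.25.27.syslog > 172.16.15.17.syslog: UDP, length 78
"""


def parse_ip_spec(spec, variables):
    """Resolve a Snort address spec ('any', '$VAR', '!$VAR', '[a/n,b/m]') to
    (negated, networks). networks is None for 'any'. Nested '!' cancels out."""
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):
        negated = True
        spec = spec[1:]
    if spec.startswith("$"):
        inner_negated, nets = parse_ip_spec(variables[spec[1:]], variables)
        return negated != inner_negated, nets
    if spec == "any":
        return negated, None
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",")]
    return negated, nets


def ip_matches(addr, spec):
    """True if addr satisfies the (negated, networks) spec."""
    negated, nets = spec
    in_set = True if nets is None else any(addr in n for n in nets)
    return in_set != negated


def parse_rule_header(header, variables):
    """Split 'action proto src sport dir dst dport' and resolve both address specs."""
    action, proto, src, _sport, direction, dst, _dport = header.split()
    return {"action": action, "proto": proto,
            "src": parse_ip_spec(src, variables),
            "dst": parse_ip_spec(dst, variables),
            "bidir": direction == "<>"}


def rule_matches(rule, src, dst):
    forward = ip_matches(src, rule["src"]) and ip_matches(dst, rule["dst"])
    if rule["bidir"]:
        return forward or (ip_matches(dst, rule["src"]) and ip_matches(src, rule["dst"]))
    return forward


LOG_RE = re.compile(r"IP (\S+) > (\S+):")


def parse_log_line(line):
    """Extract (src, dst) addresses from a tcpdump-style line; the trailing
    '.port' or '.service' component is stripped. Returns None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group(1).rsplit(".", 1)[0])
    dst = ipaddress.ip_address(m.group(2).rsplit(".", 1)[0])
    return src, dst


def classify(log_text, rule_header=RULE_HEADER, variables=CONF_VARS):
    """Return [(src, dst, matched)] for every packet line in log_text."""
    rule = parse_rule_header(rule_header, variables)
    results = []
    for line in log_text.strip().splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        results.append((str(src), str(dst), rule_matches(rule, src, dst)))
    return results


def check_pair(src, dst, rule_header=RULE_HEADER, variables=CONF_VARS):
    """Evaluate a rule header against two address strings."""
    rule = parse_rule_header(rule_header, variables)
    return rule_matches(rule, ipaddress.ip_address(src), ipaddress.ip_address(dst))


if __name__ == "__main__":
    for src, dst, matched in classify(LOG_LINES):
        print(f"{src:>16} -> {dst:<16} matches rule: {matched}")
    # Constructed external-to-external pair: the only kind of packet this header can match.
    print("64.86.105.235 -> 68.178.236.24 matches rule:", check_pair("64.86.105.235", "68.178.236.24"))
```

Every quoted packet has at least one endpoint inside 172.0.0.0/8 or 10.0.0.0/8, so none of them satisfies !$HOME_NET on both sides and the rule cannot be what produced them. Separately, the command line quoted in the post passes no `-c snort.conf`; in Snort 2, `-l` without `-c` selects packet logger mode, which reads no configuration and no rules and writes every captured packet to the log directory.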
Current thread:
- Question about !HOME_NET Nick Baronian (Oct 11)
- Re: Question about !HOME_NET M. Shirk (Oct 11)
- Re: Question about !HOME_NET Joel Esler (Oct 11)
- Re: Question about !HOME_NET Nick Baronian (Oct 11)
- Re: Question about !HOME_NET Nick Baronian (Oct 11)
- Re: Question about !HOME_NET Todd Wease (Oct 11)
- Re: Question about !HOME_NET M. Shirk (Oct 11)