Snort mailing list archives
Re: Still trying to build this box
From: Jim Turner <JTurner () hilltopconsultants com>
Date: Tue, 12 Mar 2013 15:31:25 -0400
Assuming I have Snort working properly on this Windows 7 box, how do I connect it to the network? I have the box configured as 192.168.x.81. Do I need to use a mirrored port on my network switch?

Sent from my iPhone

On Mar 12, 2013, at 12:54 PM, "waldo kitty" <wkitty42 () windstream net> wrote:

On 3/12/2013 10:55, Jim Turner wrote:
Hello Waldo Kitty, I watched a youtube video where the guy was able to test his logging by pinging websites.
okay...
Is this no longer an activity that can be logged?
it can be if you have rules for such traffic and they are enabled as well as looking on the proper interface...
I suspect that I have successfully installed Snort. I would like to know if it is working before I deploy the box on a network. Is there any way to verify that everything is working perfectly?
not everything but... ;)

what some blogs and helpers recommend is to create a local.rules file and then create a rule in there that will alert on everything... make sure that local.rules is included in your snort.conf and that it is with your other rules files with the proper permissions... then restart snort... the "catch everything" rules would be something like these...

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; sid:3; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; sid:6; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; sid:7; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; sid:8; rev:1;)

"any" used to be allowed as a protocol but when i tested it just now with snort 2.9.3.1, it didn't like it at all...

you'll want to disable these as soon as possible and restart snort ;)
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Tuesday, March 12, 2013 11:51 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Still trying to build this box

On 3/12/2013 09:03, Jim Turner wrote:
I have made progress since last night. Snort is now starting and not erroring on the rules. I accomplished this by uninstalling and starting all over again. Now I am just unable to log any of the data.

what are you expecting to log? snort will only log traffic that creates alerts... regular/normal traffic should not create alerts...

it only ran for 90 seconds...
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
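The advice in the thread is to drop the "catch everything" rules into local.rules and restart Snort, and it notes that "any" is no longer accepted as a protocol. A quick lint of that file before the restart catches that mistake, plus a reused sid from copy-pasting, before Snort refuses the rule set. This is an added example, not code from the thread or from the Snort project; it parses only the simple header and option syntax shown above, assumes ip, tcp, udp and icmp are the accepted protocols, and runs on a constructed sample.

```python
import re

# "any" is deliberately absent: the thread reports snort 2.9.3.1 rejects it as a protocol.
VALID_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
RULE_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(line):
    """Parse 'action proto src sport dir dst dport (options)'; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_HEADER.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line}")
    opts = {}
    for opt in filter(str.strip, m.group("opts").split(";")):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {**m.groupdict(), "opts": opts}

def check_rules(text):
    """Lint a local.rules body; returns a list of problem strings (empty means OK)."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
        except ValueError as e:
            problems.append(f"line {n}: {e}")
            continue
        if rule is None:
            continue
        if rule["proto"] not in VALID_PROTOCOLS:
            problems.append(f"line {n}: protocol '{rule['proto']}' is not valid; use ip, tcp, udp or icmp")
        sid = rule["opts"].get("sid")
        if sid is None:
            problems.append(f"line {n}: missing sid")
        elif sid in seen:
            problems.append(f"line {n}: sid {sid} already used on line {seen[sid]}")
        seen.setdefault(sid, n)
    return problems

# Constructed sample: one catch-all rule from the thread, the "any" protocol variant it warns about, and a reused sid 1.
SAMPLE_LOCAL_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"any traffic inbound"; sid:9; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; sid:1; rev:1;)
"""
```

Running `check_rules` over the real local.rules before restarting Snort reports line numbers for each problem; an empty list means the file at least parses the way the thread's rules do.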