Snort mailing list archives

Re: Still trying to build this box


From: Jim Turner <JTurner () hilltopconsultants com>
Date: Tue, 12 Mar 2013 15:31:25 -0400

Assuming I have Snort working properly on this Windows 7 box, how do I connect it to the network?

I have the box configured as 192.168.x.81.  Do I need to use a mirrored port on my network switch?
Sent from my iPhone

On Mar 12, 2013, at 12:54 PM, "waldo kitty" <wkitty42 () windstream net> wrote:

On 3/12/2013 10:55, Jim Turner wrote:
Hello Waldo Kitty,

I watched a youtube video where the guy was able to test his logging by pinging
websites.

okay...

Is this no longer an activity that can be logged?

it can be if you have rules for such traffic and they are enabled as well as
looking on the proper interface...

I suspect that I have successfully installed Snort. I would like to know if it
is working before I deploy the box on a network.

Is there any way to verify that everything is working perfectly?

not everything but... ;)

what some blogs and helpers recommend is to create a local.rules file and then
create a rule in there that will alert on everything... make sure that
local.rules is included in your snort.conf and that it is with your other rules
files with the proper permissions... then restart snort... the "catch
everything" rules would be something like these...


alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; sid:3; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; sid:6; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; sid:7; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; sid:8; rev:1;)


"any" used to be allowed as a protocol but when i tested it just now with snort
2.9.3.1, it didn't like it at all...

you'll want to disable these as soon as possible and restart snort ;)


From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Tuesday, March 12, 2013 11:51 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Still trying to build this box

On 3/12/2013 09:03, Jim Turner wrote:
I have made progress since last night. Snort is now starting and not erroring on
the rules. I accomplished this by uninstalling and starting all over again. Now
I am just unable to log any of the data.

what are you expecting to log? snort will only log traffic that creates
alerts... regular/normal traffic should not create alerts... it only ran for 90
seconds...



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
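A way to check the local.rules file and the snort.conf include before restarting snort, as an added example that is not part of this thread or of Snort itself: a small Python linter that parses each rule header, rejects protocols that Snort 2.9.3.1 will not accept (the "any" protocol mentioned above), flags rules that a mail client has wrapped across two lines, catches a sid used twice, and confirms that snort.conf carries an uncommented include for local.rules. The rule grammar, the regular expressions, the sample rule text and the snort.conf fragments are all constructed for this example and are not Snort's own parser or configuration.

```python
"""Lint a Snort 2.x local.rules file and its snort.conf include before a restart.

Added example for this thread; the grammar below is a simplified approximation
of Snort's rule header, not Snort's parser.
"""
import re

# action proto src src_port direction dst dst_port ( options )
RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)
# Snort 2.9.3.1 rejected "any" as a protocol in the thread; these four load.
VALID_PROTOS = {"tcp", "udp", "icmp", "ip"}
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')


def split_options(opts):
    """Split the option body on ';' while ignoring ';' inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_options(opts):
    """Return {name: value} for 'name:value' options and {name: True} for bare flags."""
    parsed = {}
    for item in split_options(opts):
        name, _, value = item.partition(":")
        parsed[name.strip()] = value.strip().strip('"') if value else True
    return parsed


def join_continuations(text):
    """Yield (first_line_number, logical_line); a trailing backslash continues a rule."""
    joined, buf, start = [], "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        joined.append((start, buf + raw))
        buf, start = "", None
    if buf:
        joined.append((start, buf))
    return joined


def lint_rules(text):
    """Return (parsed_rules, findings); an empty findings list means the file is clean."""
    rules, findings, seen_sids = [], [], {}
    for lineno, line in join_continuations(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = RULE_RE.match(stripped)
        if not m:  # typical cause: a rule wrapped onto two lines without a backslash
            findings.append(f"line {lineno}: not a complete rule on one line: {stripped[:40]!r}")
            continue
        proto = m.group("proto")
        if proto not in VALID_PROTOS:
            findings.append(f"line {lineno}: unsupported protocol {proto!r}")
        opts = parse_options(m.group("opts"))
        for required in ("msg", "sid", "rev"):
            if required not in opts:
                findings.append(f"line {lineno}: missing {required}")
        sid = opts.get("sid")
        if sid in seen_sids:
            findings.append(f"line {lineno}: sid {sid} already used on line {seen_sids[sid]}")
        elif sid is not None:
            seen_sids[sid] = lineno
        rules.append({"line": lineno, "proto": proto, "msg": opts.get("msg"), "sid": sid})
    return rules, findings


def conf_includes_local_rules(conf_text):
    """True if snort.conf has an uncommented 'include ...local.rules' line."""
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(1).replace("\\", "/").endswith("local.rules"):
            return True
    return False


# Constructed sample: the thread's catch-all rules, one rule per line.
CATCH_ALL_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; sid:3; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; sid:6; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; sid:7; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; sid:8; rev:1;)
"""
# Constructed sample of the mistakes the thread warns about: the "any" protocol,
# a rule wrapped across two lines by a mail client, and a reused sid.
BROKEN_RULES = """\
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"everything"; sid:9; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound";
sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"dup"; sid:9; rev:1;)
"""
# Constructed snort.conf fragments (Windows paths are assumptions, not from the thread).
SNORT_CONF_OK = "var RULE_PATH c:\\Snort\\rules\ninclude $RULE_PATH\\local.rules\n"
SNORT_CONF_MISSING = "var RULE_PATH c:\\Snort\\rules\n# include $RULE_PATH\\local.rules\n"

if __name__ == "__main__":
    for label, text in (("catch-all", CATCH_ALL_RULES), ("broken", BROKEN_RULES)):
        rules, findings = lint_rules(text)
        print(f"{label}: {len(rules)} rules parsed, {len(findings)} findings")
        for f in findings:
            print("  " + f)
    print("snort.conf includes local.rules:", conf_includes_local_rules(SNORT_CONF_OK))
```

Run it against the real local.rules and snort.conf by reading the files into the two functions; a clean result is the point at which restarting snort (and, as waldo kitty says, disabling the catch-all rules again once logging is confirmed) makes sense.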