Honeypots mailing list archives
Re: GenII Honeynet practical use of Snort/Snort_Inline/Swatch
From: "ravenlord" <ravenlord () hotpop com>
Date: Sat, 28 Jun 2003 11:03:21 -0700
----- Original Message -----
From: "Brent J. Nordquist" <brent () nordist net>
To: <honeypots () securityfocus com>
Sent: Friday, June 27, 2003 11:02 AM
Subject: GenII Honeynet practical use of Snort/Snort_Inline/Swatch
> - The GenII paper says "If you are running drop-rules.tgz ruleset, you test simply by first enabling the default test rule," -- I am using the distributed drop-rules.tgz, but I couldn't find that ruleset. Can someone point me to it? (I added my own that was basically a wildcard, and confirmed that it triggered Snort_Inline.)
I guess you can use the convert script http://www.honeynet.org/papers/honeynet/tools/convert.sh to convert all Snort rules to drop rules.
> Data Capture: The paper says that Snort is supposed to be used for data capture (both inbound and outbound). - The paper doesn't appear to say anything about how to set up rules that achieve this. I did a telnet in both directions, but neither one was logged. Again, I added a simple "wildcard" rule and was able to get Snort to trigger and log the session. So it looks like the standard Snort rules (which appear to be set up to catch "bad" activity) aren't what you want for capturing *all* activity. What Snort rules do people use?
The Snort conf file for capturing all packets is http://www.honeynet.org/papers/honeynet/tools/snort.conf; look for the line that says

log ip any any <> any any (msg: "Snort Unmatched"; session: printable;)

If you look into http://www.honeynet.org/papers/honeynet/tools/snort.sh (the Snort startup file), Snort is invoked with the following command:

$SNORT -d -D -c /etc/snort/snort.conf -i eth1 -l $DIR/$DATE

where the log output is directed to the $DIR/$DATE directory, which by default (unless you change the $DIR variable) is /var/log/honeyd/$DATE. So all the packet captures will be stored in that particular directory, and Snort will still capture all the packets even if you remove all the rules from snort.conf.
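As an added example (it is not the Honeynet Project's own convert.sh or snort.sh, nor part of the original message), the small POSIX shell script below mirrors the two pieces of the setup discussed in this thread: rewriting stock Snort "alert" rules into Snort_Inline "drop" rules, as the convert script does, and checking a snort.conf for the catch-all "log ip any any <> any any" rule that makes Snort record every session instead of only signature matches. The rule set used in the demo is constructed, the default log directory and date format are assumptions, and the real snort invocation is left as a comment so the script runs offline.

```shell
#!/bin/sh
# Added example, not the Honeynet Project's convert.sh or snort.sh.

# 1. Convert ordinary Snort "alert" rules to Snort_Inline "drop" rules.
#    Reads rules on stdin, writes the converted rules on stdout. Comments,
#    blank lines and rules using other actions (log, pass) are left as-is.
convert_to_drop() {
    sed -e 's/^[[:space:]]*alert[[:space:]]/drop /'
}

# 2. Report whether a snort.conf carries the catch-all logging rule
#    "log ip any any <> any any ..." that records unmatched traffic.
#    $1 is the path to the conf file; prints "yes" or "no".
has_catchall_log() {
    if grep -Eq '^[[:space:]]*log[[:space:]]+ip[[:space:]]+any[[:space:]]+any[[:space:]]+<>[[:space:]]+any[[:space:]]+any' "$1"; then
        echo yes
    else
        echo no
    fi
}

# 3. Build the per-run log directory the startup script uses ($DIR/$DATE).
#    $1 is the base directory, $2 the date stamp; the defaults below
#    (/var/log/honeyd and a YYYYMMDD stamp) are assumptions for illustration.
snort_log_dir() {
    printf '%s/%s\n' "${1:-/var/log/honeyd}" "${2:-$(date +%Y%m%d)}"
}

# Demo over a constructed rule set (these are not real honeynet rules).
demo() {
    printf '%s\n' \
        '# sample rules (constructed for this example)' \
        'alert tcp any any -> $HOME_NET 23 (msg:"telnet to honeypot"; sid:1000001;)' \
        'log ip any any <> any any (msg:"Snort Unmatched"; session:printable;)' \
        'pass tcp $HOME_NET any -> any 53' \
        | convert_to_drop
    echo "log dir: $(snort_log_dir)"
    # The startup script then runs (do not execute here, snort is not installed):
    #   mkdir -p "$DIR/$DATE"
    #   $SNORT -d -D -c /etc/snort/snort.conf -i eth1 -l "$DIR/$DATE"
}

demo
```

Pipe your own rules through convert_to_drop before handing them to Snort_Inline, and run has_catchall_log against the snort.conf you deploy; if it prints "no", Snort will log only signature hits and a plain telnet session like the one described above will not be recorded.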
Current thread:
- GenII Honeynet practical use of Snort/Snort_Inline/Swatch Brent J. Nordquist (Jun 27)
- Re: GenII Honeynet practical use of Snort/Snort_Inline/Swatch ravenlord (Jun 27)
- Re: GenII Honeynet practical use of Snort/Snort_Inline/Swatch Lance Spitzner (Jun 27)