Snort mailing list archives

RE: Snort Newbie


From: "Neal Timm" <ntimm () austin rr com>
Date: Sun, 16 Sep 2001 03:50:52 -0500

Your external variable should basically be any, which means any traffic coming
in.  The internal should be whatever IP interface Snort is listening on.
The log makes sense; you just have to have a good understanding of TCP/IP
headers. Check out http://www.invaultech.com/papers/basic-hex.html. This
alarm is from IP 66.31.138.68 port # 1198 going to 66.31.82.9:80; the TTL is
124, which basically is a Windows box about 4 hops away; the ACK flag is set.
You can look at your rules and see how this alarm was triggered.  In short
this is a Code Red alarm.
  -----Original Message-----
  From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jason Withrow
  Sent: Sunday, September 16, 2001 02:00 AM
  To: snort-users () lists sourceforge net
  Subject: PS: [Snort-users] Snort Newbie


  Ok, I think that is the problem, I need to define the IP's as External and
Internal.



  I am guessing (Don't laugh, I am pretty new at this) that the $EXTERNAL
var should be my global internet NIC IP and $INTERNAL should be my intranet
192.168.x.x NIC?



  Also, how does one make any sense out of the packets? This looks pretty
Greek to me.



  [**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
  09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x5EA
  66.31.138.68:1198 -> 66.31.82.9:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF
  ***A**** Seq: 0xF79A6595  Ack: 0xF0C2A391  Win: 0x4470  TcpLen: 20
  =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



  - J



  -----Original Message-----
  From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Withrow
  Sent: Sunday, September 16, 2001 2:52 AM
  To: snort-users () lists sourceforge net
  Subject: [Snort-users] Snort Newbie



  Hi,  I just installed the 1.8 win32 build of Snort on a win2k Server.



  I am having a difficult time getting the rule sets to work.



  I think that I don't have the rules set up properly.

  Do I need to define $INTERNAL and $EXTERNAL as ip/ports somewhere?



  This is just for my home box.



  Here is the sample rule I am trying to get to work.



  alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS552/web-iis_IIS ISAPI Overflow ida"; dsize: >239; flags: A+; uricontent: ".ida?"; classtype: system-or-info-attempt; reference: arachnids,552;)



  Thanks for any help, it is greatly appreciated.



  - Jwatch
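As an added example (not part of the thread), a small Python parser for the Snort 1.8 alert block quoted above: it pulls out the addresses, TTL and TCP flags, applies the same default-TTL reasoning the reply uses (128 - 124 = 4 hops), and checks the dsize and flags conditions of the IDS552 rule against the header. The sample is the alert from the thread with the mail-client line wrapping undone; the default-TTL table and the helper names are assumptions.

```python
import re

# Sample input: the alert quoted in the thread, with the wrapped lines rejoined.
ALERT = """[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x5EA
66.31.138.68:1198 -> 66.31.82.9:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF79A6595  Ack: 0xF0C2A391  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

FLAG_NAMES = "12UAPRSF"        # order in which Snort 1.x prints the TCP flag field
DEFAULT_TTLS = (64, 128, 255)  # assumed common initial TTLs (Unix-like, Windows, routers)

def parse_alert(text):
    """Parse one Snort 1.8 text alert into a dict of header fields."""
    lines = [l.strip() for l in text.strip().splitlines()]
    msg = re.match(r"\[\*\*\]\s*(.*?)\s*\[\*\*\]", lines[0]).group(1)
    ip = re.match(r"(\S+):(\d+) -> (\S+):(\d+) (\w+) TTL:(\d+) .*?IpLen:(\d+) DgmLen:(\d+)",
                  lines[2])
    src, sport, dst, dport, proto, ttl, iplen, dgmlen = ip.groups()
    flag_str, tcplen = re.match(r"([\w*]{8}) .*TcpLen: (\d+)", lines[3]).groups()
    flags = {FLAG_NAMES[i] for i, c in enumerate(flag_str) if c != "*"}
    return {
        "msg": msg, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        "proto": proto, "ttl": int(ttl), "flags": flags,
        # payload bytes = IP datagram length minus the IP and TCP header lengths
        "payload_len": int(dgmlen) - int(iplen) - int(tcplen),
    }

def ttl_guess(ttl):
    """Nearest common initial TTL at or above the observed value, and implied hop count."""
    start = min(t for t in DEFAULT_TTLS if t >= ttl)
    return start, start - ttl

def header_matches_rule(alert, min_dsize=239, required_flags=frozenset("A")):
    """Check the parts of the IDS552 rule visible in the header dump (dsize: >239 and
    flags: A+); uricontent needs the payload, which the text alert does not include."""
    return alert["payload_len"] > min_dsize and required_flags <= alert["flags"]

if __name__ == "__main__":
    a = parse_alert(ALERT)
    print(a)
    print("initial TTL / hops:", ttl_guess(a["ttl"]))
    print("header satisfies rule dsize+flags:", header_matches_rule(a))
```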

