Snort mailing list archives
RE: Snort Newbie
From: "Neal Timm" <ntimm () austin rr com>
Date: Sun, 16 Sep 2001 03:50:52 -0500
Your external variable should basically be any, which means any traffic coming in. The internal should be whatever IP interface Snort is listening on. The log makes sense; you just have to have a good understanding of TCP/IP headers. Check out http://www.invaultech.com/papers/basic-hex.html. This alarm is from IP 66.31.138.68 port # 1198 going to 66.31.82.9:80; the TTL is 124, which basically is a Windows box about 4 hops away; the ACK flag is set. You can look at your rules and see how this alarm was triggered. In short, this is a Code Red alarm.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Withrow
Sent: Sunday, September 16, 2001 02:00 AM
To: snort-users () lists sourceforge net
Subject: PS: [Snort-users] Snort Newbie

Ok, I think that is the problem: I need to define the IPs as External and Internal. I am guessing (don't laugh, I am pretty new at this) that the $EXTERNAL var should be my global internet NIC IP and $INTERNAL should be my intranet 192.168.x.x NIC?

Also, how does one make any sense out of the packets? This looks pretty Greek to me.

[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x5EA
66.31.138.68:1198 -> 66.31.82.9:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF79A6595 Ack: 0xF0C2A391 Win: 0x4470 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

- J

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Withrow
Sent: Sunday, September 16, 2001 2:52 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Newbie

Hi, I just installed the 1.8 win32 build of Snort on a Win2k Server. I am having a difficult time getting the rule sets to work. I think that I don't have the rules set up properly. Do I need to define $INTERNAL and $EXTERNAL as IP/ports somewhere? This is just for my home box. Here is the sample rule I am trying to get to work.

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS552/web-iis_IIS ISAPI Overflow ida"; dsize: >239; flags: A+; uricontent: ".ida?"; classtype: system-or-info-attempt; reference: arachnids,552;)

Thanks for any help, it is greatly appreciated.

- Jwatch
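To make the reply's reading of the alert concrete, here is an added Python example (not from the thread or from Snort itself) that parses the quoted Snort alert header into the fields the reply walks through, derives the payload size Snort's dsize option tests, applies the same TTL-distance heuristic the reply uses, and checks the IDS552 rule's header, dsize and flags conditions. The alert text is a constructed copy of the one quoted above; the uricontent check is not reproduced because the alert header carries no payload.

```python
import re

# Constructed copy of the alert quoted in the thread (same field values).
SAMPLE_ALERT = """[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x5EA
66.31.138.68:1198 -> 66.31.82.9:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF79A6595 Ack: 0xF0C2A391 Win: 0x4470 TcpLen: 20"""

MSG_RE = re.compile(r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]")
IP_RE = re.compile(r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
                   r"(?P<proto>\w+) TTL:(?P<ttl>\d+) .*?IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
# Snort prints the TCP flag byte as eight positions, '*' for a clear bit.
TCP_RE = re.compile(r"^(?P<flags>[\dA-Z*]{8}) .*?TcpLen: (?P<tcplen>\d+)", re.M)

def parse_alert(text):
    """Extract the fields a rule writer cares about from a Snort full-format TCP alert."""
    m, ip, tcp = MSG_RE.search(text), IP_RE.search(text), TCP_RE.search(text)
    if not (m and ip and tcp):
        raise ValueError("not a recognised Snort TCP alert")
    ttl = int(ip["ttl"])
    # dsize is the TCP payload: IP total length minus the IP and TCP headers.
    dsize = int(ip["dgmlen"]) - int(ip["iplen"]) - int(tcp["tcplen"])
    # Heuristic from the reply: common initial TTLs are 64/128/255, so the
    # distance is the gap to the next one up (124 -> 128 - 124 = 4 hops).
    initial = next(t for t in (64, 128, 255) if t >= ttl)
    return {
        "msg": m["msg"], "src": ip["src"], "sport": int(ip["sport"]),
        "dst": ip["dst"], "dport": int(ip["dport"]), "proto": ip["proto"],
        "ttl": ttl, "hops": initial - ttl, "dsize": dsize,
        "flags": {c for c in tcp["flags"] if c != "*"},
    }

def rule_would_match(alert, dport=80, min_dsize=239, flags_plus="A"):
    """Mirror the IDS552 rule's non-content tests: TCP to port 80,
    dsize > 239, and flags A+ (ACK set, any other flags allowed)."""
    return (alert["proto"] == "TCP" and alert["dport"] == dport
            and alert["dsize"] > min_dsize and set(flags_plus) <= alert["flags"])

if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(a)
    print("header/dsize/flags conditions met:", rule_would_match(a))
```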