Snort mailing list archives
Configuration issue, Part II
From: "DJDave Sobel" <dave () evolvetech com>
Date: Sun, 23 Sep 2001 23:10:07 -0400
First off, thanks to everyone who's lent a hand -- I do appreciate it. Let me know where to send the coffee and/or beer... Now, to save bandwidth, I compiled my answers to everyone's questions into this one email. :) Thus, those not interested only need ignore one message.

First off, to answer Erik Adams (erek () theadamsfamily net): Tell me where to send your beer... Snort is located on my Linux router, so it's on a machine with 6 network interfaces. Two are connected to the Internet, and four are to the internal networks. I use ipchains to block various unfriendly traffic, and control who can see who, but all traffic passes across this machine. All the interfaces have been put into PROMISC mode (as I believed snort needed this). Its placement on this machine would make me think it can see everything that goes in and out of the network. It CAN see some traffic -- it does happily report on things it sees internally, such as samba communications and nameserver communications within the network. Additionally, it does seem to report occasional things from the outside.

I performed this test, per your instructions:

snort -dv host <webserver_IP>

Snort displayed a great deal about communications going on within the network. However, only things within the network for the time I watched. I then went to route-server.cerf.net and pinged the same webserver -- it did NOT report anything.

Next, John Sage (jsage () finchhaven com): I had the same thought you did, but was expecting rules located in web-iis.rules that contain the .ida access attempt to throw something every time a default.ida was requested. They haven't, so I'm assuming there's something else wrong.

Now, John Berkers (berjo () ozemail com au): Where do you want your coffee? As for output plugins, you're right -- I didn't configure any. However, even in this state, snort does log alerts to /var/log/snort/alert and /var/log/snort/portscan.log. I assumed this was the default configuration, and this works for my needs right now. I thought I'd get it working before adding on a mySQL backend and such. Is this not a true assumption? If so, cool... if not, then why is it logging to these two files even without me saying so?

Finally, Brian (bmc () snort org): Thanks for the catch on the portscan config. I've now set DNS_SERVERS to only be a remote DNS server I work with.

Thanks again for the help and insight everyone -- I do appreciate it.

Dave

Stripped down snort.conf for your reading amusement, and to remind you of the problem:

var HOME_NET [209.190.196.160/28,209.190.206.65/32,209.190.206.66/32,209.190.206.64/32,10.1.0.0/24,10.2.0.0/24]
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [207.196.42.2/32]
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
include classification.config
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include misc.rules
include local.rules
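One sanity check worth running on a config like the one quoted above is whether the web server's address actually falls inside HOME_NET (and therefore HTTP_SERVERS), since the web-iis rules only fire on traffic to hosts matched by that variable. The following is an added example, not code from the post or from Snort itself; it is a simplified parser for the `var` lines (assumed to cover only CIDR lists, `$name` references and `!` negation, which is all this config uses) and resolves whether a given IP matches a variable.

```python
import ipaddress
import re

# Constructed excerpt of the snort.conf var lines quoted in the message.
SNORT_CONF = """
var HOME_NET [209.190.196.160/28,209.190.206.65/32,209.190.206.66/32,209.190.206.64/32,10.1.0.0/24,10.2.0.0/24]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS [207.196.42.2/32]
"""


def parse_vars(conf):
    """Return {name: (negated, [networks])} for each 'var' line.

    Only the subset of Snort var syntax used in the quoted config is handled
    (assumption): a bracketed CIDR list, a single CIDR, or $REF with optional '!'.
    """
    vars_ = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        name, value = m.groups()
        negated = value.startswith("!")
        value = value.lstrip("!")
        if value.startswith("$"):            # reference to an earlier variable
            ref_negated, nets = vars_[value[1:]]
            vars_[name] = (negated != ref_negated, nets)
            continue
        nets = [ipaddress.ip_network(v, strict=False)
                for v in value.strip("[]").split(",")]
        vars_[name] = (negated, nets)
    return vars_


def matches(vars_, name, ip):
    """True if ip is covered by variable `name`, honouring '!' negation."""
    negated, nets = vars_[name]
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets) != negated


if __name__ == "__main__":
    v = parse_vars(SNORT_CONF)
    for host in ("209.190.196.170", "207.196.42.2"):   # constructed test addresses
        print(host, "in HTTP_SERVERS:", matches(v, "HTTP_SERVERS", host))
```

If the web server's real address reports False here, no $HTTP_SERVERS rule can match it regardless of which interface Snort is sniffing.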