Snort mailing list archives

Re: Configuration issue, Part II


From: John Sage <jsage () finchhaven com>
Date: Tue, 25 Sep 2001 05:25:15 -0700

Bob:

Bob Hillegas wrote:

John, I too use a dialup ppp connection on a firewall/IDS box. But I see
less than one percent of traffic and rarely see any packets that IPChains
logs, and I do log every DENY, REJECT.


Remember that you may have to tell snort to look at what you want to see; I'm logging or alerting on *everything* via my own rules..


You showed your command line. Do you mind sharing your 'cat snort.conf |
grep -v ^# | grep -v ^$'?



Here you go:

var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

preprocessor frag2
preprocessor stream4: detect_scans, detect_state_problems
preprocessor stream4_reassemble: ports all
preprocessor unidecode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log

output alert_syslog: LOG_DAEMON LOG_ALERT
output alert_full: /var/log/snort/alertREL.full

include classification.config

alert tcp 127.0.0.0/8 any -> $HOME_NET any (msg: "Alert: tcp from 127 block";)
alert udp 127.0.0.0/8 any -> $HOME_NET any (msg: "Alert: udp from 127 block";)
alert icmp 127.0.0.0/8 any -> $HOME_NET any (msg: "Alert: icmp from 127 block";)

alert tcp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: tcp from 192-168 block";)
alert udp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: udp from 192-168 block";)
alert icmp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: icmp from 192-168 block";)

alert tcp 10.0.0.0/8 any -> $HOME_NET any (msg: "Alert: tcp from 10 block";)
alert udp 10.0.0.0/8 any -> $HOME_NET any (msg: "Alert: udp from 10 block";)
alert icmp 10.0.0.0/8 any -> $HOME_NET any (msg: "Alert: icmp from 10 block";)

alert tcp 172.16.0.0/12 any -> $HOME_NET any (msg: "Alert: tcp from 172-[16-31] block";)
alert udp 172.16.0.0/12 any -> $HOME_NET any (msg: "Alert: udp from 172-[16-31] block";)
alert icmp 172.16.0.0/12 any -> $HOME_NET any (msg: "Alert: icmp from 172-[16-31] block";)

include /usr/local/snort-1.8.1-RELEASE/tcpREL-local-lib
include /usr/local/snort-1.8.1-RELEASE/udpREL-local-lib
include /usr/local/snort-1.8.1-RELEASE/icmpREL-local-lib


OK: so what's going on with the last?

Again, what I'm doing is -b binary logging *everything* via my own rules; later on I run the logs against more conventional snort rules for analysis with a couple aliases:

alias snort18view='snort18 -dv -i ppp0 -P 2000 -r '

and

alias snort18check='snort18 -dv -i ppp0 -l . -P 2000 -c /usr/local/snort-1.8.1-beta4/snort18check.conf -r '

that are in my .bashrc (heh.. and which I can see I need to update to RELEASE ;-)


My /usr/local/snort-1.8.1-RELEASE/*REL-local-lib rules files look something like this:

<snip>
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"TCP to 110 pop3";)
log tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"TCP from 110 pop3";)
# alert to, log from
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"TCP to 111 sunrpc";)
alert tcp $EXTERNAL_NET 111 -> $HOME_NET any (msg:"TCP from 111 sunrpc";)
# tcp only: alert to, log from
<snip>

So for all ports, I'm either logging or alerting, either on specific ports (as above..) or on port ranges as below:

<snip>
#
log tcp $EXTERNAL_NET any -> $HOME_NET 61000:65095 (msg:"TCP to masq range";)
alert tcp $EXTERNAL_NET 61000:65095 -> $HOME_NET any (msg:"TCP from masq range";)
# alert from until we see some, log to always
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 65096:65535 (msg:"TCP beyond masq";)
alert tcp $EXTERNAL_NET 65096:65535 -> $HOME_NET any (msg:"TCP beyond masq";)
# alert from until we see some, alert to always
#
<snip>


So this makes sure that snort is either logging or alerting on *every* packet (heh.. tcp, udp or icmp anyway..) that comes in.

HTH..

- John


--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
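An added example, not the poster's code and not part of Snort: a small Python checker for the claim made in the message above, that a rules file built from "to" rules (any source port, a destination port or range on $HOME_NET) and "from" rules (a remote source port or range, any destination port) leaves no inbound tcp/udp packet unlogged. It parses rule lines of the shape shown in the *REL-local-lib snippets (action proto src sport -> dst dport (...)) and reports the destination-port ranges no "to" rule covers and the source-port ranges no "from" rule covers. The RULES text is a constructed sample in the same style with deliberate gaps, and the function names (parse_rules, coverage_gaps, is_matched) are mine.

```python
"""Added example: coverage check for a Snort 1.x-style rules file.

Finds the port ranges that no alert/log rule for $EXTERNAL_NET -> $HOME_NET
matches.  RULES is constructed sample input, not the poster's file.
"""
import re

MAX_PORT = 65535

# action proto src sport -> dst dport ( options )
RULE_RE = re.compile(
    r'^(alert|log|pass)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\('
)

# Constructed sample in the style of the post's *REL-local-lib files.
# The tcp rules deliberately leave ports 0-109 and 112-60999 uncovered.
RULES = """\
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"TCP to 110 pop3";)
log tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"TCP from 110 pop3";)
# alert to, log from
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"TCP to 111 sunrpc";)
alert tcp $EXTERNAL_NET 111 -> $HOME_NET any (msg:"TCP from 111 sunrpc";)
log tcp $EXTERNAL_NET any -> $HOME_NET 61000:65095 (msg:"TCP to masq range";)
alert tcp $EXTERNAL_NET 61000:65095 -> $HOME_NET any (msg:"TCP from masq range";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 65096:65535 (msg:"TCP beyond masq";)
alert tcp $EXTERNAL_NET 65096:65535 -> $HOME_NET any (msg:"TCP beyond masq";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"UDP anything";)
"""


def parse_ports(spec):
    """Snort port spec -> inclusive (lo, hi): any, 110, 61000:65095, :1023, 1024:"""
    if spec == 'any':
        return (0, MAX_PORT)
    if ':' in spec:
        lo, hi = spec.split(':', 1)
        return (int(lo) if lo else 0, int(hi) if hi else MAX_PORT)
    port = int(spec)
    return (port, port)


def parse_rules(text):
    """Return a list of rule dicts; comments, blank and unparsable lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        action, proto, src, sport, dst, dport = m.groups()
        rules.append({'action': action, 'proto': proto, 'src': src, 'dst': dst,
                      'sport': parse_ports(sport), 'dport': parse_ports(dport)})
    return rules


def uncovered(ranges):
    """Port ranges in 0..65535 that lie outside every (lo, hi) in ranges."""
    gaps, cursor = [], 0
    for lo, hi in sorted(ranges):
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= MAX_PORT:
        gaps.append((cursor, MAX_PORT))
    return gaps


def coverage_gaps(text, proto, home='$HOME_NET'):
    """Gaps in the "to" rules (dest port, any source port) and the "from" rules
    (source port, any dest port) for one protocol.  A rule that fixes both ports
    only covers a rectangle of the (sport, dport) plane and counts toward neither."""
    rules = [r for r in parse_rules(text) if r['proto'] == proto and r['dst'] == home]
    to_ranges = [r['dport'] for r in rules if r['sport'] == (0, MAX_PORT)]
    from_ranges = [r['sport'] for r in rules if r['dport'] == (0, MAX_PORT)]
    to_gaps, from_gaps = uncovered(to_ranges), uncovered(from_ranges)
    # A packet escapes only if its dport is in a "to" gap AND its sport is in a
    # "from" gap, so the rule set is complete as soon as either gap list is empty.
    return {'to': to_gaps, 'from': from_gaps, 'complete': not to_gaps or not from_gaps}


def is_matched(text, proto, sport, dport, home='$HOME_NET'):
    """Does any rule for proto match a packet from sport to home:dport?"""
    return any(r['sport'][0] <= sport <= r['sport'][1] and r['dport'][0] <= dport <= r['dport'][1]
               for r in parse_rules(text) if r['proto'] == proto and r['dst'] == home)


if __name__ == '__main__':
    for proto in ('tcp', 'udp'):
        g = coverage_gaps(RULES, proto)
        print(proto, 'complete' if g['complete'] else 'INCOMPLETE',
              'to-gaps', g['to'], 'from-gaps', g['from'])
    # A reply from a remote web server to a client port below the masq range slips through:
    print('tcp 80 -> 1025 matched?', is_matched(RULES, 'tcp', 80, 1025))
```

Run against the constructed RULES, the tcp check reports gaps 0-109 and 112-60999 on both sides and flags the set incomplete, while the single any/any udp rule is complete. The point worth taking from the check is that the "every packet" guarantee depends on the "to" rules alone spanning 0:65535; once they do, the "from" rules only decide whether a given reply is alerted on or merely logged. The parser handles only single ports and lo:hi ranges, not negated (!) specs, and it only looks at rules whose destination is $HOME_NET.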