Snort mailing list archives
Re: Is this config. ok
From: Mike_Sands () elementk com
Date: Thu, 21 Feb 2002 10:07:39 -0500
No, it should only ignore scans that are in the portscan-ignorehosts variable.

Mike Sands
Security / Network Engineer
Office: (585) 214-1936
Fax: (585) 295-7162
Cell: 716-303-3245
Element K 'the knowledge catalyst'
www.elementk.com

Kenny D <bitored2002 () yahoo com au>
Sent by: snort-users-admin@lists.sourceforge.net
02/21/2002 09:27 AM

To: Mike_Sands () elementk com
cc: snort users <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Is this config. ok

If it's set up right, should it not ignore scans from the inside and only look for scans coming from the outside? Is that not the default way Snort works? I set up my port mirroring for traffic that my inside interface receives (i.e. going towards my inside private network).

Thanks.

--- Mike_Sands () elementk com wrote:

> It looks right. You may be right that your firewall is doing a good job. As a test you could run a scan on the box directly from a machine that is behind the firewall. If Snort alerts on the scan then things are probably good.
>
> Mike Sands
>
> Kenny D <bitored2002 () yahoo com au>
> 02/21/2002 07:28 AM
>
> To: Mike_Sands () elementk com
> cc: snort users <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Is this config. ok
>
> Hi,
>
> By "very quiet" I mean no alerts whatsoever. I assume a) my router and firewall are doing a good job or b) I have done something wrong. When I add a rule for any traffic coming in I see plenty going on, so maybe my config is OK. An external scan using SuperScan gave nothing. The Snort options I use are as follows:
>
>     c:\snort.exe -c c:\snort\snort.conf -h 172.17.1.0/24 -i 1
>
> Does this all sound reasonable? Appreciate your comments.
>
> --- Mike_Sands () elementk com wrote:
>
> > It sounds like you have everything set up correctly. By "very quiet" do you mean that there are no alerts at all? If you did some sort of nmap scan of the internal network it really should show up in your portscan.log file. Just for yuks you may want to try and set your home network to 'any' and scan again. Also, how are you running Snort? What flags are you using on the command line?
> >
> > Mike Sands
> >
> > Kenny D <bitored2002 () yahoo com au>
> > Sent by: snort-users-admin@lists.sourceforge.net
> > 02/20/2002 12:02 PM
> >
> > To: snort users <snort-users () lists sourceforge net>
> > Subject: [Snort-users] Is this config. ok
> >
> > Hi,
> >
> > I have set up Snort and it is very quiet. I just want to make sure everything I have done is correct.
> >
> > I have set it up as follows:
> >
> >     internet -- router --- (public ip outside) pix (inside 172.16.1.1) --- (172.16.1.2) 3005 Concentrator (172.17.1.1) --- my inside network on 172.17.1.0
> >
> > My Snort machine is monitoring all traffic coming from the PIX inside interface; I am using SPAN port mirroring on my switch. When I turn on alert tcp any any -> any any I do see plenty of traffic going back and forward. However, when I turn it off it is very quiet. I assume my router and firewall are doing a good job, but how can I be sure it all works? An external scan didn't create any alerts. I set my home network in Snort to 172.17.1.0.
> >
> > Can anyone help me here?
> >
> > Thanks.
> >
> > http://movies.yahoo.com.au - Yahoo! Movies - Vote for your nominees in our online Oscars pool.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
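The point settled in the thread above (inside sources are not exempt by default; only hosts listed in portscan-ignorehosts are skipped) is shown here as an added example that is not part of the original messages and is not Snort's code. It is a simplified Python model of a threshold port-scan detector; the 4-ports-in-3-seconds threshold, the function names and every sample address and packet are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

def detect_portscans(packets, monitored, ignore_hosts=(), ports=4, seconds=3):
    """Simplified model: flag a source that touches `ports` distinct
    (host, port) pairs inside the monitored network within `seconds`.
    packets: time-ordered (timestamp, src_ip, dst_ip, dst_port) tuples."""
    monitored = ipaddress.ip_network(monitored)
    ignored = [ipaddress.ip_network(n) for n in ignore_hosts]
    recent = defaultdict(list)          # src -> [(ts, dst, port)] in window
    flagged = set()
    for ts, src, dst, port in packets:
        if ipaddress.ip_address(dst) not in monitored:
            continue                    # target outside the watched network
        if any(ipaddress.ip_address(src) in n for n in ignored):
            continue                    # only listed hosts are exempt
        window = [e for e in recent[src] if ts - e[0] <= seconds]
        window.append((ts, dst, port))
        recent[src] = window
        if len({(h, p) for _, h, p in window}) >= ports:
            flagged.add(src)
    return flagged

def scan(src, dst, first_port, count, t0=0.0, step=0.1):
    """Build constructed sample packets: `count` sequential ports."""
    return [(t0 + i * step, src, dst, first_port + i) for i in range(count)]

# Constructed sample traffic (assumed addresses, not from the thread).
SAMPLE = sorted(
    scan("172.17.1.50", "172.17.1.10", 20, 6)             # inside scanner
    + scan("203.0.113.7", "172.17.1.10", 20, 6, t0=5.0)   # outside scanner
    + scan("203.0.113.9", "172.16.1.2", 20, 6, t0=9.0)    # unmonitored target
    + scan("172.17.1.60", "172.17.1.10", 80, 6, step=10.0)  # slow, under threshold
)

if __name__ == "__main__":
    print(detect_portscans(SAMPLE, "172.17.1.0/24"))
    print(detect_portscans(SAMPLE, "172.17.1.0/24", ["172.17.1.50/32"]))
```

With no ignore list, the inside scanner is flagged just like the outside one, which is why the test scan from behind the firewall suggested in the thread is a valid check of the sensor.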
Current thread:
- Is this config. ok Kenny D (Feb 20)
- <Possible follow-ups>
- RE: Is this config. ok Wirth, Jeff (Feb 20)
- Re: Is this config. ok Kenny D (Feb 21)
- Re: Is this config. ok Kenny D (Feb 21)
- Re: Is this config. ok Mike_Sands (Feb 21)
- Re: Is this config. ok Kenny D (Feb 21)
- Re: Is this config. ok Kenny D (Feb 21)