Snort mailing list archives
Re: Is this config. ok
From: Kenny D <bitored2002 () yahoo com au>
Date: Fri, 22 Feb 2002 03:33:41 +1100 (EST)
Yes, but if the Snort host only looks at the firewall port, the scan on the internal network will be across the switch, and the only two ports involved are the port being scanned and my workstation port, which is scanning. Snort won't see it because it doesn't go via the port it's looking at. Am I right or wrong?

--- Mike_Sands () elementk com wrote:
> You should see the scan if it is targeted to the Snort host. For example, if my Snort server is 172.16.1.5 and I run the following command on my workstation:
>
>   # nmap 192.168.5.28
>
>   Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
>   Interesting ports on (172.16.1.5):
>   (The 1518 ports scanned but not shown below are in state: closed)
>   Port       State       Service
>   22/tcp     open        ssh
>   80/tcp     open        http
>   111/tcp    open        sunrpc
>   443/tcp    open        https
>   3306/tcp   open        mysql
>
>   Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
>
> I should see the above scan in my Snort logs.
>
> Mike Sands
> Security / Network Engineer
> Office: (585) 214-1936  Fax: (585) 295-7162  Cell: 716-303-3245
> Element K 'the knowledge catalyst'  www.elementk.com
>
> Kenny D <bitored2002 () yahoo com au> (sent by snort-users-admin@lists.sourceforge.net) wrote on 02/21/2002 10:37 AM
> To: Mike_Sands () elementk com
> cc: snort users <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Is this config. ok
>
> > Mike,
> >
> > The variable is set to DNS hosts (I haven't specified any). When I scan from inside I don't get any alerts. However, I have a switched environment, and all that is replicated to Snort is traffic from the firewall destined for the inside; therefore I would not expect an internal scan to work, unless I had hubs. Does this sound correct? When I changed my home network to any and port mirroring to receive and transmit and then did a scan, I got alerts. So I proved Snort works, correct?
> >
> > So to recap: if I redirect incoming traffic on the firewall's inside interface to Snort and don't get any alerts, it means my firewall is doing a good job, because with the above we proved Snort works. Again, I really appreciate your help, as I hope to put this into production soon; I just want to make sure I have set things up correctly.
> >
> > --- Mike_Sands () elementk com wrote:
> > > No, it should only ignore scans that are in the portscan-ignorehosts variable.
> > >
> > > Mike Sands
> > > Security / Network Engineer
> > > Office: (585) 214-1936  Fax: (585) 295-7162  Cell: 716-303-3245
> > > Element K 'the knowledge catalyst'  www.elementk.com
> > >
> > > Kenny D <bitored2002 () yahoo com au> (sent by snort-users-admin@lists.sourceforge.net) wrote on 02/21/2002 09:27 AM
> > > To: Mike_Sands () elementk com
> > > cc: snort users <snort-users () lists sourceforge net>
> > > Subject: Re: [Snort-users] Is this config. ok
> > >
> > > > If it's set up right, should it not ignore scans from the inside and only look for scans coming from the outside? Is that not the default way Snort works? I set up my port mirroring for traffic that my inside interface receives (i.e. going towards my inside private network). Thanks.
> > > >
> > > > --- Mike_Sands () elementk com wrote:
> > > > > It looks right. You may be right that your firewall is doing a good job. As a test you could run a scan on the box directly from a machine that is behind the firewall. If Snort alerts on the scan then things are probably good.
> > > > >
> > > > > Mike Sands
> > > > > Security / Network Engineer
> > > > > Office: (585) 214-1936  Fax: (585) 295-7162  Cell: 716-303-3245
> > > > > Element K 'the knowledge catalyst'  www.elementk.com
> > > > >
> > > > > Kenny D <bitored2002@yah
> > > > > To: Mike_Sands () elementk com

=== message truncated ===

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
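The visibility question the thread keeps circling (a sensor on a switch mirror port sees only what the switch copies to it, plus frames addressed to the sensor itself) can be worked through with a small model. This is an added example, not code from the list or from the Snort project. The switch, the port names gi0/1 to gi0/11, the link speeds and the sample flows are all constructed. Mirror direction is taken from the switch's point of view ("rx" copies frames the switch receives on the mirrored port, "tx" frames it sends out of it), which is where the "receive vs. transmit" confusion in the thread usually comes from.

```python
"""Which frames reach a Snort sensor hanging off a switch mirror (SPAN) port?

Added illustration for the thread above, not code from the list or the Snort
project. Port names (gi0/1 ...), link speeds and the sample flows are constructed.
Mirror direction is the switch's view: "rx" copies frames the switch receives on
the source port, "tx" copies frames it transmits out of it, "both" copies both.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mirror:
    source_port: str
    direction: str  # "rx", "tx" or "both"

    def covers(self, ingress: str, egress: str) -> bool:
        """Does this rule copy a frame entering on `ingress` and leaving on `egress`?"""
        if self.source_port == ingress and self.direction in ("rx", "both"):
            return True
        if self.source_port == egress and self.direction in ("tx", "both"):
            return True
        return False


@dataclass
class Switch:
    sensor_port: str
    mirrors: list = field(default_factory=list)

    def sensor_sees(self, ingress: str, egress: str) -> bool:
        """A frame reaches the sensor if the sensor is one end of the frame
        (Mike's test: scan the Snort box directly) or a mirror rule covers
        the path the frame takes through the switch."""
        if self.sensor_port in (ingress, egress):
            return True
        return any(m.covers(ingress, egress) for m in self.mirrors)

    def report(self, flows: dict) -> dict:
        """Map flow name -> whether the sensor sees that flow."""
        return {name: self.sensor_sees(i, e) for name, (i, e) in flows.items()}


def mirrors_needed(switch: Switch, flows: dict) -> list:
    """Extra rx rules (one per ingress port) that would make every listed
    flow visible. Other choices exist, e.g. a tx rule on the egress port."""
    extra = {}
    for ingress, egress in flows.values():
        if not switch.sensor_sees(ingress, egress):
            extra.setdefault(ingress, Mirror(ingress, "rx"))
    return list(extra.values())


def oversubscribed(switch: Switch, link_mbps: dict, sensor_mbps: int) -> bool:
    """Mirroring more source bandwidth than the sensor link carries means the
    switch silently drops copies; Snort cannot alert on what never arrives."""
    total = 0
    for m in switch.mirrors:
        total += link_mbps[m.source_port] * (2 if m.direction == "both" else 1)
    return total > sensor_mbps


if __name__ == "__main__":
    # Constructed topology: gi0/1 firewall inside interface, gi0/2 Snort sensor,
    # gi0/10 an internal server, gi0/11 the admin workstation doing the test scan.
    FLOWS = {
        "outside_probe_to_server": ("gi0/1", "gi0/10"),
        "server_reply_to_outside": ("gi0/10", "gi0/1"),
        "internal_scan_of_server": ("gi0/11", "gi0/10"),
        "internal_scan_of_sensor": ("gi0/11", "gi0/2"),
    }
    # The thread's starting setup: only frames received on the firewall port are copied.
    sw = Switch("gi0/2", [Mirror("gi0/1", "rx")])
    for name, seen in sw.report(FLOWS).items():
        print(f"{name:26s} {'seen' if seen else 'NOT seen'}")
    print("extra rules for full coverage:", mirrors_needed(sw, FLOWS))
    speeds = {"gi0/1": 100, "gi0/10": 100, "gi0/11": 100}
    print("sensor link oversubscribed:", oversubscribed(sw, speeds, sensor_mbps=100))
```

With the rx-only rule on the firewall port the model shows exactly what the thread describes: probes arriving from the firewall are seen, the server's replies are not (so the sensor gets one direction of each conversation), a workstation-to-server scan is invisible, and a scan aimed at the sensor itself is seen, which is why Mike's direct-scan test proves the sensor works without proving the mirror covers the internal segment. The oversubscription check is the caveat that comes next in practice: mirroring every internal port so that internal scans become visible can exceed what the sensor's link can carry.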
Current thread:
- Is this config. ok Kenny D (Feb 20)
- <Possible follow-ups>
- RE: Is this config. ok Wirth, Jeff (Feb 20)
- Re: Is this config. ok Kenny D (Feb 21)
- Re: Is this config. ok Kenny D (Feb 21)
- Re: Is this config. ok Mike_Sands (Feb 21)
- Re: Is this config. ok Kenny D (Feb 21)
- Re: Is this config. ok Kenny D (Feb 21)