RE: SNORT newbie looking for some help with Snort on Win2k

["Michael Steele" <michaels () silicondefense com>]

Richard,

 

Sounds like you have the permissions set incorrectly for the CGI folder.
Make sure that the IUSER has full access to the folder. If you need some
guidance then you can go to our site, there you will find a complete
walk through for Windows and either Snortsnarf or for Acid as your
viewer. Let me know how thing go.

Michael Steele | Support Technician    
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: Richard Roy [mailto:royr () justicetrax com] 
Sent: May 16, 2002 7:16 AM
To: 'Michael Steele'
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort
on Win2k

 

I've definately got it logging now, without IDS center.  I have it
logging to MySQL (there were 15 events at last check) but now I can not
get ACID to work at all.  I get a CGI error that "The specified CGI
application misbehaved by not returning a complete set of HTTP headers.
The headers it did return are"   But that is it, no headers are there.
It is supposed to be using PHP and the .cgi is mapped the same as .php
which didn't help.  Any thoughts?  


[Rich Roy] 

 

 

 

 

 -----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Wednesday, May 15, 2002 5:29 PM
To: 'Richard Roy'
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort
on Win2k

Richard,

 

If you are not sure your logging, you can place this rule in your
local.rules file and activate the local.rules file in the snort.conf
file. Now generate some traffic with your browser and you should see
your log file grow.

 

 

alert tcp any any <> any any (msg:"alert-local test";)

 

Michael Steele | Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Richard
Roy
Sent: Wednesday, May 15, 2002 7:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SNORT newbie looking for some help with Snort on
Win2k

 

I set up SNORT using IDSCentre and tested the config using the applet.
I received no error messages, the SNORT window is minimized and things
appear to work, yet there are no alerts, no log entries, nothing.  I
know we are under hits all the time, my firewall reports blocking them.


Setup: 
W2K Pro p3 733.  On a hub with router and firewall external interface.
I have 64 public IP's and I'd like to scan the range if possible.  I am
including the following.   

> From IDSCentre the command line it fires, the snort.conf file and the
screen output from the minimized snort window.  I can't quite figure out
what is wrong.  Another set of eyes looking at this is what I am hoping
someone will do and see a problem.

TIA for your help 

Rich 
PS Sorry it is a long post, but I did not want to do an attachment. 

[Begin config] 
[************cmd line*********] 
c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" -h
aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y

[*NOTE, yes I blanked out my IP above.  It is a public IP*] 

 

[***********snort.conf**************] 
#-------------------------------------------------- 
#   http://www.activeworx.com Snort 1.8.6 Ruleset 
#     IDS Policy Manager Version: 1.3 Build(31) 
# Current Database Updated -- May 10, 2002 10:55 AM 
#-------------------------------------------------- 
# 
## Variables 
## --------- 
#var HOME_NET 10.1.1.0/24 
#var HOME_NET $eth0_ADDRESS 
#var HOME_NET [10.1.1.0/24,192.168.1.0/24] 
var HOME_NET any 
var EXTERNAL_NET any 
var SMTP $HOME_NET 
var HTTP_SERVERS $HOME_NET 
var SQL_SERVERS $HOME_NET 
var DNS_SERVERS $HOME_NET 
#var RULE_PATH ./ 
var RULE_PATH c:\snort\rules 
var SHELLCODE_PORTS !80 
#var SPADEDIR . 
# 
## Preprocessor Support 
## -------------------- 
preprocessor http_decode: 80 -cginull -unicode 
preprocessor rpc_decode: 111 32771 
preprocessor bo: 
preprocessor stream4: detect_scans 
preprocessor stream4_reassemble 
preprocessor portscan: $HOME_NET 4 3 portscan.log 
#preprocessor portscan-ignorehosts: 0.0.0.0 
preprocessor frag2 
preprocessor telnet_decode 
# 
# 
## Output Modules 
## -------------- 
#output database: log, unixodbc, dbname=snort user=snort host=localhost
password=test 
output CSV: log default 
output log_tcpdump: snorttcp.log 
#output xml: Log, file=/var/log/snortxml 
output log_unified: filename snort.log, limit 128 
# 
#output alert_syslog: LOG_AUTH LOG_ALERT 
#output alert_unified: filename snort.alert, limit 128 
#output trap_snmp: alert, 7, inform -v 3 -p 162 -l authPriv -u snortUser
-x DES -X "" -a SHA -A "" myTrapListener 
# 
## Custom Rules 
## ------------ 
ruletype suspicious 
{ 
 type log 
 output log_tcpdump: suspicious.log 
} 
ruletype redalert 
{ 
 type alert 
 output alert_syslog: LOG_AUTH LOG_ALERT 
# output database: log, mysql, user=snort dbname=snort host=localhost 
} 
#ruletype <New_Custom_Rules> 
#{ 
#} 
# 
## Include Files 
## ------------- 
include classification.config 
# 
include $RULE_PATH/bad-traffic.rules 
include $RULE_PATH/exploit.rules 
include $RULE_PATH/scan.rules 
include $RULE_PATH/finger.rules 
include $RULE_PATH/ftp.rules 
include $RULE_PATH/telnet.rules 
include $RULE_PATH/smtp.rules 
include $RULE_PATH/rpc.rules 
include $RULE_PATH/rservices.rules 
include $RULE_PATH/dos.rules 
include $RULE_PATH/ddos.rules 
include $RULE_PATH/dns.rules 
include $RULE_PATH/tftp.rules 
include $RULE_PATH/web-cgi.rules 
include $RULE_PATH/web-coldfusion.rules 
include $RULE_PATH/web-iis.rules 
include $RULE_PATH/web-frontpage.rules 
include $RULE_PATH/web-misc.rules 
include $RULE_PATH/web-attacks.rules 
include $RULE_PATH/sql.rules 
include $RULE_PATH/x11.rules 
include $RULE_PATH/icmp.rules 
include $RULE_PATH/netbios.rules 
include $RULE_PATH/misc.rules 
include $RULE_PATH/attack-responses.rules 
include $RULE_PATH/backdoor.rules 
include $RULE_PATH/shellcode.rules 
include $RULE_PATH/policy.rules 
include $RULE_PATH/porn.rules 
include $RULE_PATH/info.rules 
include $RULE_PATH/icmp-info.rules 
include $RULE_PATH/virus.rules 
#include $RULE_PATH/experimental.rules 
include $RULE_PATH/local.rules 

 

{*********Snort Screen*************} 

Log directory = c:\snort\log 

Initializing Network Interface \ 

        --== Initializing Snort ==-- 
Decoding Ethernet on interface \Device\Packet_NdisWanIp 
Initializing Preprocessors! 
Initializing Plug-ins! 
Initializating Output Plugins! 
Parsing Rules file c:\snort\snort.conf 

+++++++++++++++++++++++++++++++++++++++++++++++++++ 
Initializing rule chains... 
Stream4 config: 
    Stateful inspection: ACTIVE 
    Session statistics: INACTIVE 
    Session timeout: 30 seconds 
    Session memory cap: 8388608 bytes 
    State alerts: INACTIVE 
    Scan alerts: ACTIVE 
    Log Flushed Streams: INACTIVE 
No arguments to stream4_reassemble, setting defaults: 
     Reassemble client: ACTIVE 
     Reassemble server: INACTIVE 
     Reassemble ports: 21 23 25 53 80 143 110 111 513 
     Reassembly alerts: ACTIVE 
     Reassembly method: FAVOR_OLD 
Using GMT time 
No arguments to frag2 directive, setting defaults to: 
    Fragment timeout: 60 seconds 
    Fragment memory cap: 4194304 bytes 
ProcessFileOption: c:\snort\log/log 
WARNING: command line overrides rules file logging plugin! 
WARNING: command line overrides rules file logging plugin! 
WARNING: command line overrides rules file logging plugin! 
980 Snort rules read... 
980 Option Chains linked into 100 Chain Headers 
0 Dynamic rules 
+++++++++++++++++++++++++++++++++++++++++++++++++++ 

Rule application order:
->activation->dynamic->alert->pass->log->suspicious->red 
alert 

        --== Initialization Complete ==-- 

-*> Snort! <*- 
Version 1.8-WIN32 (Build 103) 
By Martin Roesch (roesch () sourcefire com, www.snort.org) 
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike) 
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com) 
          (based on code from 1.7 port) 

[End config]