Snort mailing list archives

SV: SV: Snort doesnt detect traffic.


From: <Magnus.M.Glantz () telia se>
Date: Thu, 30 May 2002 21:57:20 +0200

Ahrgh. 10000 thanks for your help.
After doing a more in-depth checkout of my " *hub " I found out it had some switching capabilities that
are probably making life hard for me.
 
*http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3C16751B-US
 
Cheers,
//Magnus Glantz
 
PS,
How many additional glasses of XxX does this mean?

        -----Original message----- 
        From: Erek Adams [mailto:erek () theadamsfamily net] 
        Sent: Thu 2002-05-30 20:35 
        To: Glantz, Magnus M. /Communications /070-211 99 22, 070-211 99 22 
        Cc: snort-users () lists sourceforge net 
        Subject: Re: SV: [Snort-users] Snort doesnt detect traffic.
        
        

        On Thu, 30 May 2002 Magnus.M.Glantz () telia se wrote:
        
        [...snip...]
        
        > >>var HOME_NET 192.168.135.0/24
        > >>var EXTERNAL_NET !$HOME_NET
        >
        >
        > Will that work?
        
        It _should_.
        
        See below...
        
        
        > The scenario where an IP address that is not in 192.168.135.0/24 comes into the
        > net doesn't exist. There is no routing between the private network I'm
        > defending and the Internet/my other private network.
        
        Well, since the ASCII drawing was a bit funky (hint:  use some
        non-proportional font to draw in, it converts over to other terms a lot
        better), if I read it right it's something like:
        
        other net---mysql---hub---Snort
                          /  |  \
                         /   |    \
                        /    |     \
                       /     |      \
                     box1   box2   box3
                      |      |      |
                       \     |     /
                         Internet
        
        > What I'm afraid of is that box1, box2 or box3 gets hacked (they are connected
        > to the internet) and tries to hack my MsSQL server.. so I wanna sniff for
        > known attacks, and traffic that is between box1, box2, box3 <-> mssql
        > server, and does not go to the sqlport on the mssql server.
        
        If the above diagram is correct, and I understand correctly, box[1-3] are
        directly connected to the net.  If those boxes attempt to connect to your
        MySQL server you want snort to trigger an alert.  If all boxes are out of the
        same private net address space (192.168.135.0/24) then your rule could be
        something like:
        
        alert tcp any any -> $SQL_SERVERS !1433 (msg:"Connect to SQL Server!";
        flags:A+; classtype:attempted-user;)
        
        This assumes that you've filled in $SQL_SERVERS with the IP of your MySQL box.
        My rule syntax might be off a bit, I've left my 'rule book' at the office.
        :-(  (Corrections welcome!)
        
        > To my knowledge, it is a 'dumb' hub. I know it's not a switch anyway.
        >
        > But maybe it got some "switch" properties that are messing up my sniffing?
        
        If it says 10/100 autosensing Hub, then there stands a good (65%+) chance that
        it's one of these 'switching hubs' mentioned in that FAQ link.  To verify, try
        to scrounge up a 10 Mbps hub and use it there instead.  I know that's not a
        perfect solution, but it might help.
        
        Good luck!
        
        -----
        Erek Adams
        Nifty-Type-Guy
        TheAdamsFamily.Net
        
        
        
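As an added example that is not part of the thread: a small Python matcher that expands snort.conf variables (including the `!$HOME_NET` negation from the quoted config) and evaluates the rule header from the reply against constructed flows, showing that `!1433` fires on every destination port except the SQL port. The SQL server address 192.168.135.10 and box1's address are assumed; rule options such as flags:A+ are not modelled.

```python
import ipaddress

# Constructed variables mirroring the snort.conf fragment quoted in the thread
VARS = {
    "HOME_NET": "192.168.135.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "SQL_SERVERS": "192.168.135.10",  # assumed address of the MSSQL box
}

def _expand(token):
    """Resolve $VAR references recursively, folding a leading '!' (negation)."""
    neg = token.startswith("!")
    body = token[1:] if neg else token
    if body.startswith("$"):
        inner_neg, inner = _expand(VARS[body[1:]])
        return (neg != inner_neg), inner
    return neg, body

def ip_matches(token, ip):
    neg, net = _expand(token)
    hit = net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    return hit != neg

def port_matches(token, port):
    neg, spec = _expand(token)
    if spec == "any":
        hit = True
    elif ":" in spec:  # range, e.g. 1024: or :1023
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != neg

def header_matches(header, flow):
    """flow = (proto, src_ip, src_port, dst_ip, dst_port); only '->' headers handled."""
    _action, proto, sip, sport, arrow, dip, dport = header.split()
    assert arrow == "->"
    f_proto, f_sip, f_sport, f_dip, f_dport = flow
    return (proto in ("ip", f_proto)
            and ip_matches(sip, f_sip) and port_matches(sport, f_sport)
            and ip_matches(dip, f_dip) and port_matches(dport, f_dport))

RULE = "alert tcp any any -> $SQL_SERVERS !1433"
FLOWS = [  # constructed flows; box1 = 192.168.135.21 (assumed)
    ("tcp", "192.168.135.21", 40000, "192.168.135.10", 1433),  # SQL client: no alert
    ("tcp", "192.168.135.21", 40001, "192.168.135.10", 445),   # SMB to the SQL box: alert
    ("tcp", "192.168.135.21", 40002, "192.168.135.22", 22),    # not a SQL server: no alert
]

def evaluate(rule=RULE, flows=FLOWS):
    return [header_matches(rule, f) for f in flows]
```

`evaluate()` returns one boolean per flow, so only the non-1433 connection to the SQL box would raise the alert.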