Re: : Configuration HELP! (understanding alerts and proxies)

["Scot Scot" <scotw () hotmail com>]

Correct me if I'm wrong on this one, your

 var HOME_NET x.x.x.243/32

is specifing a single host as the HOME_NET. Naturally you will only see
traffic from one host with a single host as a variable.

Have you tried

var HOME_NET any

for troubleshooting purposes?


----- Original Message -----
From: "Matt Kettler" <mkettler () evi-inc com>
To: "Jason Martin" <jmartin () hhsc org>; "SNORT LIST (E-mail)"
<snort-users () lists sourceforge net>
Sent: Wednesday, June 12, 2002 5:51 PM
Subject: Re: : [Snort-users] Configuration HELP! (understanding alerts and
proxies)


> Ok, that clears things up a little bit.
>
>
>
> First question what version of snort are you running?
>
> You've said it's a 1.8 win32 port. Which one? If it is older than snort
> 1.8.5, upgrade. Some members of the 1.8.x family had very significant bugs
> and I'd not even bother trying to determine if it's a config file problem
> if you're running one. (ie: strange bugs in stream processing, strange
bugs
> in the frag reassembler)
>
> http://www.snort.org/dl/binaries/
>
> In general your config in your original email looks "good" at first
glance,
> and that alert should not have occurred unless the proxy attempt rule you
> are using is any -> any instead of EXTERNAL_NET -> HOME_NET.
>
> You could try this:
>
> replace this:
>
> var HOME_NET x.x.x.243/32
>
> with
>
> var HOME_NET [x.x.x.243/32]
>
> I know you should only need the braces for multi-IP cases, but I always
use
> them myself. I doubt it will fix it, but won't take long to try.
>
>
>
> At 11:51 AM 6/12/2002 -1000, Jason Martin wrote:
> > Let me follow-up on this before I get similar responses. I don't think I
was
> > very clear.
> > x.x.90.77 is a test machine I am using to scan my x.x.90.243 machine.
The
> > proxy scan is part of the scan I am using to emulate a PROXY scan
attempt.
> > The problem is the scan was from x.x.x.77 but my logs only show the ACK
of
> > my machine responding to x.x.x.77's request SYN port scan of my machine
on
> > that port.  None of the other signatures for the port scan show up, in
fact
> > the only reason this was logged was because of the traffic generated by
> > x.x.x.243.  I'm looking for someone to point out where I misconfigured my
> > config file so that it is detecting ONLY traffic generated by x.x.x.243
even
> > though I have it in my portscan-ignore section.  I guess it's two part;
why
> > is it not detecting any external scans, and why is it not pre-processing
my
> > ignore variable.
> > Problem in a nutshell:
> > IDS Signatures when scans are run from x.x.x.243 are captured in Logs.
ALL
> > scans from various other tests machines against x.x.x.243 do not log.  I
do
> > however see the traffic when I am running snort -dev -c snort.conf, so
the
> > interface is grabbing the packets.  I think I mis-configured my config
file
> > so it doesn't know how to properly alert me.  Or I'm just not making any
> > sense and the way I'm phrasing my problem isn't coming across correctly.
I
> > hope this made things a little clearer.
> >         ~Jason
>
>
> _______________________________________________________________
>
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users