Snort mailing list archives
Newbie Q on making it work
From: Faber Fedor <faber () linuxnj com>
Date: Tue, 26 Nov 2002 19:37:31 -0500
Hi there! I'm setting up a Snort-based NIDS using snort (duh), and ACID. I'll also probably use SAM and loghog and maybe mudpit. Before I decide to use them, I need to get some data to crunch and that's where things are falling down.

The short of it: my problem is that I can only see activity on the local network to the local network. I surf to the snort box, I see it in ACID. I surf to slashdot, I see nothing.

The long of it: I am running Red Hat Linux 7.3, snort-1.9.0-1snort and snort-mysql-1.9.0-1snort with mysql-server-3.23.49-3 and acid-0.9.6b13. I'm using two NICs on a 1.2 GHz PIII with 512M memory. eth0 has no IP address and eth1 has an address of 192.168.1.251. The local subnet is 192.168.1.0/24 sitting behind a Linksys firewall with default settings and the latest firmware upgrade. Everything is plugged into one or more Linksys hubs; no switches are involved.

I execute snort from an rc script wherein the relevant lines are

    daemon /usr/sbin/snort-mysql -U -b -d -D -c /etc/snort/snort.conf -i eth0
    daemon /usr/sbin/snort-mysql -U -b -d -D -c /etc/snort/snort.conf -i eth1

I have commented out all of the rules files in /etc/snort/snort.conf except for local.rules. The only rule in local.rules is

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Any access"; classtype:policy-violation; sid:1436; rev:2;)

(wrapped here, but on one line in the local.rules file). $HOME_NET and $EXTERNAL_NET are set as "any".

Logging was set as

    output database: log, mysql, user=snort password=xxxx dbname=snort host=127.0.0.1

but is now set at

    output database: alert, mysql, user=snort password=xxxx dbname=snort host=127.0.0.1

with no seeming effect.

As I mentioned above: I can see local traffic just fine, but I can't see anything going in or out of the network.

I tested the same setup (without the local rules and all of the default rules turned on, including multimedia.rules, pron.rules, and mp3.rules) on a college network and the only data I captured was multicast signals of the local Windows boxes trying to contact a UPnP server.

What am I doing wrong?

--
Regards,
Faber

Linux New Jersey: Open Source Solutions for New Jersey
http://www.linuxnj.com
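An added example, not part of the post or of Snort itself: a small Python matcher for the header of the rule quoted above, used to compare what the rule matches with $HOME_NET and $EXTERNAL_NET both set to "any" (as posted) against a scoped setting where HOME_NET is 192.168.1.0/24 and EXTERNAL_NET is !$HOME_NET. The flows, and the external address 203.0.113.5, are constructed for the demonstration; the scoped setting is an assumption, not something the post configures.

```python
import ipaddress
import re
# The rule from the post, and two constructed variable settings to compare.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
        '(msg:"Any access"; classtype:policy-violation; sid:1436; rev:2;)')
AS_POSTED = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
SCOPED = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}  # assumed

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(')

def parse_header(rule):
    """Split the rule header into action, protocol, endpoints and direction."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule header: %r" % rule)
    keys = ("action", "proto", "src", "sport", "dir", "dst", "dport")
    return dict(zip(keys, m.groups()))

def ip_matches(spec, variables, addr):
    """Resolve $VAR, 'any', leading '!' negation and CIDR, then test addr."""
    if spec.startswith("!"):
        return not ip_matches(spec[1:], variables, addr)
    if spec.startswith("$"):
        return ip_matches(variables[spec[1:]], variables, addr)
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, variables, src, sport, dst, dport):
    """True if a TCP flow src:sport -> dst:dport would trigger the rule."""
    h = parse_header(rule)
    def one_way(s, sp, d, dp):
        return (ip_matches(h["src"], variables, s) and port_matches(h["sport"], sp)
                and ip_matches(h["dst"], variables, d) and port_matches(h["dport"], dp))
    if one_way(src, sport, dst, dport):
        return True
    return h["dir"] == "<>" and one_way(dst, dport, src, sport)

if __name__ == "__main__":
    flows = {"local->local": ("192.168.1.10", 40000, "192.168.1.251", 80),
             "local->internet": ("192.168.1.10", 40001, "203.0.113.5", 80),
             "internet->local": ("203.0.113.5", 443, "192.168.1.10", 40002)}
    for name, flow in flows.items():
        print("%-16s as posted: %-5s scoped: %s" % (name,
              rule_matches(RULE, AS_POSTED, *flow), rule_matches(RULE, SCOPED, *flow)))
```

With both variables set to "any" the rule fires on every TCP flow the sensor sees, local-to-local included, so a local hit in ACID says nothing about whether outbound traffic is reaching the sniffing interface; the scoped setting fires only on flows leaving the home subnet.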