Snort mailing list archives
Re: Questions after 1.9.1 install
From: Alberto Gonzalez <albertg () wwjh net>
Date: Sat, 15 Mar 2003 01:25:44 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello all. Long time no post..
{ yawn... } Hello
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 \ Win2k SMB";)
Hrm... lets take a look at this (cervello is internal @ 192.168.1.4) (root@cervello)(~) cat /etc/snort/rules/local.rules alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "TCP inbound to 445 Win2k SMB"; ) Then from my gateway (root@cerebro)(~) telnet 192.168.1.4 445 Trying 192.168.1.4... telnet: connect to address 192.168.1.4: Connection refused (root@cerebro)(~) I go back to cervello (root@cervello)(~) tail -f /var/log/snort/alert [**] [1:0:0] TCP inbound to 445 Win2k SMB [**] [Priority: 0] 03/15-01:24:28.795690 192.168.1.1:44904 -> 192.168.1.4:445 TCP TTL:51 TOS:0x0 ID:12719 IpLen:20 DgmLen:40 ******S* Seq: 0x7DE72FFE Ack: 0x0 Win: 0x1000 TcpLen: 20 It worked here, verified it on linux and openbsd. (root@cervello)(~) snort -V - -*> Snort! <*- Version 1.9.1 (Build 231) By Martin Roesch (roesch () sourcefire com, www.snort.org)
And thirdly, I'm getting mass these sorts of things: [**] [117:1:1] (spp_portscan2) Portscan detected from 12.82.133.46: 6 targets 6 ports in 5 seconds [**] 03/13/03-20:09:52.818983 12.82.133.46:1034 -> 198.133.199.110:53 which is my caching-only nameserver talking outbound to..
This looks like its the same situation when someone is surfing the web. Try putting the machines you want to ignore in spp_portscan2 ignorehosts, or you can use the methods discussed here[0].
- John
Cheers, Alberto Gonzalez [0] - http://www.theadamsfamily.net/~erek/snort/ignore.txt - -- "Success comes to the person who does today, what you are thinking of doing tomorrow." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+csdsa3vAB/3yp/IRAqJ3AJ4lCA2vbwcwotGhLr+/IaF1HDTSAwCg02m4 VIiaKgxuR3ZFXpqtW38uAPg= =62Cb -----END PGP SIGNATURE----- ------------------------------------------------------- This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Questions after 1.9.1 install John Sage (Mar 14)
- Re: Questions after 1.9.1 install Alberto Gonzalez (Mar 14)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Alberto Gonzalez (Mar 15)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Erek Adams (Mar 15)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Erek Adams (Mar 15)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Chris Green (Mar 21)
- Re: Questions after 1.9.1 install Alberto Gonzalez (Mar 14)