Snort mailing list archives

Re: Questions after 1.9.1 install


From: John Sage <jsage () finchhaven com>
Date: Sat, 15 Mar 2003 10:15:39 -0800

Hey Erek, thanks for the sendmail help. Now that that's at least
kinda working, it's on to more important stuff :-)

On Sat, Mar 15, 2003 at 10:49:30AM -0500, Erek Adams wrote:
On Fri, 14 Mar 2003, John Sage wrote:

Hello all. Long time no post..

Yeah, what's up with that?  You slacker!  ;-)

heh..

Basically, 1.8.7 worked so well that I've just been lurking. Been so
busy with other stuff that I haven't been a real participant..

Finally put 1.9.1 on after rebuilding my firewall to get into the
2.4.18 Linux kernel series, and have I got questions :-/


First of all, the tcpdump logfile is timestamped in UNIX time:

901956 Mar 12 20:31 snort.log.1047528578

Normal.  Been that way since 1.8.6/7, IIRC.

hrm.. Don't recall seeing this until I got fancy and put on 1.9.1, on
top of a complete rebuild: KRUD Linux 7.3, which is basically Red Hat,
fully patched, with a lot of extras Red Hat doesn't distribute.. Teach
me to get fancy and try to maintain my systems :-/


Second, this rule is firing:

alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound \
from range 1025-4320";)

but this one isn't:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 \
Win2k SMB";)

even though I would think that the RTN list would check a specific
port before a port list..

Here's the alert itself:

[**] [1:0:0] TCP inbound from range 1025-4320 [**]
[Priority: 0]
03/13/03-20:24:48.401161 209.181.67.217:3195 -> 12.82.133.46:445
<snip>

Ok, may be a silly question, but which rule is first?  1.9.x still uses
FIFO to order the rules in the RTN list.  Swap the order for grins?

Not at all: I should have mentioned that. The specific port rule is
first, followed by port ranges after..

Is there any mandatory rule syntax for 1.9.1 that I'm not aware of?

Or do both rules look syntactically correct for 1.9.1?

By some chance does -o re-order (reverse-order) rules *within* the
class "alert", as well as re-order the classes of rules themselves?


And thirdly, I'm getting masses of these sorts of things:

[**] [117:1:1] (spp_portscan2) Portscan detected from 12.82.133.46:
6 targets 6 ports in 5 seconds [**]
03/13/03-20:09:52.818983 12.82.133.46:1034 -> 198.133.199.110:53

<snip>

Yep, portscan2 is a noisy lil bugger.  Either use preprocessor
portscan2-ignorehosts: 12.82.133.46 or use a BPF filter to drop that
traffic.

      src host 12.82.133.46 and dst host 198.133.199.110 and dst port 53

Suspected as much.

Dynamic IP address: can portscan2-ignorehosts reference $HOME_NET or
ppp0_ADDRESS?


/* puff.. too much to think about.. */


- John
-- 
"You must define an operating system environment,
 or the configuration file build will puke."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
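The second question in the thread (which of two overlapping rules fires) comes down to whether the packet in the alert matches both rule headers, and, if so, which one the engine sees first. The following is an added example, not code from the original post or from Snort: it is a deliberately small first-match model of the two rule headers quoted above, run over the packet from the quoted alert. The values of $HOME_NET and $EXTERNAL_NET are assumptions (the poster's snort.conf is not shown); the model supports only the header syntax the two rules use plus port ranges and "!" negation, and it says nothing about how Snort 1.9.1 actually orders its RTN/OTN lists.

```python
"""Toy first-match model of the two Snort rules from the thread (not Snort's engine)."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed values for the rule variables: the poster's snort.conf is not shown,
# so $HOME_NET is taken to be the firewall's address seen in the alert and
# $EXTERNAL_NET its negation.
RULE_VARS = {
    "$HOME_NET": "12.82.133.46/32",
    "$EXTERNAL_NET": "!12.82.133.46/32",
}

# The two rules exactly as quoted in the thread, including the backslash continuation.
RULE_445 = r'''alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 \
Win2k SMB";)'''
RULE_RANGE = r'''alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound \
from range 1025-4320";)'''

# The alert line quoted in the thread (only the address/port part is used).
ALERT_LINE = "03/13/03-20:24:48.401161 209.181.67.217:3195 -> 12.82.133.46:445"

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sports>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dports>\S+)\s+\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sports: str
    direction: str
    dst: str
    dports: str
    msg: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rule(text: str) -> Rule:
    """Join backslash-continued lines, then split the header and pull out msg."""
    joined = " ".join(part.strip().rstrip("\\").strip() for part in text.splitlines())
    m = HEADER_RE.match(joined)
    if m is None:
        raise ValueError(f"unparsable rule header: {joined!r}")
    msg = re.search(r'msg:\s*"([^"]*)"', m.group("opts"))
    return Rule(
        m.group("action"), m.group("proto"), m.group("src"), m.group("sports"),
        m.group("dir"), m.group("dst"), m.group("dports"),
        msg.group(1) if msg else "",
    )


def net_matches(spec: str, ip: str) -> bool:
    """'any', a CIDR, a $VAR from RULE_VARS, each optionally negated with '!'."""
    spec = RULE_VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a Snort range lo:hi (either end may be empty)."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header match only; '<>' rules are also tried with the endpoints reversed."""
    def one_way(src, sport, dst, dport):
        return (rule.proto in ("ip", pkt.proto)
                and net_matches(rule.src, src) and port_matches(rule.sports, sport)
                and net_matches(rule.dst, dst) and port_matches(rule.dports, dport))
    if one_way(pkt.src, pkt.sport, pkt.dst, pkt.dport):
        return True
    return rule.direction == "<>" and one_way(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def matching_msgs(rules, pkt: Packet):
    """Every rule whose header matches, in list order."""
    return [r.msg for r in rules if rule_matches(r, pkt)]


def first_match(rules, pkt: Packet):
    """First-match semantics: the earliest matching rule in the list wins."""
    return next((r.msg for r in rules if rule_matches(r, pkt)), None)


def packet_from_alert(line: str) -> Packet:
    m = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)", line)
    return Packet("tcp", m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))


def demo():
    rules_as_posted = [parse_rule(RULE_445), parse_rule(RULE_RANGE)]  # specific port first
    pkt = packet_from_alert(ALERT_LINE)
    return {
        "matches": matching_msgs(rules_as_posted, pkt),
        "first_as_posted": first_match(rules_as_posted, pkt),
        "first_swapped": first_match(rules_as_posted[::-1], pkt),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The packet 209.181.67.217:3195 -> 12.82.133.46:445 satisfies both headers (source port 3195 lies in 1025:4320, destination port is 445), so under first-match the list order alone decides which msg appears, which is why "swap the order" is a meaningful diagnostic: if the range rule still fires with the specific rule listed first, the engine is not walking the rules in the order the file shows.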

