Snort mailing list archives
FW: Portscan2 woes
From: "Robin Brown" <robin_brown () totalcomm com>
Date: Fri, 2 May 2003 15:31:53 -0400
Doh, I had tried the ignoreports-from: and ignoreports-to: settings but with IP addresses, not ports!!!! My false positives have already dropped off. Thanks so much.

-Robin

--__--__--

Message: 5
From: "Gavin Lowe" <gavin () vanderwell com>
To: <snort-users () lists sourceforge net>
Subject: FW: [Snort-users] Portscan2 woes
Date: Fri, 2 May 2003 11:15:36 -0600

Robin,

I found the answer to that in the archive yesterday. Was having the same problem on my Win2000 box. Add these params to your config file:

preprocessor portscan2-ignorehosts: $DNS_SERVERS
preprocessor portscan2-ignoreports-to: 80 53
preprocessor portscan2-ignoreports-from: 80

Gavin Lowe
Programmer / Network Administrator
glowe () vanderwell com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Robin Brown
Sent: Friday, May 02, 2003 10:04 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Portscan2 woes

I'd like to use it, but I keep getting alerted on what looks like normal return web traffic:

05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0

--__--__--

Message: 6
From: "Sadanapalli, Pradeep Kumar (MED, TCS)" <Pradeep.Sadanapalli () med ge com>
To: snort-users () lists sourceforge net
Date: Fri, 2 May 2003 12:37:29 -0500
Subject: [Snort-users] Snort with DHCP

Hi everyone,

First of all, I thank one and all for all your help to me through your responses.

I am running snort-1.9.1 on RedHat 8.0. I am running snort on my workstation as a personal intrusion desktop system. I only bother about the traffic through my system. So in my "snort.conf" file, I edited the below line

"var HOME_NET 10.1.2.30/24" to
"var HOME_NET my-IP-address"

It works fine. But now I am not using a static IP. I am using DHCP for this, so the IP keeps changing always. So how should I modify the snort.conf file so that it always sets to the IP address of my system? I mean, instead of mentioning my IP address in "var HOME_NET IPADDRESS", is there any other way to configure it (say a variable or so) that sets the HOME_NET to my IP address whatever it is?

Please help me.

Thanks in advance...

Pradeep

--__--__--

Message: 7
Date: Fri, 02 May 2003 12:53:30 -0500
From: David Alonso De La Vega Tapage <delavegad () bancoaliado com>
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Archiving Snort Data - Best time

Hi all,

I would check some mails in the list about snort archiving methods, in my case for auditing objectives. In your experience, what is the best form? Another DB with the same structure as snort, and pass all data to it, or only a backup of the snort files such as alert, log or portscan?

Thanks and cheers,

David Alonso

--__--__--

Message: 8
Date: Fri, 02 May 2003 10:44:05 -0700
From: Terence Runge <terencerunge () sbcglobal net>
To: gcunnin2 () bellsouth net
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] What NICs are people using?

Have you tried this on a Compaq DL380 with dual-port NICs? I have this set up in multiple locations and have not experienced any driver conflicts. This is a RedHat 7.2 build with the Compaq drivers.

http://h18007.www1.hp.com/support/files/server/us/locate/86_1342.html

It looks like these have been upgraded as of April 23, 2003, so I can't directly tell you if they will work. The e100-2.1.29 drivers worked with the following Intel network adapters:

82558 PRO/100+ Dual Port Server Adapter 714303-xxx, 711269-xxx, A28276-xxx
82550 PRO/100 S Dual Port Server Adapter A56831-xxx

Following is some information from Compaq that might help.

-Terence

============

For the build to work properly it is important that the currently running kernel MATCH the version and configuration of the installed kernel source. If you have just recompiled your kernel, reboot the system and choose the correct kernel to boot.

1. Move the base driver tar file to the directory of your choice. For example, use: /home/username/e100 or /usr/local/src/e100.

2. Untar/unzip the archive by entering the following, where <x.x.x> is the version number for the driver tar:

   tar xfz e100-<x.x.x>.tar.gz

3. Change to the driver src directory by entering the following, where <x.x.x> is the version number for the driver tar:

   cd e100-<x.x.x>/src/

4. Compile the driver module:

   make install

   The binary will be installed as one of the following:

   /lib/modules/<kernel_version>/kernel/drivers/net/e100.o
   /lib/modules/<kernel_version>/net/e100.o

   The install locations listed above are the default locations. They may not be correct for certain Linux distributions. For more information, see the ldistrib.txt file included in the driver tar.

5. Install the module:

   insmod e100 <parameter>=<value>

6. Assign an IP address to the interface by entering the following, where <x> is the interface number:

   ifconfig eth<x> <IP_address>

7. Verify that the interface works. Enter the following, where <IP_address> is the IP address for another machine on the same subnet as the interface that is being tested:

   ping <IP_address>

Due to the ARP behavior on Linux, it is not possible to have one system on two IP networks in the same Ethernet broadcast domain (non-partitioned switch) behave as expected. All Ethernet interfaces will respond to IP traffic for any IP address assigned to the system. This results in unbalanced receive traffic. When this occurs, transmits and receives for a single conversation can be split across different network interfaces. Additionally, the server might have up to twice as much transmit capacity as receive capacity, which can result in the receive side being overrun and dropping receives. If you have multiple interfaces in a server, install them in different switches or partition the switch into VLANs to prevent broadcast traffic from going to the wrong interface. This does not apply when using a teaming solution, like ANS.

========

Gordon Cunningham wrote:

Situation: RedHat (choice of version, 7.3+), snort, multiple segments to monitor (up to 4), barnyard, MySQL, Webmin, etc.

RedHat says the use of multiple same-chipset Intel Pro100 NICs won't work due to a bug in the driver. I need to find a solution to support up to 4 sniffing promiscuous Ethernet ports - 2 dual-port NICs or a single 4-port?

Q: What brand/model of multiple NICs are you using to support sniffing up to 4 segments (5th separate NIC for management interface) on RedHat systems?
Q: Do the dual- or multi-port NICs work?
Q: Should I move to another OS?

Didn't find much in the archives... Thanks.

- Gordon

Loved this so much I ripped it: "The software said it requires Windows 98 or better, so I installed Linux..."
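The portscan2 exchange at the top of this digest (Robin's alert line and Gavin's three preprocessor lines) is the kind of thing worth checking mechanically before reloading a sensor. The script below is an added example written for this page; it is not code from the list, from Snort, or from any of the posters. It parses portscan2 alert lines in the layout Robin pasted, reads the portscan2-ignore* lines out of a snort.conf fragment, and reports the exact mistake Robin describes (IP addresses in a port list) instead of accepting it. The matching rule it applies is an assumption drawn from the option names, not a quote of Snort's documentation: a port in the ignoreports-from list suppresses alerts whose source port matches, a port in the ignoreports-to list suppresses alerts whose destination port matches, and ignorehosts suppresses either endpoint. The config fragments and the two extra alert lines are constructed for the example.

```python
"""Triage helper for Snort 1.9/2.0 portscan2 alerts (added example, not Snort code).

Assumptions (not taken from the original posts):
  * a "from" ignore list suppresses alerts whose *source* port is listed,
    a "to" ignore list suppresses alerts whose *destination* port is listed;
  * the alert line layout is the one Robin pasted, one alert per line.
"""
import ipaddress
import re
from dataclasses import dataclass

# Layout of the portscan2 line quoted in the thread. Nothing after "flags:"
# is required, so trailing fields such as event_id do not break the match.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>\S+)\s+"
    r"src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+"
    r"tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)\s+"
    r"flags:\s*(?P<flags>\S+)"
)

CONF_RE = re.compile(r"^\s*preprocessor\s+portscan2-(?P<key>[\w-]+):\s*(?P<val>.*)$")


@dataclass
class IgnoreLists:
    hosts: set
    ports_from: set
    ports_to: set
    errors: list


def parse_conf(text):
    """Read the portscan2-ignore* lines of a snort.conf fragment.

    A token in a *port* list that parses as an address or CIDR block is the
    mistake Robin made; it is recorded in .errors rather than silently kept.
    """
    lists = IgnoreLists(set(), set(), set(), [])
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CONF_RE.match(line)
        if not m:
            continue
        key, tokens = m["key"], m["val"].split()
        if key == "ignorehosts":
            lists.hosts.update(tokens)   # $VARS kept verbatim; Snort expands them
            continue
        if key not in ("ignoreports-from", "ignoreports-to"):
            lists.errors.append(f"line {lineno}: unknown option portscan2-{key}")
            continue
        target = lists.ports_from if key.endswith("from") else lists.ports_to
        for tok in tokens:
            if tok.isdigit() and 0 < int(tok) < 65536:
                target.add(int(tok))
                continue
            try:
                ipaddress.ip_network(tok, strict=False)
                lists.errors.append(
                    f"line {lineno}: {tok!r} is an address, but portscan2-{key} takes ports")
            except ValueError:
                lists.errors.append(f"line {lineno}: {tok!r} is not a port")
    return lists


def parse_alert(line):
    """Return the fields of one portscan2 alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "tgts", "ports"):
        d[k] = int(d[k])
    return d


def classify(alert, lists):
    """Say why an alert would be suppressed, or 'alert' if it would still fire."""
    if alert["src"] in lists.hosts or alert["dst"] in lists.hosts:
        return "ignored-host"
    if alert["sport"] in lists.ports_from:
        return "ignored-sport"
    if alert["dport"] in lists.ports_to:
        return "ignored-dport"
    return "alert"


def triage(conf_text, alert_lines):
    """Apply a config fragment to alert lines; returns (ignore lists, verdicts)."""
    lists = parse_conf(conf_text)
    results = [(a["src"], a["sport"], classify(a, lists))
               for a in map(parse_alert, alert_lines) if a]
    return lists, results


# Constructed input: a config with addresses where ports belong (Robin's first
# attempt), Gavin's corrected lines, and three alert lines in the same layout.
BAD_CONF = "preprocessor portscan2-ignoreports-from: 64.28.64.81 10.0.0.0/8\n"
GOOD_CONF = """\
preprocessor portscan2-ignorehosts: $DNS_SERVERS
preprocessor portscan2-ignoreports-to: 80 53
preprocessor portscan2-ignoreports-from: 80
"""
SAMPLE_ALERTS = [
    "05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0",
    "05/02-08:31:02.000001 TCP src: 10.10.10.1 dst: 192.0.2.9 sport: 40001 dport: 53 tgts: 1 ports: 9 flags: ******S* event_id: 0",
    "05/02-08:40:11.000002 TCP src: 198.51.100.7 dst: 10.10.10.1 sport: 31337 dport: 22 tgts: 1 ports: 40 flags: ******S* event_id: 0",
]

if __name__ == "__main__":
    lists, _ = triage(BAD_CONF, SAMPLE_ALERTS)
    print("\n".join(lists.errors))
    _, results = triage(GOOD_CONF, SAMPLE_ALERTS)
    for src, sport, verdict in results:
        print(f"{src}:{sport} -> {verdict}")
```

Run it against a real snort.conf and the portscan2 log before changing the sensor: the first call shows whether any port list contains addresses, and the second shows which of the recent alerts the new lists would have silenced. The third sample line (a high source port sweeping port 22) is there to show that Gavin's lists only drop return traffic from 80 and 53 and leave a genuine scan alerting.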
--__--__--

Message: 9
Date: Fri, 2 May 2003 13:51:52 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: "Sadanapalli, Pradeep Kumar (MED, TCS)" <Pradeep.Sadanapalli () med ge com>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort with DHCP

On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

[...snip...]

I am running snort-1.9.1 on RedHat 8.0. I am running snort on my workstation as a personal intrusion desktop system. I only bother about the traffic through my system.

Upgrade to 2.0. There are a couple of nasty bugs in 1.9.x, including a remote root possibility.

So in my "snort.conf" file, I edited the below line "var HOME_NET 10.1.2.30/24" to "var HOME_NET my-IP-address". It works fine. But now I am not using a static IP. I am using DHCP for this, so the IP keeps changing always. So how should I modify the snort.conf file so that it always sets to the IP address of my system? I mean, instead of mentioning my IP address in "var HOME_NET IPADDRESS", is there any other way to configure it (say a variable or so) that sets the HOME_NET to my IP address whatever it is?

If your listening interface is eth0 then define it like:

var HOME_NET $eth0_ADDRESS

Right there in the snort.conf....

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

--__--__--

Message: 10
Reply-To: <gcunnin2 () bellsouth net>
From: "Gordon Cunningham" <gcunnin2 () bellsouth net>
To: "Terence Runge" <terencerunge () sbcglobal net>
Cc: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] What NICs are people using?
Date: Fri, 2 May 2003 14:07:11 -0400

Thanks Terence, we'll probably have to use Dell workstation-class systems due to cost factors. I have used Intel dual-port cards in the past, but not under Linux.

- Gordon

"The software said it requires Windows 98 or better, so I installed Linux..."

-----Original Message-----
From: Terence Runge [mailto:terencerunge () sbcglobal net]
Sent: Friday, May 02, 2003 1:44 PM
To: gcunnin2 () bellsouth net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] What NICs are people using?

[...snip...]

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest

Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Portscan2 woes Robin Brown (May 02)
- Re: Portscan2 woes Matt Kettler (May 02)
- Re: Portscan2 woes Erek Adams (May 02)
- <Possible follow-ups>
- FW: Portscan2 woes Gavin Lowe (May 02)
- FW: Portscan2 woes Robin Brown (May 02)
- Re: Portscan2 woes Matt Kettler (May 02)