Snort mailing list archives

FW: Portscan2 woes


From: "Robin Brown" <robin_brown () totalcomm com>
Date: Fri, 2 May 2003 15:31:53 -0400

Doh, I had tried the ignoreports-from: and ignoreports-to: settings but
with IP addresses not ports!!!!

My false positives have already dropped off.

Thanks so much.

-Robin



--__--__--

Message: 5
From: "Gavin Lowe" <gavin () vanderwell com>
To: <snort-users () lists sourceforge net>
Subject: FW: [Snort-users] Portscan2 woes
Date: Fri, 2 May 2003 11:15:36 -0600

Robin,

I found the answer to that in the archive yesterday.  Was having the
same problem on my Win2000 box.

Add these params to your config file:

preprocessor portscan2-ignorehosts: $DNS_SERVERS
preprocessor portscan2-ignoreports-to: 80 53
preprocessor portscan2-ignoreports-from: 80


Gavin Lowe
Programmer / Network Administrator
glowe () vanderwell com


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Robin
Brown
Sent: Friday, May 02, 2003 10:04 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Portscan2 woes

I'd like to use it, but I keep getting alerted on what looks like normal
return web traffic:

05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80
dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0
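
To see why Robin's line fires and which of Gavin's three directives would silence it, here is a small triage script added to this thread (not code from the list or from Snort itself). It parses alert lines in the format Robin quoted, applies the host/port ignore lists the way the directive names read (source host, destination port, source port; my reading, not Snort's source), and flags SYN/ACK replies from a service port as likely return traffic. The $DNS_SERVERS value and the second and third alert lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Regex for the portscan2 alert line format quoted in the thread.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"sport: (?P<sport>\d+) dport: (?P<dport>\d+) tgts: (?P<tgts>\d+) "
    r"ports: (?P<ports>\d+) flags: (?P<flags>\S+) event_id: (?P<event_id>\d+)$")

# Gavin's three directives as a dict; host list stands in for $DNS_SERVERS (constructed).
IGNORE_CONFIG = {
    "ignorehosts": ["10.10.10.5/32"],
    "ignoreports_to": {80, 53},   # destination ports to ignore
    "ignoreports_from": {80},     # source ports to ignore
}

# Constructed sample: line 1 is Robin's posted alert; lines 2-3 are made up.
SAMPLE_ALERTS = """\
05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0
05/02-08:27:31.004511 UDP src: 10.10.10.5 dst: 10.10.10.1 sport: 53 dport: 33101 tgts: 1 ports: 9 flags: ******** event_id: 1
05/02-08:28:02.550200 TCP src: 192.0.2.77 dst: 10.10.10.1 sport: 41022 dport: 22 tgts: 1 ports: 14 flags: ******S* event_id: 2
"""

def parse_alert(line):
    """Parse one portscan2 alert line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}

def ignore_reason(alert, cfg=IGNORE_CONFIG):
    """Name the ignore directive that would suppress the alert, or None."""
    src = ip_address(alert["src"])
    if any(src in ip_network(net, strict=False) for net in cfg["ignorehosts"]):
        return "ignorehosts"
    if alert["dport"] in cfg["ignoreports_to"]:
        return "ignoreports-to"
    if alert["sport"] in cfg["ignoreports_from"]:
        return "ignoreports-from"
    return None

def looks_like_reply_traffic(alert):
    """Robin's false positive: SYN/ACK from a service port to many ephemeral
    ports is a server answering the client, not a scan of the client."""
    return (alert["sport"] < 1024 and alert["dport"] >= 1024
            and "A" in alert["flags"] and "S" in alert["flags"])

def triage(text, cfg=IGNORE_CONFIG):
    """Split alerts into (event_id, reason) lists: still raised vs. suppressed."""
    kept, suppressed = [], []
    for alert in filter(None, map(parse_alert, text.splitlines())):
        reason = ignore_reason(alert, cfg)
        (suppressed if reason else kept).append((alert["event_id"], reason))
    return kept, suppressed
```

Running `triage(SAMPLE_ALERTS)` shows Robin's event 0 dropped by ignoreports-from, the DNS reply dropped by ignorehosts, and the SYN-only probe against port 22 still raised.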

--__--__--

Message: 6
From: "Sadanapalli, Pradeep Kumar (MED, TCS)"
         <Pradeep.Sadanapalli () med ge com>
To: snort-users () lists sourceforge net
Date: Fri, 2 May 2003 12:37:29 -0500 
Subject: [Snort-users] Snort with DHCP


Hi everyone,
First of all, I thank one and all for all your help to me through your
responses. 
 
I am running snort-1.9.1 on RedHat 8.0 . I am running snort on my
workstation as a personal
intrusion desktop system. I only bother about the traffic through my
system. 
So in my "snort.conf" file, I edited the below line
"var HOME_NET 10.1.2.30/24" to
"var HOME_NET my-IP-address"
 
It works fine. But now I am not using a static IP. I am using DHCP for
this, so the IP keeps changing always.
So how should I modify the snort.conf file so that it always sets to the IP
address of my system?

I mean, instead of mentioning my IPADDRESS in "var HOME_NET IPADDRESS",
is there any other way to configure it (say a variable or so) that sets the
HOME_NET to my IP Address whatever it is?
 
Please help me.
 
Thanks in advance...
 
 
Pradeep
 



--__--__--

Message: 7
Date: Fri, 02 May 2003 12:53:30 -0500
From: David Alonso De La Vega Tapage <delavegad () bancoaliado com>
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Archiving Snort Data - Best time

Hi all .. I would check some mails in the list about snort archiving
methods ..

In my case for auditing objectives. In your experience what is the best
form .. ? Other DB with same structure as snort .. and pass all data
.. or only backup for snort files as .. alert, log or portscan ..

Thanx ..  and Cheers ..

David Alonso



--__--__--

Message: 8
Date: Fri, 02 May 2003 10:44:05 -0700
From: Terence Runge <terencerunge () sbcglobal net>
To:  gcunnin2 () bellsouth net
CC:  snort-users () lists sourceforge net
Subject: Re: [Snort-users] What NICs are people using?

Have you tried this on a Compaq DL380 with dual-port NICs? I have this 
set up in multiple locations and have not experienced any driver 
conflicts. This is a RedHat 7.2 build with the Compaq drivers.

http://h18007.www1.hp.com/support/files/server/us/locate/86_1342.html

It looks like these have been upgraded as of April 23, 2003, so I can't
directly tell you if they will work. The e100-2.1.29 drivers worked with
the following Intel network adapters:

82558   PRO/100+ Dual Port Server Adapter    714303-xxx, 711269-xxx, A28276-xxx
82550   PRO/100 S Dual Port Server Adapter   A56831-xxx

Following is some information from Compaq that might help.

-Terence

============
For the build to work properly it is important that the currently 
running kernel MATCH the version and configuration of the installed 
kernel source. If you have just recompiled your kernel, reboot the 
system and choose the correct kernel to boot.

1. Move the base driver tar file to the directory of your choice. For 
example, use: /home/username/e100 or /usr/local/src/e100.

2. Untar/unzip the archive by entering the following, where <x.x.x> is 
the version number for the driver tar:
     tar xfz e100-<x.x.x>.tar.gz

3. Change to the driver src directory by entering the following, where 
<x.x.x> is the version number for the driver tar:
     cd e100-<x.x.x>/src/   

4. Compile the driver module:
     make install

   The binary will be installed as one of the following:
     /lib/modules/<kernel_version>/kernel/drivers/net/e100.o
     /lib/modules/<kernel_version>/net/e100.o

   The install locations listed above are the default locations. They 
may  not be correct for certain Linux distributions. For more 
information, see the ldistrib.txt file included in the driver tar.

5. Install the module:
     insmod e100 <parameter>=<value>
 
6. Assign an IP address to the interface by entering the following, 
where <x> is the interface number:
     ifconfig eth<x> <IP_address>

7. Verify that the interface works. Enter the following, where
<IP_address> is the IP address for another machine on the same subnet as
the interface that is being tested:
     ping <IP_address>

  Due to the ARP behavior on Linux, it is not possible to have one 
system on two IP networks in the same Ethernet broadcast domain 
(non-partitioned switch) behave as expected. All Ethernet interfaces 
will respond to IP traffic for any IP address assigned to the system. 
This results in unbalanced receive traffic.

  When this occurs, transmits and receives for a single conversation can
be split across different network interfaces. Additionally, the server
might have up to twice as much transmit capacity as receive capacity,
which can result in the receive side being overrun and dropping receives.

  If you have multiple interfaces in a server, install them in different
switches or partition the switch into VLANs to prevent broadcast traffic
from going to the wrong interface. This does not apply when using a
teaming solution, like ANS.
========

Gordon Cunningham wrote:

Situation:  RedHat (choice of version, 7.3+), snort, multiple segments to
monitor (up to 4), barnyard, MySQL, Webmin, etc.

RedHat says the use of multiple same-chipset Intel Pro100 NICs won't work
due to a bug in the driver. I need to find a solution to support up to 4
sniffing promiscuous Ethernet ports - 2 dual-port NICs or single 4-port?

Q:  What brand/model of multiple NICs are you using to support sniffing up
to 4 segments (5th separate NIC for management interface) on RedHat
systems?


Q:  Do the dual- or multi-port NICs work?

Q:  Should I move to another OS?


Didn't find much in the archives...  Thanks.


- Gordon

Loved this so much I ripped it:  "The software said it requires Windows 98
or better, so I installed Linux..."

--__--__--

Message: 9
Date: Fri, 2 May 2003 13:51:52 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: "Sadanapalli, Pradeep Kumar (MED, TCS)" <Pradeep.Sadanapalli () med ge com>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort with DHCP

On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

[...snip...]

I am running snort-1.9.1 on RedHat 8.0 . I am running snort on my
workstation as a personal
intrusion desktop system. I only bother about the traffic through my
system.

Upgrade to 2.0.  There's a couple of nasty bugs in 1.9.x including a
remote root possibility.

So in my "snort.conf" file, I edited the below line
"var HOME_NET 10.1.2.30/24" to
"var HOME_NET my-IP-address"

It works fine. But now I am not using a static IP. I am using DHCP for
this, so the IP keeps changing always.
So how should I modify the snort.conf file so that it always sets to the IP
address of my system?

I mean, instead of mentioning my IPADDRESS in "var HOME_NET IPADDRESS",
is there any other way to configure it (say a variable or so) that sets
the HOME_NET to my IP Address whatever it is?


If your listening interface is eth0 then define it like:

        var HOME_NET $eth0_ADDRESS

Right there in the snort.conf....

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


--__--__--

Message: 10
Reply-To: <gcunnin2 () bellsouth net>
From: "Gordon Cunningham" <gcunnin2 () bellsouth net>
To: "Terence Runge" <terencerunge () sbcglobal net>
Cc: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] What NICs are people using?
Date: Fri, 2 May 2003 14:07:11 -0400

Thanks Terence, we'll probably have to use Dell workstation-class systems
due to cost factors.  I have used Intel dual-port cards in the past, but
not under Linux.


- Gordon

"The software said it requires Windows 98 or better, so I installed
Linux..."

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest


