Snort mailing list archives

RE: Help with a config file please?


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Fri, 4 Apr 2003 17:40:13 -0500

I guess I need to better understand the net config to which your
interfaceless NIC is attached and the net config where the ACID console is
attached.  Are you switched?  Have you used a tap?  How exactly is it that
Snort can see all of the traffic?  

Your snort.conf specifies two net blocks as your HOME_NET (var HOME_NET
[1.2.3.190/28,5.6.7.0/24]).  Which net block is Snort listening on?  Which
net block contains the other IP devices you're trying to watch?  

You also stated "I am now able to see portscans going to the IP address of
the snort device", but you also said that the second NIC in the Snort device
is interface-less.  

So what other details can you give us?  It sounds like something in the net
config is not matching up.  


- Christopher 

P.S. As an FYI, Snort understands BPF filters in the same way that WinDump
does.  


-----Original Message-----
From: snort () xiata com [mailto:snort () xiata com]
Sent: Friday, April 04, 2003 5:26 PM
To: L. Christopher Luther
Cc: 'snort () xiata com'; Snort-Users (E-mail)
Subject: RE: [Snort-users] Help with a config file please?


Christopher,

Ok I changed the conf to only send the log data to mysql - I am trying to
stick to the config that silicondefense.com puts out on
http://www.silicondefense.com/support/windows/winsnortdocs/WinSnortIIS.pdf
After re-reading that doc I also made a couple of other changes but so far
no luck on detecting all the nmap stuff that I am sending. I am now able
to see portscans going to the IP address of the snort device but still
nothing comes up when I sweep on the other IPs that I need to monitor.
When I run snort -v -i2 I see all the traffic going through that system
(there is a lot of traffic so I can't simply see the portscan taking
place). When I use windump and I narrow down the scope of it to only
packets w/ a source of the machine that I am using to run nmap I am able
to see those packets then so I know that the stuff is in fact getting to
the snort device.
I took a look @ the mysql and there is data there from the portscan that I
sent to the ip address of the snort so at least the logging part is
taking place in one way, shape or form.

For what it's worth I have 2 nics on this system one to access the ACID
console that only has TCP/IP bound & its firewalled (MS) and the second to
run the monitor and that one has no bindings whatsoever.
Any ideas as to where I screwed up this config are really welcomed.

Carlos


Either send Snort log data to MySQL or alert data to MySQL but not both [0].


Q: Have you run Snort in its sniffer mode (e.g., snort -i1 -v) to see if
the traffic from your scans and 'attacks' are even being seen by Snort?

Q: Have you looked directly into the MySQL database to see if the Snort DB
event table actually has any data in it?

I'm not an ACID popper ;) so I cannot help you much w/ why ACID does not
see any alerts, but from previous posts to this list, I can safely say that
it's often best to rollback your config to something simpler, say alerting
to a text file, while trying to diagnose Snort problems.

- Christopher

[0] - http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
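
Added example, not part of the original thread: a small Python check of which addresses the HOME_NET value quoted in the message above actually covers, which is one way to answer the "which net block contains the devices you're trying to watch" question. The function names and the probe addresses are constructed for illustration; only the HOME_NET line comes from the thread.

```python
import ipaddress
import re

# The HOME_NET definition quoted in the thread.
SNORT_CONF_LINE = "var HOME_NET [1.2.3.190/28,5.6.7.0/24]"

def parse_home_net(line):
    """Parse a 'var HOME_NET [...]' line.

    Returns a list of (text_as_written, normalized_network, host_bits_set).
    host_bits_set is True when the written address is not the network
    address of its own prefix (e.g. a host IP typed with a /28 mask).
    """
    m = re.match(r"\s*var\s+HOME_NET\s+(.+)", line)
    if not m:
        raise ValueError("not a HOME_NET definition")
    value = m.group(1).split("#")[0].strip().strip("[]")
    if value.lower() == "any" or value.startswith("$"):
        raise ValueError("HOME_NET is not a literal CIDR list: " + value)
    blocks = []
    for item in (p.strip() for p in value.split(",") if p.strip()):
        net = ipaddress.ip_network(item, strict=False)
        written = ipaddress.ip_interface(item).ip
        blocks.append((item, net, written != net.network_address))
    return blocks

def coverage(blocks, addresses):
    """Map each address to the HOME_NET block that contains it, or None."""
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        result[addr] = next(
            (str(net) for _, net, _ in blocks if ip in net), None)
    return result

if __name__ == "__main__":
    blocks = parse_home_net(SNORT_CONF_LINE)
    for text, net, host_bits in blocks:
        note = "  (host bits set in config)" if host_bits else ""
        print(f"{text:16} -> {net}  {net[0]} - {net[-1]}{note}")
    # Constructed probe addresses: substitute the sensor and scan targets.
    probes = ["1.2.3.180", "1.2.3.192", "5.6.7.25", "10.0.0.5"]
    for addr, block in coverage(blocks, probes).items():
        print(f"{addr:12} {'in ' + block if block else 'NOT in HOME_NET'}")
```

Run against the quoted line, this shows that 1.2.3.190/28 is a host address written with a /28 mask; the block it denotes is 1.2.3.176/28, i.e. 1.2.3.176 through 1.2.3.191.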
