Snort mailing list archives
RE: Help with a config file please?
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Fri, 4 Apr 2003 17:40:13 -0500
I guess I need to better understand the net config to which your interfaceless NIC is attached and the net config where the ACID console is attached. Are you switched? Have you used a tap? How exactly is it that Snort can see all of the traffic?

Your snort.conf specifies two net blocks as your HOME_NET (var HOME_NET [1.2.3.190/28,5.6.7.0/24]). Which net block is Snort listening on? Which net block contains the other IP devices you're trying to watch?

You also stated "I am now able to see portscans going to the IP address of the snort device", but you also said that the second NIC in the Snort device is interface-less. So what other details can you give us? It sounds like something in the net config is not matching up.

- Christopher

P.S. As a FYI, Snort understands BPF filters in the same way that WinDump does.

-----Original Message-----
From: snort () xiata com [mailto:snort () xiata com]
Sent: Friday, April 04, 2003 5:26 PM
To: L. Christopher Luther
Cc: 'snort () xiata com'; Snort-Users (E-mail)
Subject: RE: [Snort-users] Help with a config file please?

Christopher,

Ok, I changed the conf to only send the log data to mysql - I am trying to stick to the config that silicondefense.com puts out on http://www.silicondefense.com/support/windows/winsnortdocs/WinSnortIIS.pdf

After re-reading that doc I also made a couple of other changes, but so far no luck on detecting all the nmap stuff that I am sending. I am now able to see portscans going to the IP address of the snort device, but still nothing comes up when I sweep on the other IPs that I need to monitor.

When I run snort -v -i2 I see all the traffic going through that system (there is a lot of traffic, so I can't simply see the portscan taking place). When I use windump and I narrow down the scope of it to only packets w/ a source of the machine that I am using to run nmap, I am able to see those packets, so I know that the stuff is in fact getting to the snort device.

I took a look @ the mysql and there is data there from the portscan that I sent to the ip address of the snort, so at least the logging part is taking place in one way, shape or form.

For what it's worth, I have 2 nics on this system: one to access the ACID console that only has TCP/IP bound & is firewalled (MS), and the second to run the monitor, and that one has no bindings whatsoever.

Any ideas as to where I screwed up this config are really welcomed.

Carlos

-----Original Message-----

Either send Snort log data to MySQL or alert data to MySQL but not both [0].

Q: Have you run Snort in its sniffer mode (e.g., snort -i1 -v) to see if the traffic from your scans and 'attacks' is even being seen by Snort?

Q: Have you looked directly into the MySQL database to see if the Snort DB event table actually has any data in it?

I'm not an ACID popper ;) so I cannot help you much w/ why ACID does not see any alerts, but from previous posts to this list, I can safely say that it's often best to roll back your config to something simpler, say alerting to a text file, while trying to diagnose Snort problems.

- Christopher

[0] - http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
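An added example, not from the thread: a small Python check of whether the hosts being swept actually fall inside the HOME_NET list Christopher asks about. The snort.conf fragment is constructed from the thread's HOME_NET line; the host addresses are made up. Rules written as $EXTERNAL_NET -> $HOME_NET cannot fire for a destination outside HOME_NET, so this is a quick way to rule out one config mismatch before digging into ACID or MySQL.

```python
import ipaddress

# Constructed snort.conf fragment; the HOME_NET value is the one quoted in the thread.
SNORT_CONF = """\
var HOME_NET [1.2.3.190/28,5.6.7.0/24]
"""


def parse_var(conf, name):
    """Return the raw value of a 'var NAME value' line from a snort.conf string."""
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var" and parts[1] == name:
            return parts[2]
    raise KeyError(name)


def parse_ip_list(value):
    """Expand Snort's [a,b,!c] list syntax into (include, exclude) networks.

    strict=False masks off the host bits of a CIDR, so 1.2.3.190/28 becomes
    1.2.3.176/28 (hosts .176-.191); that is the range a CIDR match covers.
    $VARIABLE references are not expanded here (assumption: plain CIDRs only).
    """
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    include, exclude = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        (exclude if item.startswith("!") else include).append(net)
    return include, exclude


def in_home_net(ip, include, exclude):
    """True if ip is covered by an included block and not by a negated one."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in exclude):
        return False
    return any(addr in net for net in include)


def check_hosts(conf, hosts):
    """Map each host to whether HOME_NET in conf would match it as a destination."""
    include, exclude = parse_ip_list(parse_var(conf, "HOME_NET"))
    return {host: in_home_net(host, include, exclude) for host in hosts}


if __name__ == "__main__":
    for host, ok in check_hosts(SNORT_CONF, ["1.2.3.180", "1.2.3.170", "5.6.7.9"]).items():
        print(host, "in HOME_NET" if ok else "NOT in HOME_NET")
```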
Current thread:
- Help with a config file please? snort (Apr 03)
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 08)