Snort mailing list archives
I don't get it
From: Stefan Schleifer <stefan.schleifer () linbit com>
Date: Fri, 22 Aug 2003 10:45:56 +0200
hi,

We have been using snort-mysql 1.9 for quite a while and have now updated to 2.0 (2.0.0-3.2.mf.1 Debian packages). One sensor is in front of a Linux firewall, a second one behind it. Both interfaces are in promisc mode and snort is running with "-i any" (we also changed from running 2 snort instances to "-i any").

The problem is that snort is hardly alerting on anything (other than portscans), although I see tons of entries in the firewall for TCP ports 135 and 445 and added the rules for Lovesan and co. Even a Nessus test didn't show up at all.
I just don't get it. Any help is very much appreciated.

thx, stefan

snort.conf:

    var HOME_NET [Subnets]
    var EXTERNAL_NET !$HOME_NET
    var DNS_SERVERS $HOME_NET
    var SMTP_SERVERS $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    var TELNET_SERVERS $HOME_NET
    var HTTP_PORTS 80 443
    var SHELLCODE_PORTS !80
    var ORACLE_PORTS 1521
    var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

    preprocessor frag2
    preprocessor stream4: detect_scans
    preprocessor stream4_reassemble
    preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
    preprocessor rpc_decode: 111 32771
    preprocessor bo
    preprocessor telnet_decode
    preprocessor portscan: $HOME_NET 4 3 portscan.log
    preprocessor portscan-ignorehosts: [hosts]

(yes, I tried portscan2 as well)

.... several rules files included ....

snort sees the traffic (kill -USR1 snort):

    snort: Snort analyzed 68370 out of 68370 packets,
    snort: dropping 0(0.000%) packets
    snort: Breakdown by protocol:           Action Stats:
    snort: TCP: 61938 (90.592%)             ALERTS: 0
    snort: UDP: 4517 (6.607%)               LOGGED: 0
    snort: ICMP: 1586 (2.320%)              PASSED: 0
    snort: ARP: 329 (0.481%)
    snort: EAPOL: 0 (0.000%)
    snort: IPv6: 0 (0.000%)
    snort: IPX: 0 (0.000%)
    snort: OTHER: 0 (0.000%)
    snort: DISCARD: 0 (0.000%)

--
Stefan Schleifer                              Tel +43-1-8178292-54
LINBIT Information Technologies GmbH          Fax +43-1-8178292-82
Schoenbrunner Str. 244, A-1120 Vienna/Europe  http://www.linbit.com
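The config above defines EXTERNAL_NET as !$HOME_NET, so every rule with the usual "$EXTERNAL_NET any -> $HOME_NET <port>" header only fires for traffic whose source lies outside HOME_NET and whose destination lies inside it. The following is an added example, not code from the post or from Snort itself: a deliberately small re-implementation of Snort 2.x rule-header matching (address lists, "any", "!" negation, variable substitution, single ports) run over constructed packets. The real HOME_NET value was redacted as "[Subnets]", so the 10.1.0.0/16 and 192.168.5.0/24 networks, the rule messages and the packet addresses are assumptions. It shows two things worth checking on a silent sensor: internal-to-internal traffic never matches such a rule, and if HOME_NET is ever set to "any", EXTERNAL_NET becomes "!any" and matches nothing at all, which silences every rule that uses it.

```python
"""Simplified model of Snort 2.x rule-header matching (added example, not Snort code)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class AddrSpec:
    """An address list, 'any', or the negation of either (only address vars are modelled)."""
    networks: list = field(default_factory=list)
    any_addr: bool = False
    negated: bool = False

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        inside = self.any_addr or any(addr in net for net in self.networks)
        return (not inside) if self.negated else inside


def parse_addr(spec: str, variables: dict) -> AddrSpec:
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        base = variables[spec[1:]]
        # "!$HOME_NET" flips whatever HOME_NET itself expressed; "!any" matches nothing.
        return AddrSpec(base.networks, base.any_addr, base.negated ^ negated)
    if spec == "any":
        return AddrSpec(any_addr=True, negated=negated)
    # strict=False accepts host bits in a prefix, as snort.conf lists often contain.
    nets = [ipaddress.ip_network(s, strict=False) for s in spec.strip("[]").split(",")]
    return AddrSpec(nets, False, negated)


def parse_vars(conf: str) -> dict:
    """Collect 'var NAME VALUE' lines; later vars may reference earlier ones."""
    variables = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parse_addr(parts[2], variables)
    return variables


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    hit = int(spec.lstrip("!")) == port
    return (not hit) if spec.startswith("!") else hit


@dataclass
class Rule:
    proto: str
    src: AddrSpec
    sport: str
    dst: AddrSpec
    dport: str
    msg: str


HEADER = re.compile(r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text: str, variables: dict) -> Rule:
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    proto, src, sport, dst, dport, opts = m.groups()
    msg = re.search(r'msg:\s*"([^"]*)"', opts)
    return Rule(proto, parse_addr(src, variables), sport,
                parse_addr(dst, variables), dport, msg.group(1) if msg else "")


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def run(conf: str, rule_lines: list, packets: list) -> list:
    """Return one 'src:sport -> dst:dport msg' string per (packet, rule) header match."""
    variables = parse_vars(conf)
    rules = [parse_rule(r, variables) for r in rule_lines]
    hits = []
    for pkt in packets:
        for rule in rules:
            if (rule.proto == pkt.proto and rule.src.matches(pkt.src)
                    and port_matches(rule.sport, pkt.sport)
                    and rule.dst.matches(pkt.dst)
                    and port_matches(rule.dport, pkt.dport)):
                hits.append(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {rule.msg}")
    return hits


# Constructed sample data (not from the post); the networks are assumptions.
CONF_OK = "var HOME_NET [10.1.0.0/16,192.168.5.0/24]\nvar EXTERNAL_NET !$HOME_NET\n"
# Pitfall: HOME_NET any turns EXTERNAL_NET into !any, which no packet can match.
CONF_ANY = "var HOME_NET any\nvar EXTERNAL_NET !$HOME_NET\n"
RULES = ['alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB inbound"; flags:S;)',
         'alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DCERPC inbound"; flags:S;)']
PACKETS = [Packet("tcp", "203.0.113.7", 4121, "10.1.2.3", 445),   # outside -> inside
           Packet("tcp", "10.1.2.3", 1055, "10.1.9.9", 445),      # inside -> inside
           Packet("tcp", "198.51.100.9", 3333, "10.1.2.3", 135)]  # outside -> inside

if __name__ == "__main__":
    for name, conf in (("HOME_NET list", CONF_OK), ("HOME_NET any", CONF_ANY)):
        print(name, run(conf, RULES, PACKETS))
```

With the address list, the two outside-to-inside packets alert and the inside-to-inside one does not; with HOME_NET any, the same rules produce no alerts on the same packets. The model only covers rule headers, so a header that does match still has to pass the rule's options (flags, content, etc.) in real Snort.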