Snort mailing list archives

RE: (no subject)


From: "Kaplan, Andrew H." <AHKAPLAN () PARTNERS ORG>
Date: Wed, 5 Nov 2003 08:29:37 -0500

J.

Thanks for your reply. As to the policy-based.rules file, mine is based on the template found in the Snort 2.0 Intrusion Detection book. The approach it uses has the alert lines at the beginning part of the file, with the pass rules following. According to the book, it is appropriate to have the alerts first, with the pass rules second. However, I will try your approach, and place the pass rules before the alerts and see where that gets me.

The server in question is "outside" the firewall such that traffic going to its port, 80, goes through a "hole" in the wall. There are switches interposed between the server and the router. I can contact our network security team to get more information.

In response to your inquiry, I am using the book that I mentioned earlier. However, I am also planning on purchasing an additional book. My experience with this one has been mixed. I have tried to use it as much as possible, but I have already contacted the publisher about one mistake that I discovered. If the rules file approach you suggested does work, I shall be contacting the publisher again. I am hoping to get another book and be able to RTFM.

Thanks again for your suggestions, and I will keep you up to date.



-----Original Message-----
From: J. [mailto:jeruvy () shaw ca]
Sent: Tuesday, November 04, 2003 9:24 AM
To: Kaplan, Andrew H.
Subject: RE: [Snort-users] (no subject)


Are you sure your rule order is the way you want it?

Most pass rules by default are looked at last, hence you would be seeing
this behaviour.

As for not seeing alerts from the internet, I'd say good great, but I
realize you may want to look at this traffic....so what hardware are you
using for your WAN access?

(I also hate to say this, but have you actually read the documentation?
These issues have been discussed and hashed so many times over the years I
am so bored with discussing them.  As well there are some great books on the
subject...)

Note hubs work, switches don't for a rule of thumb.  There are other
solutions but RTFM.

J.



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Kaplan,
Andrew H.
Sent: Tuesday, November 04, 2003 6:10 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] (no subject)


When writing the policy-based.rules file I had as my first lines several lines that read as follows:

alert ip any any -> [any,10.10.0.0/24] any
alert tcp any any -> [any,10.10.0.0/24] any
alert udp any any -> [any,10.10.0.0/24] any

While these lines were uncommented, I would get an enormous amount of alerts from the 10.10.0.0 subnet even though subsequent pass rules told snort to let pass any and all ip, tcp, and udp traffic on any port. Once I commented out the lines, the alerts dropped down to 0.

Do I need any alert rules at the beginning of the policy-based.rules file to specify what subnets, in this case any subnet excluding the 10.10.0.0 subnet, snort should alert me on? If so, what is the correct syntax?

I did include the -o option in the command syntax. FYI syntax as follows:
      /usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -o

The location of the policy-based.rules file is /etc/snort

Also, I do not seem to be getting any alerts from traffic coming in from the Internet. Is that normal?


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




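The thread above turns on two things: Snort 2.x orders rules by rule type (alert, then pass, then log by default; the -o switch changes that to pass, alert, log), not by their position in the rules file, and a destination list such as [any,10.10.0.0/24] still contains "any", so it matches every packet. The following added example, which is neither Snort's code nor the book's template, is a constructed toy evaluator that models only those two points. It assumes a simplified first-match semantics within each rule type, handles only headers (options are kept as text), exact or "any" ports, CIDR, "!" negation and "[a,b]" lists, and uses constructed sample rules and packets; the "!10.10.0.0/24" rule is the negated form of the question asked in the original post.

```python
"""Toy model of Snort 2.x rule-type ordering and address matching.

Constructed example, not Snort source and not the book's template. It
ignores rule options, Snort's event queue, and most port syntax, and it
assumes the first matching rule in the first matching rule type wins.
"""

import ipaddress

# Assumed orders: Snort 2.x default is alert -> pass -> log; the -o
# command-line switch changes this to pass -> alert -> log.
DEFAULT_ORDER = ("alert", "pass", "log")
ORDER_WITH_O = ("pass", "alert", "log")


def parse_rule(line):
    """Parse a Snort-style header: action proto src sport -> dst dport.

    Anything in parentheses (rule options) is left unparsed; the full
    original line is kept as the rule's label.
    """
    header, _, _options = line.partition("(")
    fields = header.split()
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError("unsupported rule header: %r" % line)
    action, proto, src, sport, _, dst, dport = fields
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line.strip()}


def addr_matches(spec, ip):
    """Match one address field: any, CIDR/host, !negation, or [a,b,...]."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("[") and spec.endswith("]"):
        # A list matches if any element matches; note that a list
        # containing "any" therefore matches every address.
        return any(addr_matches(s.strip(), ip) for s in spec[1:-1].split(","))
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Only 'any' and a single exact port are modelled."""
    return spec == "any" or spec == str(port)


def rule_matches(rule, pkt):
    """'ip' rules match any protocol; otherwise protocols must agree."""
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_matches(rule["src"], pkt["src"])
            and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"])
            and port_matches(rule["dport"], pkt["dport"]))


def verdict(rules, pkt, order=DEFAULT_ORDER):
    """Return (action, rule_text) of the winning rule, or (None, None).

    Rule types are tried in `order`; file position only breaks ties
    within a type, which is why moving pass rules above alert rules in
    the file changes nothing under this model.
    """
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action, rule["text"]
    return None, None


# Constructed sample rules: the poster's three alert headers followed by
# pass rules for the 10.10.0.0/24 subnet in both directions.
POSTED_RULES = [parse_rule(l) for l in """
alert ip any any -> [any,10.10.0.0/24] any
alert tcp any any -> [any,10.10.0.0/24] any
alert udp any any -> [any,10.10.0.0/24] any
pass ip 10.10.0.0/24 any -> any any
pass ip any any -> 10.10.0.0/24 any
""".strip().splitlines()]

# Constructed rule that alerts on traffic to anything except 10.10.0.0/24
# (the negation operator is real Snort syntax; the sid is a placeholder).
EXCLUDING_RULES = [parse_rule(
    'alert ip any any -> !10.10.0.0/24 any '
    '(msg:"traffic to a host outside 10.10.0.0/24"; sid:1000001;)')]

# Constructed packets: one inside the subnet, one to an outside web server.
PKT_IN_SUBNET = {"proto": "tcp", "src": "10.10.0.5", "sport": 40000,
                 "dst": "10.10.0.80", "dport": 80}
PKT_OUTSIDE = {"proto": "tcp", "src": "198.51.100.7", "sport": 1234,
               "dst": "192.0.2.10", "dport": 80}

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("excluding", EXCLUDING_RULES)):
        for pname, pkt in (("in-subnet", PKT_IN_SUBNET), ("outside", PKT_OUTSIDE)):
            for oname, order in (("default", DEFAULT_ORDER), ("-o", ORDER_WITH_O)):
                print(label, pname, oname, verdict(rules, pkt, order))
```

Under the default order the in-subnet packet is alerted on even though a pass rule covers it, because the alert type is consulted first; with the -o order the pass rule wins. The outside packet is alerted on under either order by the posted rules, since [any,10.10.0.0/24] contains "any". Only the negated rule distinguishes the two packets, which is the behaviour the original question asks for.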

