Snort mailing list archives
Snort on an OpenBSD firewall
From: Sean Brown <sblinux () shaw ca>
Date: Mon, 28 Jun 2004 13:29:55 -0600
I'm new to Snort, and trying to get it running on my OpenBSD 3.5 firewall, but
it's just not working right. If I read the documentation right, I should be
able to have Snort listen on pflog0 and just capture and watch the traffic
that's rejected by my firewall, which is handy because Snort isn't then
logging all the ARP traffic that shows up on the line.
When I launch Snort with
/usr/local/bin/snort -c /etc/snort/snort.conf -i pflog0 -d
nothing happens, and after ctrl-d I get this:
Snort analyzed 212 out of 212 packets, dropping 0(0.000%) packets
Breakdown by protocol:            Action Stats:
    TCP: 0     (0.000%)           ALERTS: 0
    UDP: 0     (0.000%)           LOGGED: 0
   ICMP: 0     (0.000%)           PASSED: 0
    ARP: 0     (0.000%)
  EAPOL: 0     (0.000%)
   IPv6: 0     (0.000%)
    IPX: 0     (0.000%)
  OTHER: 212   (100.000%)
DISCARD: 0     (0.000%)
But if I call it on my external interface I get a lot more:
Snort analyzed 275 out of 275 packets, dropping 0(0.000%) packets
Breakdown by protocol:            Action Stats:
    TCP: 198   (72.000%)          ALERTS: 198
    UDP: 1     (0.364%)           LOGGED: 198
   ICMP: 0     (0.000%)           PASSED: 0
    ARP: 74    (26.909%)
  EAPOL: 0     (0.000%)
   IPv6: 0     (0.000%)
    IPX: 0     (0.000%)
  OTHER: 0     (0.000%)
DISCARD: 0     (0.000%)
Now even to get that I had to add a TCP catch-all, which just fills the database
with noise, but that's another problem; it wouldn't even register a port
scan. Why, when I listen on pflog0, does it classify everything as 'OTHER' and
just ignore it all? I can sit with tcpdump and watch it all on pflog0.
Any help is appreciated.
-Sean Brown
#Snort Config file
var HOME_NET 192.168.1.0/26
var EXTERNAL_NET any
var DNS_SERVERS [192.168.1.2,192.168.1.4]
var SQL_SERVERS 192.168.1.2
var TELNET_SERVERS 192.168.1.10
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SNMP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var RULE_PATH ./rules
config detection: search-method lowmem
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
# OUTPUT DATABASE
output database: log,mysql,dbname=snort user=snorter host=192.168.1.2 port=3306 sensor_name=SPARTA_FW_01
#
# Include classification & priority settings
#
include $RULE_PATH/classification.config
#
# Include reference systems
#
include $RULE_PATH/reference.config
# RULES
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/misc.rules
include /home/sean/test.rules
test.rules just has this:
alert tcp any any -> any any (msg:"TCP traffic";)
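As an added example (not part of Sean's post and not Snort's own code), the script below does two things a defender wants when a sensor shows this symptom. It parses the two end-of-run summaries quoted above and flags a run in which nearly every packet lands in OTHER, i.e. the decoder counted the packets but recognised none of them; and it reads the link-layer type out of a pcap global header, so one can confirm what framing an interface actually delivers before blaming the rules. The link-type numbers it knows (1 = EN10MB for Ethernet, 117 = PFLOG for OpenBSD's pflog) are standard libpcap values, not something stated in the post; the 0.9 threshold, the function names and the constructed header bytes are my own assumptions.

```python
import re
import struct

# Constructed sample input: the two end-of-run summaries quoted in the post
# above (pflog0 first, then the external interface).
PFLOG_SUMMARY = """\
Snort analyzed 212 out of 212 packets, dropping 0(0.000%) packets
Breakdown by protocol: Action Stats:
TCP: 0 (0.000%) ALERTS: 0
UDP: 0 (0.000%) LOGGED: 0
ICMP: 0 (0.000%) PASSED: 0
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 212 (100.000%)
DISCARD: 0 (0.000%)
"""

EXTERNAL_SUMMARY = """\
Snort analyzed 275 out of 275 packets, dropping 0(0.000%) packets
Breakdown by protocol: Action Stats:
TCP: 198 (72.000%) ALERTS: 198
UDP: 1 (0.364%) LOGGED: 198
ICMP: 0 (0.000%) PASSED: 0
ARP: 74 (26.909%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
"""

ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
PROTO_RE = re.compile(r"^\s*(TCP|UDP|ICMP|ARP|EAPOL|IPv6|IPX|OTHER|DISCARD):\s+(\d+)\s+\(")


def parse_summary(text):
    """Parse Snort's end-of-run summary into (analyzed, received, {proto: count})."""
    analyzed = received = 0
    counts = {}
    for line in text.splitlines():
        m = ANALYZED_RE.search(line)
        if m:
            analyzed, received = int(m.group(1)), int(m.group(2))
            continue
        m = PROTO_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return analyzed, received, counts


def decode_health(text, other_threshold=0.9):
    """Classify a run: 'idle' (no packets), 'undecoded' (nearly all OTHER) or 'ok'.

    The threshold is an assumed value; tune it for the link in question.
    """
    analyzed, _, counts = parse_summary(text)
    if analyzed == 0:
        return "idle"
    other_ratio = counts.get("OTHER", 0) / analyzed
    return "undecoded" if other_ratio >= other_threshold else "ok"


# libpcap link-layer type numbers (standard libpcap values, not from the post).
LINKTYPE_NAMES = {0: "NULL", 1: "EN10MB", 12: "RAW", 117: "PFLOG"}

# pcap global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, network
_PCAP_HDR = "IHHiIII"
# Magic as read big-endian from the file -> byte order to use for the header.
_MAGICS = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<", 0xA1B23C4D: ">", 0x4D3CB2A1: "<"}


def pcap_linktype(header):
    """Return (linktype number, name) from the first 24 bytes of a pcap file."""
    if len(header) < 24:
        raise ValueError("need the 24-byte pcap global header")
    magic = struct.unpack(">I", header[:4])[0]
    endian = _MAGICS.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap header: magic 0x%08x" % magic)
    network = struct.unpack(endian + _PCAP_HDR, header[:24])[6]
    return network, LINKTYPE_NAMES.get(network, "UNKNOWN(%d)" % network)


def make_pcap_header(linktype, little_endian=True):
    """Build a constructed 24-byte pcap header (stands in for a real capture file)."""
    endian = "<" if little_endian else ">"
    return struct.pack(endian + _PCAP_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


if __name__ == "__main__":
    for name, text in (("pflog0", PFLOG_SUMMARY), ("external", EXTERNAL_SUMMARY)):
        print("%-8s %s" % (name, decode_health(text)))
    # With a real capture: pcap_linktype(open("pflog.pcap", "rb").read(24))
    print(pcap_linktype(make_pcap_header(117)))
```

Run against the two summaries, the pflog0 run comes back "undecoded" and the external run "ok", which separates a decoder problem from a rules problem; feeding the first 24 bytes of a `tcpdump -i pflog0 -w` capture to `pcap_linktype` then shows which link type the sensor is being asked to decode.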