Re: Snort on an OpenBSD firewall

[Sean Brown <sblinux () shaw ca>]

On June 28, 2004 04:56 pm, Dragos Ruiu wrote:
> Is pf running?
Yes it is, quite well, and I can see traffic on pflog0 with tcpdump and snort 
-v -i pflog0 sees the information, but says its "other" instead of what it 
is, tcp, udp etc.

> cheers,
> --dr
>
> On June 28, 2004 12:29 pm, Sean Brown wrote:
> > I'm new to snort, and trying to get it running on my OpenBSD 3.5
> > firewall, but its just not working right. If i read the documentation
> > right, i should be able to have snort listen on pflog0 and just cpture
> > and watch the traffic thats regected by my firewall, which is handy
> > because snort isn't then logging all the arp traffic that shows up on the
> > line.
> >
> > When I launch snort with
> > /usr/local/bin/snort -c /etc/snort/snort.conf -i pflog0 -d
> > Nothing happenes and after ctrl-d i get this:
> >
> >     Snort analyzed 212 out of 212 packets, dropping 0(0.000%) packets
> >
> >     Breakdown by protocol:                Action Stats:
> >        TCP: 0          (0.000%)          ALERTS: 0
> >         UDP: 0          (0.000%)          LOGGED: 0
> >        ICMP: 0          (0.000%)          PASSED: 0
> >         ARP: 0          (0.000%)
> >       EAPOL: 0          (0.000%)
> >        IPv6: 0          (0.000%)
> >         IPX: 0          (0.000%)
> >       OTHER: 212        (100.000%)
> >     DISCARD: 0          (0.000%)
> >
> > But if I call it on my external interface I get a lot more:
> >
> >     Snort analyzed 275 out of 275 packets, dropping 0(0.000%) packets
> >
> >     Breakdown by protocol:                Action Stats:
> >         TCP: 198        (72.000%)         ALERTS: 198
> >         UDP: 1          (0.364%)          LOGGED: 198
> >        ICMP: 0          (0.000%)          PASSED: 0
> >         ARP: 74         (26.909%)
> >       EAPOL: 0          (0.000%)
> >        IPv6: 0          (0.000%)
> >         IPX: 0          (0.000%)
> >       OTHER: 0          (0.000%)
> >     DISCARD: 0          (0.000%)
> >
> > Now even to get that i had to add a TCP catchall which just fills the
> > database with noise, but thats another problem, it wouldn't even register
> > a port scan.. Why when I listen on pflog0 does it classify everything as
> > 'Other' and just ignore it all. I can sit with TCP dump and watch it all
> > on pflog0
> >
> > Any help is appreciated
> > -Sean Brown
> >
> > #Snort Config file
> > var HOME_NET 192.168.1.0/26
> >
> > var EXTERNAL_NET any
> >
> > var DNS_SERVERS [192.168.1.2,192.168.1.4]
> >
> > var SQL_SERVERS 192.168.1.2
> >
> > var TELNET_SERVERS 192.168.1.10
> >
> > var AIM_SERVERS
> > [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12
> >
> > var HTTP_SERVERS $HOME_NET
> > var HTTP_PORTS 80
> > var SNMP_SERVERS $HOME_NET
> > var SMTP_SERVERS $HOME_NET
> >
> > var RULE_PATH ./rules
> >
> > config detection: search-method lowmem
> >
> > preprocessor stream4: detect_scans, disable_evasion_alerts
> > preprocessor stream4_reassemble
> > #preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
> > iis_flip_slash full_whitespace
> >
> > # OUTPUT DATABASE
> >
> > output database: log,mysql,dbname=snort user=snorter host=192.168.1.2
> > port=3306 sensor_name=SPARTA_FW_01
> >
> > #
> > # Include classification & priority settings
> > #
> > include $RULE_PATH/classification.config
> >
> > #
> > # Include reference systems
> > #
> >
> > include $RULE_PATH/reference.config
> >
> > # RULES
> > include $RULE_PATH/bad-traffic.rules
> > include $RULE_PATH/scan.rules
> > include $RULE_PATH/finger.rules
> > include $RULE_PATH/telnet.rules
> > include $RULE_PATH/rservices.rules
> > include $RULE_PATH/dos.rules
> > include $RULE_PATH/ddos.rules
> > include $RULE_PATH/snmp.rules
> > include $RULE_PATH/exploit.rules
> > include $RULE_PATH/x11.rules
> > include $RULE_PATH/mysql.rules
> > include $RULE_PATH/misc.rules
> > include /home/sean/test.rules
> >
> > test rules just has this:
> > alert tcp any any -> any any (msg:"TCP traffic";)
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email sponsored by Black Hat Briefings & Training.
> > Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> > digital self defense, top technical experts, no vendor pitches,
> > unmatched networking opportunities. Visit www.blackhat.com
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users