Snort mailing list archives
snort not catching all hosts
From: "Koski, Brian" <bkoski () citrusheights net>
Date: Wed, 14 Jul 2004 09:05:15 -0700
Problem: Snort does not capture events to one of my servers, which is both in HOME_NET and also added as a variable in DMZ_SERVERS; it used to log events to target 172.16.3.14; however, I see attempts in the URL logs and recently had a hack attempt I just happened to notice via other means (Snort was silent on this). Any ideas? Do I need some custom rules?

I am currently running Snort 2.1.3 on XP (started with Snort 2.0.1). I am capturing traffic that gets past the firewall to the DMZ hosts, which are defined in the config:

var HOME_NET [172.16.3.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS [172.16.3.13,172.16.3.14]
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var DMZ_SERVERS [172.16.3.10,172.16.3.13,172.16.3.14]
var RULE_PATH ../rules

---

Some history: Snort had stopped logging altogether a while back until I upgraded to 2.1.1, but I notice since then I only get alerts to 172.16.3.13 and no longer for host .14. BTW, I got the interface off the Cisco switch a while ago because there were 'issues'.

City of Citrus Heights
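The first thing to rule out with a "Snort is silent for one host" report is whether the address variables actually cover that host, since a rule only fires on traffic that matches its `$VAR` source/destination. The following script is an added example (not from the post above and not part of the Snort project): it parses the `var` lines the post lists, resolves `$REF` and leading-`!` negation the way Snort 2.x does for those forms, and reports which variables contain 172.16.3.14. It assumes only the syntax that appears in the post (a bracketed comma list, a single `$REF`, or `!$REF`), IPv4, and no negation inside a list; the configuration text embedded in it is copied from the post, not read from a file.

```python
"""Check which Snort 2.x address variables cover a given host.

Added example; handles only the 'var' syntax used in the posted config:
  var NAME [a.b.c.d,e.f.g.0/24]   bracketed list of hosts/CIDRs
  var NAME $OTHER                 reference to another variable
  var NAME !$OTHER                complement of another variable
Port variables (HTTP_PORTS 80, ...) are parsed but must not be resolved
as addresses; only the names passed to coverage() are resolved.
"""
import ipaddress
import re

# Constructed fragment: the address-related variables from the post.
SNORT_CONF = """\
var HOME_NET [172.16.3.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var HTTP_SERVERS [172.16.3.13,172.16.3.14]
var HTTP_PORTS 80
var DMZ_SERVERS [172.16.3.10,172.16.3.13,172.16.3.14]
"""

ADDRESS_VARS = ["HOME_NET", "EXTERNAL_NET", "DNS_SERVERS",
                "HTTP_SERVERS", "DMZ_SERVERS"]


def parse_vars(conf_text):
    """Return {NAME: raw value} for every 'var NAME VALUE' line."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def resolve(name, variables, _seen=frozenset()):
    """Resolve an address variable to (networks, negated).

    negated=True means the variable is the complement of 'networks',
    which is how EXTERNAL_NET = !$HOME_NET is expressed.
    """
    if name in _seen:
        raise ValueError(f"circular reference in ${name}")
    if name not in variables:
        raise KeyError(f"${name} is not defined")
    raw = variables[name]
    negated = False
    if raw.startswith("!"):          # leading '!' flips the sense
        negated = True
        raw = raw[1:]
    if raw.startswith("$"):          # reference to another variable
        nets, inner_negated = resolve(raw[1:], variables, _seen | {name})
        return nets, negated != inner_negated
    tokens = [t.strip() for t in raw.strip("[]").split(",") if t.strip()]
    # strict=False tolerates entries like 64.12.26.14/24 with host bits set
    nets = [ipaddress.ip_network(t, strict=False) for t in tokens]
    return nets, negated


def matches(ip, name, variables):
    """True if 'ip' is inside the address variable 'name'."""
    addr = ipaddress.ip_address(ip)
    nets, negated = resolve(name, variables)
    hit = any(addr in net for net in nets)
    return hit != negated


def coverage(ip, variables, names=ADDRESS_VARS):
    """Map each named address variable to whether it covers 'ip'."""
    return {n: matches(ip, n, variables) for n in names}


if __name__ == "__main__":
    variables = parse_vars(SNORT_CONF)
    for host in ("172.16.3.13", "172.16.3.14"):
        print(host, coverage(host, variables))
```

Run against the posted variables, the report shows 172.16.3.14 inside HOME_NET, HTTP_SERVERS and DMZ_SERVERS and outside EXTERNAL_NET, exactly like 172.16.3.13, so the variable definitions do not explain why one host alerts and the other does not. Two caveats follow from that: a variable such as DMZ_SERVERS only matters if some rule actually references `$DMZ_SERVERS`, and a rule can only fire on packets the sniffing interface receives. The next check is therefore a raw capture on the Snort box filtered on `host 172.16.3.14` (for example with `snort -v -i <iface>` or WinDump on XP); a monitoring port that no longer mirrors that server's traffic would produce exactly the symptom described, with no rule involved.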