Snort mailing list archives

Inline logging?


From: mdpeters <michael.peters () lazarusalliance com>
Date: Mon, 17 Jan 2005 14:47:50 -0500

I have finally gotten Snort-Inline to pass traffic through a transparent bridge on Fedora Core 2, kernel vmlinuz-2.6.10-1.9_FC2smp.

I am running a nessus scan from one side of the bridge to another host on the other side of the bridge. I have these rules that I think should log everything passing through:

alert tcp $IPS_INGRESS any <> $EXTERNAL_NET any (msg: "test tcp inbound connections";)
alert udp $IPS_INGRESS any <> $EXTERNAL_NET any (msg: "test udp inbound connections";)
alert icmp $IPS_INGRESS any <> $EXTERNAL_NET any (msg: "test icmp inbound connections";)
#
alert tcp $IPS_EGRESS any <> $EXTERNAL_NET any (msg: "test tcp outbound connections";)
alert udp $IPS_EGRESS any <> $EXTERNAL_NET any (msg: "test udp outbound connections";)
alert icmp $IPS_EGRESS any <> $EXTERNAL_NET any (msg: "test icmp outbound connections";)

var IPS_INGRESS 67.14.155.128/27
var IPS_EGRESS 67.14.155.128/27
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
config checksum_mode: none
var RULE_PATH /opt/snort-inline/rules/ips
config layer2resets: 00:04:23:AD:ED:BA
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts,iptablesnewmark,iptablesestmark,forceiptstate
preprocessor stream4_reassemble: both
# preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output alert_full: snort-inline-full
output alert_fast: snort-inline-fast
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=username password=password dbname=snort host=localhost sensor_name=IPS
output log_tcpdump: tcpdump.log
include ips-classification.config
include ips-reference.config
include $RULE_PATH/ips.rules

I have regular Snort logging just fine. Does anyone have any ideas?

--

Best regards,

Michael
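As an added example (not part of the original post, and not Snort's own code), the following Python script resolves the var definitions from the config above and evaluates the six rule headers against a packet five-tuple the way Snort's header matching works, including the bidirectional <> operator, so one can confirm which headers a given scan packet should satisfy. The addresses and ports in the sample tuples are constructed; the matcher covers only header fields (action, protocol, addresses, ports, direction), not rule options, stream state, or the inline queue path.

```python
import ipaddress
import re

# Constructed sample: the var lines and the six rule headers from the post.
VARS = {
    "IPS_INGRESS": "67.14.155.128/27",
    "IPS_EGRESS": "67.14.155.128/27",
    "EXTERNAL_NET": "any",
}

RULES = [
    'alert tcp $IPS_INGRESS any <> $EXTERNAL_NET any (msg: "test tcp inbound connections";)',
    'alert udp $IPS_INGRESS any <> $EXTERNAL_NET any (msg: "test udp inbound connections";)',
    'alert icmp $IPS_INGRESS any <> $EXTERNAL_NET any (msg: "test icmp inbound connections";)',
    'alert tcp $IPS_EGRESS any <> $EXTERNAL_NET any (msg: "test tcp outbound connections";)',
    'alert udp $IPS_EGRESS any <> $EXTERNAL_NET any (msg: "test udp outbound connections";)',
    'alert icmp $IPS_EGRESS any <> $EXTERNAL_NET any (msg: "test icmp outbound connections";)',
]

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def resolve(token, variables):
    """Expand a $VAR reference; an undefined variable is a config error."""
    if token.startswith("$"):
        name = token[1:]
        if name not in variables:
            raise ValueError(f"undefined variable ${name}")
        return variables[name]
    return token


def addr_matches(spec, ip):
    """Address spec: 'any', an IP or CIDR, a [a,b] list, or a '!' negation."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(p, ip) for p in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Port spec: 'any', N, N:M, :M, N:, or a '!' negation."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def parse_rule(line, variables):
    """Split a rule header into its fields and resolve variables."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse header: {line}")
    h = m.groupdict()
    for k in ("src", "sport", "dst", "dport"):
        h[k] = resolve(h[k], variables)
    msg = re.search(r'msg:\s*"([^"]*)"', h["opts"])
    h["msg"] = msg.group(1) if msg else ""
    return h


def header_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True if the tuple satisfies the header; '<>' accepts either direction."""
    if rule["proto"] not in (proto, "ip"):
        return False
    forward = (addr_matches(rule["src"], src_ip) and port_matches(rule["sport"], src_port)
               and addr_matches(rule["dst"], dst_ip) and port_matches(rule["dport"], dst_port))
    if forward or rule["dir"] == "->":
        return forward
    return (addr_matches(rule["src"], dst_ip) and port_matches(rule["sport"], dst_port)
            and addr_matches(rule["dst"], src_ip) and port_matches(rule["dport"], src_port))


def matching_msgs(rules, variables, proto, src_ip, src_port, dst_ip, dst_port):
    """Return the msg strings of every rule whose header the tuple satisfies."""
    parsed = [parse_rule(r, variables) for r in rules]
    return [p["msg"] for p in parsed
            if header_matches(p, proto, src_ip, src_port, dst_ip, dst_port)]


if __name__ == "__main__":
    # Constructed tuples: a scanner inside the /27 probing a host across the bridge,
    # the reply direction, and a flow with neither endpoint in the /27.
    for tup in [("tcp", "67.14.155.130", 40000, "10.0.0.5", 80),
                ("tcp", "10.0.0.5", 80, "67.14.155.130", 40000),
                ("tcp", "10.0.0.1", 1234, "10.0.0.2", 22)]:
        print(tup, "->", matching_msgs(RULES, VARS, *tup))
```

Because $EXTERNAL_NET is any and both local variables name the same /27, a packet matches as long as one endpoint is inside 67.14.155.128/27; a flow with both endpoints outside that block satisfies none of the six headers. Running the script against the actual scanner and target addresses is a quick way to rule out the header before looking at the bridge or queue path.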
