Snort mailing list archives
session monitoring question
From: Eddie Corns <E.Corns () ed ac uk>
Date: Thu, 2 Aug 2007 19:32:41 +0100 (BST)
Hi all,

I've started looking at Snort. The first thing I decided to try and do was using it to monitor traffic inbound to particular host(s). That is, I want to log all traffic on sessions that were initiated by an external host and completely ignore all traffic for sessions initiated by the monitored host(s). However, I think I need some help to get started.

So far I've created a config file where I've commented out everything except flow, frag3 and stream5 and added an include to my.rules, i.e.

    var HOME_NET 129.215.200.0/24
    var EXTERNAL_NET any
    var DNS_SERVERS $HOME_NET
    var SMTP_SERVERS $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    var TELNET_SERVERS $HOME_NET
    var SNMP_SERVERS $HOME_NET
    var HTTP_PORTS 80
    var SHELLCODE_PORTS !80
    var ORACLE_PORTS 1521
    var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
    var RULE_PATH /home/eddie/snort/rules
    dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/
    dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
    preprocessor flow: stats_interval 0 hash 2
    preprocessor frag3_global: max_frags 65536
    preprocessor frag3_engine: policy first detect_anomalies
    preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                                 track_udp no
    preprocessor stream5_tcp: policy first, use_static_footprint_sizes, \
                              ports client all, timeout 86400
    include $RULE_PATH/my.rules

In my.rules I've experimented a little but I'm not sure what to do. My first attempt was:

    log IP any any -> <target> any (flow:from_client,only_stream;sid:9999;)

This didn't do anything at all. Removing only_stream showed that it was at least doing something, but presumably not what I want. Am I even going in the right direction? I had hoped the stream_only option was a simple way of waiting until the end (though I realise this may not be the best idea in the long run).
Do I need some multistage set of rules with flowbits or some such? Any hints appreciated.

Cheers,
Eddie
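One way to get the "externally initiated sessions only" logging asked about above, as an added example that is not part of this thread: with stream5 tracking TCP, the flow keyword's to_server/to_client directions are relative to whichever side opened the session, so two rules with opposite header directions select just the sessions an external host initiated, with no flowbits needed. It assumes the HOME_NET/EXTERNAL_NET variables from the config in the post; the sid values and msg strings are made up for the example.

```snort
# Added example, not from the thread. Needs stream5_tcp tracking (as in
# the config above); flow direction is relative to the session initiator,
# so a session opened by a HOME_NET host matches neither rule.

# Packets from the external client to the local server. Only sessions
# opened by the external side have $EXTERNAL_NET as the client.
log tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"inbound session, client->server"; \
     flow:to_server,established; sid:9000001; rev:1;)

# Replies from the local server back to that external client. In a
# home-initiated session, home->external packets are to_server, so they
# do not match here.
log tcp $HOME_NET any -> $EXTERNAL_NET any \
    (msg:"inbound session, server->client"; \
     flow:to_client,established; sid:9000002; rev:1;)
```

Because of "established", the handshake packets themselves are not logged, and sessions already open when Snort starts are never seen by stream5 and so are not logged either. The rules cover TCP only; the posted config has track_udp no, so stream5 has no client/server notion for UDP.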