Snort mailing list archives

session monitoring question


From: Eddie Corns <E.Corns () ed ac uk>
Date: Thu, 2 Aug 2007 19:32:41 +0100 (BST)


Hi all,
I've started looking at Snort.  The first thing I decided to try and do was
using it to monitor traffic inbound to particular host(s).  That is, I want to
log all traffic on sessions that were initiated by an external host and
completely ignore all traffic for sessions initiated by the monitored
host(s).  However I think I need some help to get started.

So far I've created a config file where I've commented out everything except
flow, frag3 and stream5 and added an include to my.rules, i.e.:
var HOME_NET 129.215.200.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /home/eddie/snort/rules
dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                             track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes, \
   ports client all, timeout 86400
include $RULE_PATH/my.rules

In my.rules I've experimented a little but I'm not sure what to do.  My first
attempt was:

  log IP any any -> <target> any (flow:from_client,only_stream;sid:9999;)

this didn't do anything at all.  Removing only_stream showed that it was at
least doing something but not presumably what I want.

Am I even going in the right direction?  I had hoped the only_stream option
was a simple way of waiting until the end (though I realise this may not be
the best idea in the long run).  Do I need some multistage set of rules with
flowbits or some such?  Any hints appreciated.

Cheers,
Eddie
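One way to get the directional logging asked for above, as an added example that is not part of the original post: stream5 records which side sent the SYN, so the `flow` keyword's `to_server`/`to_client` tests can select packets belonging only to sessions an external host opened. The `only_stream` modifier used in the post restricts a rule to the reassembled stream pseudo-packets stream5 builds, so raw packets never match it. The sids, msg strings and the `log` action's output destination (default log directory, or an `output log_tcpdump:` line in snort.conf) are assumptions.

```snort
# Sessions opened by an external host toward the monitored network.
# Client-to-server half: the external client is the sender, so the
# packet travels EXTERNAL -> HOME and flow:to_server is true.
log tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"inbound-initiated session, client side"; flow:to_server,established; sid:1000001; rev:1;)

# Server-to-client half of the same sessions: the monitored host replies,
# so the packet travels HOME -> EXTERNAL and flow:to_client is true.
log tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"inbound-initiated session, server side"; flow:to_client,established; sid:1000002; rev:1;)

# Sessions opened by a monitored host are never matched: their
# HOME -> EXTERNAL packets are to_server and their EXTERNAL -> HOME
# packets are to_client, the opposite of the two rules above.
#
# 'established' excludes the three-way handshake itself; drop it from
# both rules if the SYN/SYN-ACK/ACK packets should be logged as well.
# The stream5_global line in the post has track_udp no, so no UDP
# session direction is tracked and these rules are TCP-only.
```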

_______________________________________________
Snort-users mailing list