Snort mailing list archives

Re: [Snort-Users] Re: Some questions about stream5 preprocessor


From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Mon, 3 Oct 2011 00:17:29 -0400

Ports listed under "client" tell stream5 to do stream reassembly for
traffic going from the client to the server.  "Both" means do it in
either direction.

In the example below, most attacks for ssh are against servers, so
inspecting the traffic from clients to servers and doing reassembly is
desired.  For http attacks they can go either direction.

For b) that configuration looks fine.

The example from the snort manual is similar. You may wish to add a
"default" line, the last line below, in case your sensor sees traffic
not defined in the two bind_to lines.
preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux
preprocessor stream5_tcp: policy solaris

Cheers,
-matt

On Fri, Sep 30, 2011 at 4:34 PM, carlopmart <carlopmart () gmail com> wrote:
On 09/30/2011 12:57 PM, carlopmart wrote:

Hi all,

I have set up one Snort 2.9.1 sensor using the multiple-configs option. After
some time configuring it I have two questions:

a) What is the reason for putting some (and different) TCP ports under the
"ports client" option and others under the "ports both" option? For
example, in the snort.conf file released with the official Snort rules
(snortrules-snapshot-2910.tar.gz), the ssh port is configured under the "ports
client" option and the http port under "ports both". Why? How can I
determine when a certain TCP port needs to be configured under "ports
client", "ports both" or "ports server"?

b) Using the multiple-configs option, is this configuration OK?

- global config: preprocessor stream5_tcp: policy solaris
- specific config for net a.a.a.a/24: preprocessor stream5_tcp: bind_to
192.168.1.0/24, policy windows
- specific config for net b.b.b.b/24: preprocessor stream5_tcp: bind_to
10.1.1.0/24, policy linux

Many thanks.


Please, any help?

--
CL Martinez
carlopmart {at} gmail {d0t} com



Please visit http://blog.snort.org for the latest news about Snort!




-- 
Matthew Watchinski
V.P. Vulnerability Research (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/
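As an added example, not part of this thread and not Snort's own code: a small Python checker that parses the stream5_tcp lines of a Snort 2.9-style snort.conf, reports which direction gets reassembly for a given port (client-to-server for "ports client", server-to-client for "ports server", either direction for "ports both"), resolves which bound policy applies to a host, and lints for the missing default line Matt mentions. The sample configuration is constructed for the example; the rule that the first matching bind_to line wins is an assumption of this checker, not verified Snort behaviour.

```python
"""Parse and lint stream5_tcp lines from a Snort 2.9-style snort.conf."""
import ipaddress
import re

# Constructed sample: two bound policies plus a default, mirroring the thread.
SAMPLE_CONF = """
# global config
preprocessor stream5_global: track_tcp yes, max_tcp 262144
preprocessor stream5_tcp: policy solaris, ports client 21 22 23 25, ports both 80 443 8080
# per-network bindings
preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows, ports client 22, ports server 445
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux
"""

LINE_RE = re.compile(r"^\s*preprocessor\s+stream5_tcp\s*:\s*(.*)$")
# Split options on commas that are not inside a [...] bind_to list.
OPT_SPLIT_RE = re.compile(r",(?![^\[]*\])")


def parse_ports(tokens):
    """Expand a 'ports <dir> ...' value: numbers, 'all', or 'none'."""
    ports = set()
    for t in tokens:
        if t == "all":
            ports.update(range(65536))
        elif t != "none":
            ports.add(int(t))
    return ports


def parse_stream5_tcp(text):
    """Return one dict per stream5_tcp line: bind_to nets, policy, ports per direction."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        entry = {"bind_to": [], "policy": None,
                 "ports": {"client": set(), "server": set(), "both": set()}}
        for opt in (o.strip() for o in OPT_SPLIT_RE.split(m.group(1)) if o.strip()):
            words = opt.split()
            if words[0] == "bind_to" and len(words) == 2:
                nets = words[1].strip("[]").split(",")
                entry["bind_to"] = [ipaddress.ip_network(n, strict=False) for n in nets]
            elif words[0] == "policy" and len(words) == 2:
                entry["policy"] = words[1]
            elif words[0] == "ports" and len(words) >= 3 and words[1] in entry["ports"]:
                entry["ports"][words[1]].update(parse_ports(words[2:]))
        entries.append(entry)
    return entries


def reassembly_for(entry, port):
    """Direction(s) stream5 reassembles for `port` under one stream5_tcp line.
    'client' = client-to-server only, 'server' = server-to-client only,
    'both' = either direction, 'none' = no reassembly for this port."""
    p = entry["ports"]
    if port in p["both"] or (port in p["client"] and port in p["server"]):
        return "both"
    if port in p["client"]:
        return "client"
    if port in p["server"]:
        return "server"
    return "none"


def policy_for(entries, host):
    """Policy applied to `host`: first matching bind_to line (an assumption of
    this checker), else the first unbound (default) line, else None."""
    ip = ipaddress.ip_address(host)
    for e in entries:
        if any(ip in net for net in e["bind_to"]):
            return e["policy"]
    for e in entries:
        if not e["bind_to"]:
            return e["policy"]
    return None


def lint(entries):
    """Checks a practitioner wants on a multi-config sensor."""
    warnings = []
    if not any(not e["bind_to"] for e in entries):
        warnings.append("no default stream5_tcp policy line: traffic outside the bind_to nets is not covered")
    for i, e in enumerate(entries):
        if e["policy"] is None:
            warnings.append(f"stream5_tcp entry {i} has no policy")
    bound = [e for e in entries if e["bind_to"]]
    for i, a in enumerate(bound):
        for b in bound[i + 1:]:
            for na in a["bind_to"]:
                for nb in b["bind_to"]:
                    if na.overlaps(nb):
                        warnings.append(f"bind_to {na} overlaps {nb}: only the first matching line applies")
    return warnings


if __name__ == "__main__":
    entries = parse_stream5_tcp(SAMPLE_CONF)
    for port in (22, 80, 445):
        print(f"default line, port {port}: reassemble {reassembly_for(entries[0], port)}")
    for host in ("192.168.1.7", "10.1.1.9", "172.16.0.5"):
        print(f"{host}: policy {policy_for(entries, host)}")
    for w in lint(entries) or ["no warnings"]:
        print(w)
```

Run it against your own snort.conf by replacing SAMPLE_CONF with the file's contents; a sensor built from several bind_to lines and no plain `policy` line will show up as the first lint warning.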
