Snort mailing list archives

Some Snort beginner questions


From: Jim Garrison <jhg () jhmg net>
Date: Fri, 31 Oct 2014 14:36:15 -0700

I have a Centos 6.5 web server configured with a very restrictive
iptables setup (8 incoming tcp ports open, 0 udp).  I'm a fairly
experienced Linux admin but haven't looked at Snort in at least 7 or 8
years (wow, has it changed since then!), since I use iptables to
present a tiny attack surface to the Internet.  However, installing
PHP/Wordpress has prompted me to add Snort to my toolkit.

I recently built and installed Snort from source and have been testing
it with the command line:

snort --enable-inline-test -c /etc/snort/snort.conf -b -A fast

I have three questions:

1) I am getting very few alerts, which I expected due to the small
   exposed surface, but find that the alerts that do get logged are on
   ports that are not open in iptables.  I therefore guess that Snort
   is seeing the packets either before or at the same time as
   (independent of) iptables.  Is this correct?

2) Is there a way to set things up so Snort sees only packets that are
   not blocked by iptables?  I don't want to replace iptables with
   Snort. I'd rather use iptables as a perimeter defense and Snort
   to scan traffic for application layer exploits.

3) A couple of alerts I am seeing occasionally are:

      10/31-19:49:40.592851  [**] [1:31136:1]
      MALWARE-CNC Win.Trojan.ZeroAccess inbound communication [**]
      [Classification: A Network Trojan was Detected]
      [Priority: 1] {UDP} 93.120.27.62:40000 -> ob.fus.cated.ip:16464

      10/31-19:49:40.592851  [**] [1:23493:5]
      MALWARE-CNC Win.Trojan.ZeroAccess outbound communication [**]
      [Classification: A Network Trojan was Detected]
      [Priority: 1] {UDP} 93.120.27.62:40000 -> ob.fus.cated.ip:16464

   The arrow points from the foreign IP to my IP in both cases, but
   one says "inbound" and one says "outbound", which seems to
   conflict.  When I examine the binary log file in Wireshark both
   packets are shown as incoming, supporting the arrow and indicating
   the "outbound" designation may be incorrect, or I don't understand
   how the word "outbound" is being used here.  Is this a bug?

-- 
Jim Garrison (jhg () acm org)
PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88
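
One way to get what question 2 asks for, as an added example that is not part of the original post or of Snort's own documentation: leave iptables as the perimeter filter, but instead of ACCEPTing the permitted ports, send those packets to an NFQUEUE target that a Snort running inline with the nfq DAQ module reads from. Packets to closed ports are dropped by iptables before Snort ever sees them, which is also the answer to question 1 for a pcap-based setup (there Snort sniffs the interface and sees everything, independent of the firewall). The port list, queue number and snort.conf path below are assumed placeholders (the poster's real ports are not in the mail); the script only prints the iptables-restore ruleset and the snort command line so both can be reviewed before being applied on the host.

```shell
#!/bin/sh
# Added example, not from the original post or from Snort's own tooling:
# generate an iptables-restore ruleset that hands only firewall-accepted
# traffic to Snort via NFQUEUE, plus the matching snort command line.
# Assumed placeholders: OPEN_TCP_PORTS (the poster's 8 real ports are not
# listed in the mail), NFQ_NUM, and the snort.conf path.

OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80 443}"
NFQ_NUM="${NFQ_NUM:-0}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Print the ruleset. iptables keeps its DROP policy; permitted ports jump to
# a SNORT chain instead of ACCEPT, and that chain queues to user space.
# Anything iptables rejects never reaches the queue, so Snort only sees
# traffic the perimeter already let through.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':SNORT - [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies on connections iptables already admitted are inspected too,
    # so Snort's stream reassembly sees the whole conversation.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j SNORT'
    for p in $OPEN_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j SNORT"
    done
    # The server's own half of each accepted connection, so both directions
    # pass through Snort.
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j SNORT'
    # Queued packets are dropped by the kernel if nothing is attached to the
    # queue (fail-closed): start snort before loading this ruleset.
    printf '%s\n' "-A SNORT -j NFQUEUE --queue-num $NFQ_NUM"
    printf '%s\n' 'COMMIT'
}

# Print the snort invocation that answers verdict requests from that queue.
# -Q puts Snort inline; the nfq DAQ module's "queue" variable selects the
# queue number. Rules with drop/reject actions then really drop; alert
# rules log and pass the packet back to iptables.
snort_cmd() {
    printf '%s\n' "snort -Q --daq nfq --daq-var queue=$NFQ_NUM -c $SNORT_CONF -A fast"
}

# Review first, then apply on the host as root:
#   sh this_script.sh snort   (run the printed command, so the queue has a consumer)
#   sh this_script.sh rules | iptables-restore
if [ "${1:-}" = "rules" ]; then
    gen_rules
elif [ "${1:-}" = "snort" ]; then
    snort_cmd
fi
```

With Snort attached to the queue it is genuinely inline, so the `--enable-inline-test` flag from the post (which only simulates drops) is no longer what you want; `-Q` with the nfq DAQ issues real verdicts, and a Snort that is not running leaves the queued ports closed rather than open.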

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net