[Snort-sigs] quick question about Snort + ACID on FreeBSD
delusi0n at ...799...
Mon Sep 1 22:10:03 EDT 2003
Hi, I just set up Snort on my network; I have it logging to a MySQL database, and I got ACID so that I can view the alerts easily. One problem I am having is that it logs traffic from my network, which I don't want. How can I turn this off? ACID has like 500+ alerts already from one of my Windows boxes saying this:
[snort] SCAN UPNP service discover attempt 2003-08-31 19:27:15 192.168.0.91:1040 192.168.0.1:1900 UDP
And they're all the same, from the same IP and the same type of sig.
Another thing is, I don't think it's been properly set up or something, because it's not logging much. It's been running for the past 4 days, I've been connected all the time, and it only logged the local traffic and some ICMP traffic. I got 0% TCP, 93% UDP, and 7% ICMP. There's only like 30 ICMP alerts, and they seem pretty harmless. I am expecting a lot more alerts to come in, since I'm always-on.
Here's a snippet from my snort.conf:
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET
[...] Everything else was untouched except this output string for SQL:
output database: log, mysql, user=root password=**** dbname=snort host=localhost
I also am running IPFW; this is a FreeBSD machine. Here's the rules I use:
$fwcmd add divert natd all from any to any via tun0
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via dc0
$fwcmd add allow tcp from any to any out xmit tun0 setup
$fwcmd add allow tcp from any to any via tun0 established
$fwcmd add reset log tcp from any to any 113 in recv tun0
$fwcmd add deny log ip tcp from any to any 80 setup
$fwcmd add deny log ip tcp from any to any 22 setup
$fwcmd add allow tcp from 192.168.0.0/24 to 192.168.0.1 80 setup
$fwcmd add allow tcp from 192.168.0.0/24 to 192.168.0.1 22 setup
$fwcmd add allow udp from any to 22.214.171.124 53 out xmit tun0
$fwcmd add allow udp from 126.96.36.199 53 to any in recv tun0
$fwcmd add 65435 allow icmp from any to any
$fwcmd add 65435 deny log ip from any to any
dc0 is my NIC, and tun0 is my external interface. These rules are set so that ports 22 and 80 are denied to the outside but are allowed to the inside; they allow local hosts to query the DNS and to receive replies, and they deny everything else and log it. When I check the ipfw logs, I get tons of denies for ports 135 and 137 etc., Blaster traffic. But ACID doesn't show anything like that. Even if my Snort doesn't have a rule set for the RPC exploit, it should still show some of the other kiddie traffic.
If you know what i am doing wrong let me know please! Thanks!
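As an added example (not part of the original post, and not Snort or ACID code), a small Python triage script that parses alert rows in the format ACID shows above, counts repeats per signature/source/destination, computes the per-protocol share the poster quotes, and flags flows that stay entirely inside HOME_NET, which are the candidates for a suppression or a narrower HOME_NET/EXTERNAL_NET definition. The sample rows and the external address 203.0.113.5 are constructed.

```python
"""Triage Snort alert rows as ACID displays them, e.g.
'[snort] SCAN UPNP service discover attempt 2003-08-31 19:27:15 192.168.0.91:1040 192.168.0.1:1900 UDP'
Groups alerts by signature/src/dst and flags flows that never leave HOME_NET."""
import ipaddress
import re
from collections import Counter

HOME_NET = ipaddress.ip_network("192.168.0.0/24")  # value from the poster's snort.conf

# signature text, timestamp, src[:port], dst[:port], proto (ICMP rows carry no port)
ROW = re.compile(
    r"^\[snort\] (?P<sig>.+?) (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? (?P<proto>\w+)$"
)

def parse_row(line):
    """Return the row's fields as a dict, or None if the line is not an alert row."""
    m = ROW.match(line.strip())
    return m.groupdict() if m else None

def is_internal(row):
    """True when both endpoints are inside HOME_NET (local-only noise)."""
    return (ipaddress.ip_address(row["src"]) in HOME_NET
            and ipaddress.ip_address(row["dst"]) in HOME_NET)

def triage(lines):
    rows = [r for r in map(parse_row, lines) if r]
    return {
        "total": len(rows),
        "by_flow": Counter((r["sig"], r["src"], r["dst"]) for r in rows),
        "by_proto": Counter(r["proto"] for r in rows),
        "internal": sum(1 for r in rows if is_internal(r)),
    }

def proto_share(by_proto):
    """Percentage of alerts per protocol, like the TCP/UDP/ICMP split ACID reports."""
    total = sum(by_proto.values())
    return {p: round(100 * n / total, 1) for p, n in by_proto.items()}

# constructed sample, shaped like the ACID row quoted in the post
SAMPLE = [
    "[snort] SCAN UPNP service discover attempt 2003-08-31 19:27:15 192.168.0.91:1040 192.168.0.1:1900 UDP",
    "[snort] SCAN UPNP service discover attempt 2003-08-31 19:27:45 192.168.0.91:1040 192.168.0.1:1900 UDP",
    "[snort] SCAN UPNP service discover attempt 2003-08-31 19:28:15 192.168.0.91:1040 192.168.0.1:1900 UDP",
    "[snort] ICMP PING 2003-08-31 20:01:02 203.0.113.5 192.168.0.1 ICMP",
]

if __name__ == "__main__":
    t = triage(SAMPLE)
    print(t["total"], "alerts,", t["internal"], "internal-only;", proto_share(t["by_proto"]))
    for (sig, src, dst), n in t["by_flow"].most_common(3):
        print(f"{n:4d}  {sig}  {src} -> {dst}")
```

Flows that the script marks internal-only and that repeat hundreds of times are the ones worth a Snort suppression entry rather than a rule edit.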