[Snort-users] Looking for dox on $EXTERNA, $INTERNAL, and $HOME_NET

Bruce Meyer pda at ...746...
Sat Nov 4 10:33:09 EST 2000


I am using the RPM version of snort on a RH6.2 machine. It is working fairly well. The machine has one NIC. I am not using NAT or a firewall where this machine is located.

I have 6 nets which are shown in the rules.base file below. I have no doubt that I have EXTERNAL and/or INTERNAL wrong, and need some serious help on how to configure it as described. Please don't tell me about the virtues of NAT and firewalls, and two NICs, one on a private IP space and one on the public IP space. You'll be preaching to the choir. (That's why I am scrambling to make snort work.)

Also, will running portsentry on the snort machine perhaps prevent snort from seeing certain attacks?
I do have two NICs in the machine, but that's for the future when I learn routing well enough to do NAT and firewalling through two NICs. I'm not quite there yet.

My portscan log file grew (since about 2:30 pm yesterday until 10 am today) to over 6.5 MB, and is full of nothing except this stuff:

Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1706 UDP
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1707 UDP 
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1708 UDP 
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1709 UDP 
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1711 UDP 
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1712 UDP 
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1713 UDP 
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1716 UDP 
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1717 UDP 
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1718 UDP 
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1720 UDP 
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1721 UDP 
Nov 3 22:00:20 207.203.142.5:53 -> 216.77.134.119:1723 UDP 
Nov 3 22:00:21 207.203.142.5:53 -> 216.77.134.119:1724 UDP 
Nov 3 22:00:21 207.203.142.5:53 -> 216.77.134.119:1725 UDP 

I noticed that when I restart snort, the portscan.log file is apparently deleted and recreated.

Below is my rules.base file.

I tried both ways of setting the DNS server variables (see below), DNSSERVERS, and DNS1, DNS2; both ways displayed, and this thing is running at 48% CPU nonstop.

My PORTSCAN.LOG file is chock full of DNS activity. (and nothing else)

# rules.base config begins 

# Taken and modified from "vision.conf", part of Max Vision's
# ArachNIDs work. See /usr/doc/snort-stuff/README.snort-stuff for more
# information on how to use this file.
# Comment by Bruce:
# Actually the file is not in THAT location AND is devoid of anything about
# EXTERNAL, INTERNAL, what they mean, or how to use them.

var INTERNAL 216.77.134.77/24
var EXTERNAL 208.60.126.128/25



# I tried Both methods, and they each seem to work

#var DNSSERVERS 207.203.142.5/32 207.203.142.13/32
var DNS1 207.203.142.5/32
var DNS2 207.203.142.13/32
preprocessor http_decode: 80 443 8080
preprocessor minfrag: 128
preprocessor portscan: $EXTERNAL 3 5 /var/log/snort/portscan.log
# preprocessor portscan-ignorehosts: $DNSSERVERS
preprocessor portscan-ignorehosts: $DNS1 $DNS2
# No matter how I set up DNS, it fills up my portscan.log files fast.
# (and only one DNS server seems to appear in it)



include /usr/local/etc/snort/vision.rules
include /usr/local/etc/snort/10102k.rules


# Now what, do I add the two rule files, or also the preprocessor stuff to each net?

# If you wish to monitor multiple INTERNAL networks, you can include
# another variable that defines the additional network, then include
# the snort ruleset again. Uncomment the two following lines.

var INTERNAL 207.203.142.0/24
include /usr/local/etc/snort/vision.rules
include /usr/local/etc/snort/10102k.rules

var INTERNAL 209.149.176.0/24
include /usr/local/etc/snort/vision.rules
include /usr/local/etc/snort/10102k.rules

var INTERNAL 208.60.126.128/25
include /usr/local/etc/snort/vision.rules
include /usr/local/etc/snort/10102k.rules

var INTERNAL 205.152.63.65/29
include /usr/local/etc/snort/vision.rules
include /usr/local/etc/snort/10102k.rules

var INTERNAL 209.215.119.128/27
include /usr/local/etc/snort/vision.rules
include /usr/local/etc/snort/10102k.rules

# include other rules here if you wish.

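An added example, not part of Bruce's post or of Snort itself: a small Python script that parses portscan.log lines in the format quoted above, groups them by source host, and flags a host whose entries are all UDP from port 53 to high ports as DNS-reply traffic (the kind of host that belongs in portscan-ignorehosts) rather than a scan. The sample log is constructed; the 192.0.2.10 SYN lines are made up to show the contrast, and the regex simply takes whatever follows the ports as the protocol/flag field.

```python
import re
from collections import defaultdict

# Constructed sample (not real traffic) in the format of the portscan.log lines quoted above.
# The last three lines are a made-up TCP probe so the two cases can be told apart.
SAMPLE_LOG = """\
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1706 UDP
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1707 UDP
Nov 3 22:00:16 207.203.142.5:53 -> 216.77.134.119:1708 UDP
Nov 3 22:00:20 207.203.142.5:53 -> 216.77.134.119:1723 UDP
Nov 3 22:05:01 192.0.2.10:40321 -> 216.77.134.119:21 SYN
Nov 3 22:05:01 192.0.2.10:40322 -> 216.77.134.119:22 SYN
Nov 3 22:05:02 192.0.2.10:40323 -> 216.77.134.119:23 SYN
"""

# "Mon dd hh:mm:ss src:sport -> dst:dport proto" ; the trailing field is kept as-is
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (\S+):(\d+) -> (\S+):(\d+) (\S+)")

def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, proto) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, proto = m.groups()
    return src, int(sport), dst, int(dport), proto

def summarize(log_text):
    """Group entries by source host: line count, source ports, destination ports, protocols."""
    per_src = defaultdict(lambda: {"count": 0, "src_ports": set(), "dst_ports": set(), "protos": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, _dst, dport, proto = parsed
        entry = per_src[src]
        entry["count"] += 1
        entry["src_ports"].add(sport)
        entry["dst_ports"].add(dport)
        entry["protos"].add(proto)
    return per_src

def classify(entry):
    """A host that only ever sends UDP from port 53 to ephemeral (>=1024) ports looks like
    a DNS server answering our resolver's queries, not a scanner; anything else stays suspect."""
    if entry["protos"] == {"UDP"} and entry["src_ports"] == {53} and min(entry["dst_ports"]) >= 1024:
        return "dns-reply-like"
    return "possible scan"

def ignore_candidates(log_text):
    """Hosts worth listing in portscan-ignorehosts, as sorted /32 entries."""
    return sorted(f"{src}/32" for src, e in summarize(log_text).items() if classify(e) == "dns-reply-like")

if __name__ == "__main__":
    for src, e in summarize(SAMPLE_LOG).items():
        print(f"{src}: {e['count']} lines, {classify(e)}")
    print("ignore:", ignore_candidates(SAMPLE_LOG))
```

Run it over the real /var/log/snort/portscan.log instead of SAMPLE_LOG to see which hosts dominate the file and whether they all look like DNS replies.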