[Snort-users] Snort not logging on FreeBSD

Martin Roesch roesch at ...421...
Mon Mar 26 20:35:35 EST 2001


I think you've misunderstood the purpose of the $INTERNAL and $EXTERNAL
variables.  You should set the $INTERNAL var to the address of the
network that you're defending and the $EXTERNAL address to the inverse
of that value (if you're not concerned about the insider threat).  It
looks to me like you're running Snort on your gateway host (for a cable
modem or DSL line) that's providing NAT/forwarding for an internal
network?  If this is the case, you want to set the INTERNAL var to your
*external* (internet facing) interface address, not the address of your
internal machines.  Your external interface is the one that's going to
see the attacks.  

This is all hypothetical, but if it's really what you're trying to
accomplish let us know and tell us if it worked for you...

    -Marty

Stuart Larson wrote:
> 
> Maybe I live in a quiet corner of the net, but it doesn't seem like Snort is
> logging anything.  I'm on a FreeBSD system and I'm using version snort-1.7
> from ports.  I downloaded the vision.conf ruleset and made only minor
> changes to it (I changed INTERNAL to "var INTERNAL 10.0.0.0/24" and EXTERNAL
> to "var EXTERNAL !10.0.0.0/24" -- I have two interfaces.  dc0 is external
> and is given an IP address by DHCP.  dc1 is internal and has a 10.0.0.0/24
> address space (it's 10.0.0.1).  I call snort with:
> 
>     /usr/local/bin/snort -Dde -A full -c /usr/local/share/snort/vision.conf
> 
> The ONLY time I've seen snort log ANYTHING was when I did a nessus scan of
> another computer on our school network.  That was the one time I've seen
> logging.  I've done other nessus scans of other computers on the network,
> and have not seen any logging from those scans.
> 
> For other information:
> 
> berton:[/usr/local/share/snort]$ uname -a
> FreeBSD berton.dyndns.org 4.3-BETA FreeBSD 4.3-BETA #3: Mon Mar 19 00:34:00
> CST 2001     root at ...1670...:/usr/obj/usr/src/sys/PUDU  i386
> 
> dmesg output:
> 
> Copyright (c) 1992-2001 The FreeBSD Project.
> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
>         The Regents of the University of California. All rights reserved.
> FreeBSD 4.3-BETA #3: Mon Mar 19 00:34:00 CST 2001
>     root at ...1670...:/usr/obj/usr/src/sys/PUDU
> Timecounter "i8254"  frequency 1193182 Hz
> CPU: Pentium/P54C (132.96-MHz 586-class CPU)
>   Origin = "GenuineIntel"  Id = 0x52b  Stepping = 11
>   Features=0x1bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8>
> real memory  = 50331648 (49152K bytes)
> avail memory = 46469120 (45380K bytes)
> Preloaded elf kernel "kernel" at 0xc028f000.
> Intel Pentium detected, installing workaround for F00F bug
> npx0: <math processor> on motherboard
> npx0: INT 16 interface
> pcib0: <Host to PCI bridge> on motherboard
> pci0: <PCI bus> on pcib0
> isab0: <Intel 82371FB PCI to ISA bridge> at device 7.0 on pci0
> isa0: <ISA bus> on isab0
> atapci0: <Intel PIIX ATA controller> port 0xffa0-0xffaf at device 7.1 on
> pci0
> ata0: at 0x1f0 irq 14 on atapci0
> ata1: at 0x170 irq 15 on atapci0
> dc0: <LC82C115 PNIC II 10/100BaseTX> port 0xf800-0xf8ff mem
> 0xfffbf800-0xfffbf8ff irq 9 at device 13.0 on pci0
> dc0: Ethernet address: 00:a0:cc:e7:7b:a4
> miibus0: <MII bus> on dc0
> dcphy0: <Intel 21143 NWAY media interface> on miibus0
> dcphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> dc1: <ADMtek AN985 10/100BaseTX> port 0xfc00-0xfcff mem
> 0xfffbfc00-0xfffbffff irq 10 at device 14.0 on pci0
> dc1: Ethernet address: 00:20:78:1c:27:2a
> miibus1: <MII bus> on dc1
> ukphy0: <Generic IEEE 802.3u media interface> on miibus1
> ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> pci0: <Matrox MGA Millennium 2064W graphics accelerator> at 15.0 irq 11
> fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
> fdc0: FIFO enabled, 8 bytes threshold
> fd0: <1440-KB 3.5" drive> on fdc0 drive 0
> atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
> atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
> kbd0 at atkbd0
> vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
> sc0: <System console> at flags 0x100 on isa0
> sc0: VGA <16 virtual consoles, flags=0x300>
> sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
> sio0: type 16550A
> sio1: configured irq 3 not in bitmap of probed irqs 0
> IP packet filtering initialized, divert enabled, rule-based forwarding
> enabled, default to deny, logging limited to 100 packets/entry by default
> IP Filter: v3.4.16 initialized.  Default = pass all, Logging = enabled
> ad0: 12949MB <Maxtor 51369U3> [26310/16/63] at ata0-master WDMA2
> acd0: CDROM <CREATIVE CD5233E> at ata1-master using WDMA2
> Mounting root from ufs:/dev/ad0s1a
> dc1: failed to force tx and rx to idle state
> dc0: promiscuous mode enabled
> 
> Hopefully someone will be able to help me on this one.  Thanks for any help!
> 
> Stuart Larson
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
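An added illustration of Marty's point, written for this archive page and not taken from Snort or from either poster: it models only the address part of a Snort 1.x rule header and checks whether a `$EXTERNAL -> $INTERNAL` rule would see a constructed inbound packet under Stuart's original variables versus the gateway-address placement Marty describes. The public address 203.0.113.7 and the probing host 198.51.100.9 are placeholders, not values from the thread.

```python
import ipaddress

# Constructed placeholders: dc0's DHCP-assigned public address and a LAN
# host behind dc1. Neither value comes from the thread.
PUBLIC_IF = "203.0.113.7"

def parse_vars(conf):
    """Collect 'var NAME VALUE' lines (Snort 1.x syntax) into a dict."""
    out = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var":
            out[parts[1]] = parts[2]
    return out

def addr_matches(spec, ip, vars_):
    """Evaluate one address token: any, CIDR, !CIDR, or $VAR."""
    if spec.startswith("$"):
        spec = vars_[spec[1:]]
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(ip) in net
    return not hit if negate else hit

def rule_matches(rule, vars_, pkt):
    """Check the src/dst address fields of 'alert tcp SRC SP -> DST DP ...'."""
    _action, _proto, src, _sp, _arrow, dst, _dp = rule.split()[:7]
    return addr_matches(src, pkt["src"], vars_) and addr_matches(dst, pkt["dst"], vars_)

RULE = 'alert tcp $EXTERNAL any -> $INTERNAL any (msg:"probe";)'
# Stuart's settings: INTERNAL is the LAN behind the NAT box.
ORIGINAL = "var INTERNAL 10.0.0.0/24\nvar EXTERNAL !10.0.0.0/24"
# Marty's suggestion: INTERNAL is the Internet-facing interface itself,
# EXTERNAL its inverse.
CORRECTED = f"var INTERNAL {PUBLIC_IF}/32\nvar EXTERNAL !{PUBLIC_IF}/32"

# Constructed packet: an outside host probing the gateway's public side,
# which is all dc0 ever sees; no 10.0.0.x address appears in it.
INBOUND = {"src": "198.51.100.9", "dst": PUBLIC_IF}

def coverage(conf):
    """True if RULE would fire on INBOUND under the given variable block."""
    return rule_matches(RULE, parse_vars(conf), INBOUND)

if __name__ == "__main__":
    print("original config fires:", coverage(ORIGINAL))    # False
    print("corrected config fires:", coverage(CORRECTED))  # True
```

Because dc0's address is assigned by DHCP, the corrected INTERNAL value has to be refreshed (and Snort restarted) whenever the lease hands out a different address.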