[Snort-users] Snort not logging on FreeBSD

Stuart Larson bouche at ...375...
Mon Mar 26 23:59:30 EST 2001


Yes, that was my problem.  I'm not sure if the documentation is at fault, it
was more of a clarification made by you and a few others about what exactly
Snort was doing and what it needed to be looking at to work its best.  I've
since gotten it up and running and catching the port scans by the
bushel-load.  Thanks a lot all!

Stuart

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Martin
> Roesch
> Sent: Monday, March 26, 2001 7:36 PM
> To: Stuart Larson
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort not logging on FreeBSD
>
>
> I think you've misunderstood the purpose of the $INTERNAL and $EXTERNAL
> variables.  You should set the $INTERNAL var to the address of the
> network that you're defending and the $EXTERNAL address to the inverse
> of that value (if you're not concerned about the insider threat).  It
> looks to me like you're running Snort on your gateway host (for a cable
> modem or DSL line) that's providing NAT/forwarding for an internal
> network?  If this is the case, you want to set the INTERNAL var to your
> *external* (internet facing) interface address, not the address of your
> internal machines.  Your external interface is the one that's going to
> see the attacks.
>
> This is all hypothetical, but if it's really what you're trying to
> accomplish let us know and tell us if it worked for you...
>
>     -Marty
>
> Stuart Larson wrote:
> >
> > Maybe I live in a quiet corner of the net, but it doesn't seem like Snort is
> > logging anything.  I'm on a FreeBSD system and I'm using version snort-1.7
> > from ports.  I downloaded the vision.conf ruleset and made only minor
> > changes to it (I changed INTERNAL to "var INTERNAL 10.0.0.0/24" and EXTERNAL
> > to "var EXTERNAL !10.0.0.0/24" -- I have two interfaces.  dc0 is external
> > and is given an IP address by DHCP.  dc1 is internal and has a 10.0.0.0/24
> > address space (it's 10.0.0.1).  I call snort with:
> >
> >     /usr/local/bin/snort -Dde -A full -c /usr/local/share/snort/vision.conf
> >
> > The ONLY time I've seen snort log ANYTHING was when I did a nessus scan of
> > another computer on our school network.  That was the one time I've seen
> > logging.  I've done other nessus scans of other computers on the network,
> > and have not seen any logging from those scans.
> >
> > For other information:
> >
> > berton:[/usr/local/share/snort]$ uname -a
> > FreeBSD berton.dyndns.org 4.3-BETA FreeBSD 4.3-BETA #3: Mon Mar 19 00:34:00
> > CST 2001     root at ...1670...:/usr/obj/usr/src/sys/PUDU  i386
> >
> > dmesg output:
> >
> > Copyright (c) 1992-2001 The FreeBSD Project.
> > Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
> >         The Regents of the University of California. All rights reserved.
> > FreeBSD 4.3-BETA #3: Mon Mar 19 00:34:00 CST 2001
> >     root at ...1670...:/usr/obj/usr/src/sys/PUDU
> > Timecounter "i8254"  frequency 1193182 Hz
> > CPU: Pentium/P54C (132.96-MHz 586-class CPU)
> >   Origin = "GenuineIntel"  Id = 0x52b  Stepping = 11
> >   Features=0x1bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8>
> > real memory  = 50331648 (49152K bytes)
> > avail memory = 46469120 (45380K bytes)
> > Preloaded elf kernel "kernel" at 0xc028f000.
> > Intel Pentium detected, installing workaround for F00F bug
> > npx0: <math processor> on motherboard
> > npx0: INT 16 interface
> > pcib0: <Host to PCI bridge> on motherboard
> > pci0: <PCI bus> on pcib0
> > isab0: <Intel 82371FB PCI to ISA bridge> at device 7.0 on pci0
> > isa0: <ISA bus> on isab0
> > atapci0: <Intel PIIX ATA controller> port 0xffa0-0xffaf at device 7.1 on
> > pci0
> > ata0: at 0x1f0 irq 14 on atapci0
> > ata1: at 0x170 irq 15 on atapci0
> > dc0: <LC82C115 PNIC II 10/100BaseTX> port 0xf800-0xf8ff mem
> > 0xfffbf800-0xfffbf8ff irq 9 at device 13.0 on pci0
> > dc0: Ethernet address: 00:a0:cc:e7:7b:a4
> > miibus0: <MII bus> on dc0
> > dcphy0: <Intel 21143 NWAY media interface> on miibus0
> > dcphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> > dc1: <ADMtek AN985 10/100BaseTX> port 0xfc00-0xfcff mem
> > 0xfffbfc00-0xfffbffff irq 10 at device 14.0 on pci0
> > dc1: Ethernet address: 00:20:78:1c:27:2a
> > miibus1: <MII bus> on dc1
> > ukphy0: <Generic IEEE 802.3u media interface> on miibus1
> > ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> > pci0: <Matrox MGA Millennium 2064W graphics accelerator> at 15.0 irq 11
> > fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
> > fdc0: FIFO enabled, 8 bytes threshold
> > fd0: <1440-KB 3.5" drive> on fdc0 drive 0
> > atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
> > atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
> > kbd0 at atkbd0
> > vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
> > sc0: <System console> at flags 0x100 on isa0
> > sc0: VGA <16 virtual consoles, flags=0x300>
> > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
> > sio0: type 16550A
> > sio1: configured irq 3 not in bitmap of probed irqs 0
> > IP packet filtering initialized, divert enabled, rule-based forwarding
> > enabled, default to deny, logging limited to 100 packets/entry by default
> > IP Filter: v3.4.16 initialized.  Default = pass all, Logging = enabled
> > ad0: 12949MB <Maxtor 51369U3> [26310/16/63] at ata0-master WDMA2
> > acd0: CDROM <CREATIVE CD5233E> at ata1-master using WDMA2
> > Mounting root from ufs:/dev/ad0s1a
> > dc1: failed to force tx and rx to idle state
> > dc0: promiscuous mode enabled
> >
> > Hopefully someone will be able to help me on this one.  Thanks for any help!
> >
> > Stuart Larson
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
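The following is an added illustration, not code from the thread or from the Snort project, of why Marty's point about $INTERNAL and $EXTERNAL matters on a NAT gateway. It models how a rule header of the form `$EXTERNAL any -> $INTERNAL any` is matched against a packet's source and destination, and compares Stuart's original variable settings with the corrected ones. The public interface address and the remote scanner address are constructed placeholders (TEST-NET ranges), and the rule-matching logic is a simplified stand-in for Snort's own detection engine.

```python
import ipaddress

# Constructed placeholder addresses (not from the thread): the DHCP-assigned
# public address on dc0 and an outside host probing it.
PUBLIC_IFACE_ADDR = "203.0.113.5"
REMOTE_SCANNER = "198.51.100.77"


def parse_var(value):
    """Parse a Snort 1.x 'var' value such as '10.0.0.0/24' or '!10.0.0.0/24'
    into (network, negated)."""
    negated = value.startswith("!")
    net = ipaddress.ip_network(value.lstrip("!"), strict=False)
    return net, negated


def var_matches(value, addr):
    """True if the address satisfies the variable, honouring a leading '!'."""
    net, negated = parse_var(value)
    hit = ipaddress.ip_address(addr) in net
    return (not hit) if negated else hit


def rule_fires(internal, external, src, dst):
    """Simplified header match for a rule written '$EXTERNAL any -> $INTERNAL any'
    against a packet travelling src -> dst (ports ignored)."""
    return var_matches(external, src) and var_matches(internal, dst)


# Stuart's settings: INTERNAL is the NAT'd inside network. The sensor runs on the
# gateway and sees inbound probes addressed to the *public* IP on dc0, which is
# not inside 10.0.0.0/24, so the destination side of the rule never matches.
MISCONFIGURED = {"INTERNAL": "10.0.0.0/24", "EXTERNAL": "!10.0.0.0/24"}

# Marty's fix: INTERNAL is the internet-facing interface address itself, and
# EXTERNAL is its inverse.
CORRECTED = {
    "INTERNAL": PUBLIC_IFACE_ADDR + "/32",
    "EXTERNAL": "!" + PUBLIC_IFACE_ADDR + "/32",
}


def inbound_probe_detected(cfg):
    """Would a probe from the remote scanner to the public address trip the rule?"""
    return rule_fires(cfg["INTERNAL"], cfg["EXTERNAL"],
                      REMOTE_SCANNER, PUBLIC_IFACE_ADDR)


if __name__ == "__main__":
    print("misconfigured:", inbound_probe_detected(MISCONFIGURED))  # False
    print("corrected:", inbound_probe_detected(CORRECTED))          # True
```

Because dc0 gets its address by DHCP, a hard-coded INTERNAL value will go stale whenever the lease changes; after any address change, re-check the variable against the current interface address before trusting the absence of alerts.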
