[Snort-users] Snort Newbie

Neal Timm ntimm at ...1964...
Sun Sep 16 01:51:01 EDT 2001


Your external variable should basically be any, which means any traffic coming
in.  The internal should be whatever IP interface Snort is listening on.
The log makes sense; you just have to have a good understanding of TCP/IP
headers.  Check out http://www.invaultech.com/papers/basic-hex.html.  This
alarm is from IP 66.31.138.68 port 1198 going to 66.31.82.9:80.  The TTL is
124, which basically is a Windows box about 4 hops away.  The ACK flag is set.
You can look at your rules and see how this alarm was triggered.  In short,
this is a Code Red alarm.
  -----Original Message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jason Withrow
  Sent: Sunday, September 16, 2001 02:00 AM
  To: snort-users at lists.sourceforge.net
  Subject: PS: [Snort-users] Snort Newbie


  Ok, I think that is the problem: I need to define the IPs as External and
Internal.

  I am guessing (don't laugh, I am pretty new at this) that the $EXTERNAL
var should be my global internet NIC IP and $INTERNAL should be my intranet
192.168.x.x NIC?

  Also, how does one make any sense out of the packets? This looks pretty
Greek to me.

  [**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
  09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x5EA
  66.31.138.68:1198 -> 66.31.82.9:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF
  ***A**** Seq: 0xF79A6595  Ack: 0xF0C2A391  Win: 0x4470  TcpLen: 20
  =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

  - J

  -----Original Message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jason Withrow
  Sent: Sunday, September 16, 2001 2:52 AM
  To: snort-users at lists.sourceforge.net
  Subject: [Snort-users] Snort Newbie

  Hi, I just installed the 1.8 win32 build of Snort on a win2k Server.

  I am having a difficult time getting the rule sets to work.

  I think that I don't have the rules set up properly.

  Do I need to define $INTERNAL and $EXTERNAL as IP/ports somewhere?

  This is just for my home box.

  Here is the sample rule I am trying to get to work.

  alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS552/web-iis_IIS ISAPI Overflow ida"; dsize: >239; flags: A+; uricontent: ".ida?"; classtype: system-or-info-attempt; reference: arachnids,552;)

  Thanks for any help, it is greatly appreciated.

  - Jwatch
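
As an added example (not from either poster and not part of Snort), a small Python parser for the alert block quoted above that pulls out the fields Neal walks through (source, destination, TTL, flags) and checks the header-level conditions of the IDS552 rule Jason posted. The table of default initial TTLs used for the hop-count estimate is an assumption based on common OS defaults.

```python
import re

# Sample input: the alert block quoted in the mail, reproduced here as test data.
SAMPLE_ALERT = """[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x5EA
66.31.138.68:1198 -> 66.31.82.9:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF79A6595  Ack: 0xF0C2A391  Win: 0x4470  TcpLen: 20
"""

IP_LINE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) "
    r"TTL:(?P<ttl>\d+) .*?IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)", re.M)
TCP_LINE = re.compile(r"^(?P<flags>[12UAPRSF*]{8}) .*?TcpLen: (?P<tcplen>\d+)", re.M)

# Snort prints the TCP flag byte as eight fixed columns: reserved bits 1 and 2, then
# URG, ACK, PSH, RST, SYN, FIN; a '*' means that bit is clear.
FLAG_COLUMNS = "12UAPRSF"
# Assumed table of common default initial TTLs; the smallest one at or above the
# observed TTL gives the hop-count estimate Neal used (128 - 124 = 4 hops, Windows-like).
INITIAL_TTLS = (64, 128, 255)

def parse_alert(text):
    """Extract the fields from one alert in Snort's full-alert text format."""
    msg = re.search(r"\[\*\*\] (.+?) \[\*\*\]", text).group(1)
    ip = IP_LINE.search(text).groupdict()
    tcp = TCP_LINE.search(text).groupdict()
    ttl = int(ip["ttl"])
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    flags = {FLAG_COLUMNS[i] for i, c in enumerate(tcp["flags"]) if c != "*"}
    # TCP payload length = IP datagram length - IP header - TCP header (Snort's dsize)
    payload = int(ip["dgmlen"]) - int(ip["iplen"]) - int(tcp["tcplen"])
    return {"msg": msg, "src": ip["src"], "sport": int(ip["sport"]),
            "dst": ip["dst"], "dport": int(ip["dport"]), "ttl": ttl,
            "initial_ttl_guess": initial, "hops": initial - ttl,
            "flags": flags, "payload_bytes": payload}

def header_matches_ids552(alert):
    """Header-level conditions of the IDS552 rule: destination port 80, ACK set
    (flags: A+) and dsize > 239. The uricontent ".ida?" test needs the payload,
    which the alert header does not show, so this only explains the header part."""
    return alert["dport"] == 80 and "A" in alert["flags"] and alert["payload_bytes"] > 239

if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(f'{a["src"]}:{a["sport"]} -> {a["dst"]}:{a["dport"]}  TTL {a["ttl"]} '
          f'(initial ~{a["initial_ttl_guess"]}, ~{a["hops"]} hops)  flags {sorted(a["flags"])}  '
          f'payload {a["payload_bytes"]} bytes  header matches IDS552: {header_matches_ids552(a)}')
```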
