[Snort-users] Configuration issue, Part II
dave at ...3559...
Sun Sep 23 20:13:02 EDT 2001
First off, thanks to everyone who's lent a hand -- I do appreciate it.
Let me know where to send the coffee and/or beer...
Now, to save bandwidth, I compiled my answers to everyone's questions
into this one email. :) Thus, those not interested only need ignore one
First off, to answer Erik Adams (erek at ...577...):
Tell me where to send your beer... Snort is located on my Linux
router, so it's on a machine with 6 network interfaces. Two are
connected to the Internet, and four are to the internal networks. I use
ipchains to block various unfriendly traffic, and control who can see
who, but all traffic passes across this machine. All the interfaces
have been put into PROMISC mode (as I believed snort needed this).
Its placement on this machine would make me think it can see everything
that goes in and out of the network.
It CAN see some traffic -- it does happily report on things it
sees internally, such as samba communications and nameserver
communications within the network. Additionally, it does seem to report
occasional things from the outside.
I performed this test, per your instructions:
snort -dv host <webserver_IP>
Snort displayed a great deal about communications going on
within the network. However, only things within the network for the
time I watched.
I then went to route-server.cerf.net and pinged the same
webserver -- it did NOT report anything.
Next, John Sage (jsage at ...2022...):
I had the same thought you did, but was expecting rules located
in web-iis.rules that contain the .ida access attempt to throw something
every time a default.ida was requested. They haven't, so I'm assuming
there's something else wrong.
Now, John Berkers (berjo at ...827...):
Where do you want your coffee? As for output plugins, you're
right -- I didn't configure any. However, even in this state, snort
does log alerts to /var/log/snort/alert and /var/log/snort/portscan.log.
I assumed this was the default configuration, and this works for my
needs right now. I thought I'd get it working before adding on a MySQL
backend and such.
Is this not a true assumption? If so, cool... if not, then why
is it logging to these two files even without me saying so?
Finally, Brian (bmc at ...950...):
Thanks for the catch on the portscan config. I've now set
DNS_SERVERS to only be a remote DNS server I work with.
Thanks again for the help and insight everyone -- I do appreciate it.
Stripped down snort.conf for your reading amusement, and remind you of
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [220.127.116.11/32]
preprocessor stream4: detect_scans
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
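To see how the address variables in the config above resolve (EXTERNAL_NET being the negation of HOME_NET, and the DNS_SERVERS list feeding portscan-ignorehosts), here is an added Python example that is not from the post or from Snort itself. It assumes a placeholder HOME_NET value, since the stripped-down config omits it, and re-implements only the simple `$VAR`, `!` and `[a,b]` forms rather than Snort's full parser.

```python
import ipaddress

# Constructed variables mirroring the stripped-down snort.conf in the post.
# HOME_NET is not shown there, so its value here is an assumed placeholder.
SNORT_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8]",
    "EXTERNAL_NET": "!$HOME_NET",
    "DNS_SERVERS": "[220.127.116.11/32]",
}


def resolve(expr, variables):
    """Return (negated, [networks]) for a Snort 1.x style address expression.

    Handles '$VAR' references (recursively), a leading '!' negation, and
    bracketed comma-separated lists of CIDR blocks or single hosts.  This is
    a simplified re-implementation for illustration, not Snort's own parser.
    """
    expr = expr.strip()
    negated = False
    if expr.startswith("!"):
        negated = True
        expr = expr[1:]
    if expr.startswith("$"):
        inner_neg, nets = resolve(variables[expr[1:]], variables)
        # Two negations cancel; one flips the sense of the referenced list.
        return (negated != inner_neg), nets
    expr = expr.strip("[]")
    nets = [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in expr.split(",") if tok.strip()]
    return negated, nets


def matches(expr, ip, variables=SNORT_VARS):
    """True if `ip` is covered by `expr` once variables and '!' are applied."""
    negated, nets = resolve(expr, variables)
    addr = ipaddress.ip_address(ip)
    hit = any(addr in net for net in nets)
    return hit != negated


def classify(ip, variables=SNORT_VARS):
    """Report which of the post's variables an address falls under."""
    return {name: matches("$" + name, ip, variables) for name in variables}


if __name__ == "__main__":
    # Constructed sample addresses: an internal host, the DNS server, an outsider.
    for host in ("192.168.1.10", "220.127.116.11", "198.51.100.7"):
        print(host, classify(host))
```

A source that comes out as DNS_SERVERS True is exactly the one portscan-ignorehosts will skip, which is why the earlier DNS_SERVERS setting of $HOME_NET suppressed portscan alerts for the whole internal network.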