[Snort-users] Configuration issue, Part II

DJDave Sobel dave at ...3559...
Sun Sep 23 20:13:02 EDT 2001


First off, thanks to everyone who's lent a hand -- I do appreciate it.
Let me know where to send the coffee and/or beer...

Now, to save bandwidth, I compiled my answers to everyone's questions
into this one email. :) Thus, those not interested only need ignore one
message.

First off, to answer Erik Adams (erek at ...577...):
	Tell me where to send your beer... Snort is located on my Linux
router, so it's on a machine with 6 network interfaces.  Two are
connected to the Internet, and four are to the internal networks.  I use
ipchains to block various unfriendly traffic, and control who can see
who, but all traffic passes across this machine.  All the interfaces
have been put into PROMISC mode (as I believed snort needed this).
Its placement on this machine would make me think it can see everything
that goes in and out of the network.
	It CAN see some traffic -- it does happily report on things it
sees internally, such as samba communications and nameserver
communications within the network.  Additionally, it does seem to report
occasional things from the outside.  
	I performed this test, per your instructions:
		snort -dv host <webserver_IP>
	Snort displayed a great deal about communications going on
within the network.   However, only things within the network for the
time I watched.
	I then went to route-server.cerf.net and pinged the same
webserver -- it did NOT report anything.

Next, John Sage (jsage at ...2022...):
	I had the same thought you did, but was expecting rules located
in web-iis.rules that contain the .ida access attempt to throw something
every time a default.ida was requested.  They haven't, so I'm assuming
there's something else wrong.

Now, John Berkers (berjo at ...827...):
	Where do you want your coffee?  As for output plugins, you're
right -- I didn't configure any.  However, even in this state, snort
does log alerts to /var/log/snort/alert and /var/log/snort/portscan.log.
I assumed this was the default configuration, and this works for my
needs right now.  I thought I'd get it working before adding on a mySQL
backend and such.
	Is this not a true assumption?  If so, cool... if not, then why
is it logging to these two files even without me saying so?

Finally, Brian (bmc at ...950...):  
	Thanks for the catch on the portscan config.  I've now set
DNS_SERVERS to only be a remote DNS server I work with.

Thanks again for the help and insight everyone -- I do appreciate it.

Dave

Stripped down snort.conf for your reading amusement, and to remind you of
the problem:

var HOME_NET [209.190.196.160/28,209.190.206.65/32,209.190.206.66/32,209.190.206.64/32,10.1.0.0/24,10.2.0.0/24]
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [207.196.42.2/32]
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
include classification.config
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include misc.rules
include local.rules
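A small checker for the `var` lines in the snort.conf above, added here as an example (it is not code from the original post or from Snort). It parses `var NAME VALUE` lines, expands `$VAR` references, the leading `!` negation used by EXTERNAL_NET, and `[a,b,c]` lists, and then reports which side of HOME_NET the two endpoints of a flow fall on. The internal samba and nameserver chatter the poster does see is HOME->HOME; a probe from a public route server to one of the listed web servers is EXTERNAL->HOME, which is exactly the direction the `$EXTERNAL_NET any -> $HTTP_SERVERS 80` style rules expect. If such a flow still produces no alert, the variables are not what is filtering it out, which points back at packet capture rather than at the rule set. The addresses 192.0.2.10, 209.190.196.162, 10.1.0.5 and 10.2.0.7 are constructed sample endpoints (the first from the documentation range, the others picked from inside the posted HOME_NET list); the real webserver address is not in the post.

```python
import ipaddress
import re

# Constructed sample: the 'var' lines from the posted snort.conf, with the
# wrapped HOME_NET list joined back onto a single line.
SAMPLE_CONF = """\
var HOME_NET [209.190.196.160/28,209.190.206.65/32,209.190.206.66/32,209.190.206.64/32,10.1.0.0/24,10.2.0.0/24]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS [207.196.42.2/32]
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")


def parse_vars(conf_text):
    """Return {name: raw_value} for every 'var' line in a snort.conf fragment."""
    variables = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def resolve(value, variables, _depth=0):
    """Expand an address spec into (negated, [ip_network, ...]).

    Understands a leading '!' negation, a '$NAME' reference (resolved
    recursively, with negations composed by XOR), the keyword 'any', and a
    bracketed comma-separated list of CIDR blocks.
    """
    if _depth > 10:
        raise ValueError("variable reference too deep or cyclic: %r" % value)
    negated = False
    if value.startswith("!"):
        negated = True
        value = value[1:]
    if value.startswith("$"):
        inner_negated, nets = resolve(variables[value[1:]], variables, _depth + 1)
        return negated ^ inner_negated, nets
    if value == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    items = value.strip("[]").split(",")
    return negated, [ipaddress.ip_network(i, strict=False) for i in items if i]


def matches(ip, spec):
    """True if ip is covered by spec, honouring the negation flag."""
    negated, nets = spec
    addr = ipaddress.ip_address(ip)
    hit = any(addr in net for net in nets)
    return hit != negated


def side(ip, variables):
    """Classify one endpoint as HOME, EXTERNAL, or NEITHER."""
    if matches(ip, resolve("$HOME_NET", variables)):
        return "HOME"
    if matches(ip, resolve("$EXTERNAL_NET", variables)):
        return "EXTERNAL"
    return "NEITHER"


def classify(src, dst, variables):
    """Label a flow by which side of HOME_NET each endpoint is on."""
    return "%s->%s" % (side(src, variables), side(dst, variables))


if __name__ == "__main__":
    v = parse_vars(SAMPLE_CONF)
    # Internal samba/DNS chatter of the kind the poster says snort reports.
    print("internal chatter:", classify("10.1.0.5", "10.2.0.7", v))
    # A ping from a public route server (constructed address) to a host in
    # the posted HOME_NET range: the direction the web rules are written for.
    print("outside probe:   ", classify("192.0.2.10", "209.190.196.162", v))
```

One caveat worth keeping in mind alongside the output: Snort of that era captures on a single interface, the one named with `-i` or otherwise the first non-loopback one it finds, so on a six-interface router a flow that classifies as EXTERNAL->HOME is only ever seen if the capture interface is one the flow actually crosses.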
