[Snort-users] Configuration issue, Part II

Erek Adams erek at ...577...
Sun Sep 23 23:25:01 EDT 2001

On Sun, 23 Sep 2001, DJDave Sobel wrote:

> First off, thanks to everyone who's lent a hand -- I do appreciate it.
> Let me know where to send the coffee and/or beer...
> Now, to save bandwidth, I compiled my answers to everyone's questions
> into this one email. :) Thus, those not interested only need ignore one
> message.
> First off, to answer Erik Adams (erek at ...577...):
> 	Tell me where to send your beer... Snort is located on my Linux
> router, so it's on a machine with 6 network interfaces.  Two are
> connected to the Internet, and four are to the internal networks.  I use
> ipchains to block various unfriendly traffic, and control who can see

Ahhhh....  I think I see a possible problem!  Have a look at this:


Basically, snort sits 'behind' the ipchains and ipf programs.  They see the
packets before snort does.  If you've got things set up to drop/deny packets
that you are expecting to see with snort, then you won't.

> who, but all traffic passes across this machine.  All the interfaces
> have been put into PROMISC mode (as I believed snort needed this).
> Its placement on this machine would make me think it can see everything
> that goes in and out of the network.

As well it should.

> 	It CAN see some traffic -- it does happily report on things it
> sees internally, such as samba communications and nameserver
> communications within the network.  Additionally, it does seem to report
> occasional things from the outside.
> 	I performed this test, per your instructions:
> 		snort -dv host <webserver_IP>
> 	Snort displayed a great deal about communications going on
> within the network.   However, only things within the network for the
> time I watched.
> 	I then went to route-server.cerf.net and pinged the same
> webserver -- it did NOT report anything.

Odd.  Depending on your firewall rules, this might be expected.  Unless you
are blocking packets, you should see the ping traffic in the snort window.
> Now, John Berkers (berjo at ...827...):
> 	Where do you want your coffee?  As for output plugins, you're
> right -- I didn't configure any.  However, even in this state, snort
> does log alerts to /var/log/snort/alert and /var/log/snort/portscan.log
> .  I assumed this was the default configuration, and this works for my
> needs right now.  I thought I'd get it working before adding on a mySQL
> backend and such.

Good idea.  Getting ACID up and running is not a hard task, it's just got a lot
of dependencies.

> 	Is this not a true assumption?  If so, cool... if not, then why
> is it logging to these two files even without me saying so?

True sir!
I _really_ don't think it's your configs.  Your configs look quite sane to
me--Oh wait, I'm not sane....  :)  Seriously, they look fine.  The only things
that were amiss were corrected already.

Hold on...  You've got 2 external interfaces?  When you start snort which
interface are you telling it to watch?  If you don't specify, it will look at
the lowest numbered one.  If your traffic is coming in via the other
interface, then that would explain it.  (Yeah, I could have deleted all that
and re-written, but I'm lazy. ;-)

Good luck!

Erek Adams