[Snort-users] Configuration issue, Part II

John Sage jsage at ...2022...
Tue Sep 25 05:26:01 EDT 2001


Bob:

Bob Hillegas wrote:

> John, I too use a dialup ppp connection on a firewall/IDS box. But I see
> less than one percent of traffic and rarely see any packets that IPChains
> logs, and I do log every DENY, REJECT.


Remember that you may have to tell snort to look at what you want to 
see; I'm logging or alerting on *everything* via my own rules..

 
> You showed your command line. Do you mind sharing your 'cat snort.conf |
> grep -v ^# | grep -v ^$'?
> 


Here you go:

var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

preprocessor frag2
preprocessor stream4: detect_scans, detect_state_problems
preprocessor stream4_reassemble: ports all
preprocessor unidecode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log

output alert_syslog: LOG_DAEMON LOG_ALERT
output alert_full: /var/log/snort/alertREL.full

include classification.config

alert tcp 127.0.0.0/8 any -> $HOME_NET any (msg: "Alert: tcp from 127 block";)
alert udp 127.0.0.0/8 any -> $HOME_NET any (msg: "Alert: udp from 127 block";)
alert icmp 127.0.0.0/8 any -> $HOME_NET any (msg: "Alert: icmp from 127 block";)

alert tcp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: tcp from 192-168 block";)
alert udp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: udp from 192-168 block";)
alert icmp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: icmp from 192-168 block";)

alert tcp 10.0.0.0/8 any -> $HOME_NET any (msg: "Alert: tcp from 10 block";)
alert udp 10.0.0.0/8 any -> $HOME_NET any (msg: "Alert: udp from 10 block";)
alert icmp 10.0.0.0/8 any -> $HOME_NET any (msg: "Alert: icmp from 10 block";)

alert tcp 172.16.0.0/12 any -> $HOME_NET any (msg: "Alert: tcp from 172-[16-31] block";)
alert udp 172.16.0.0/12 any -> $HOME_NET any (msg: "Alert: udp from 172-[16-31] block";)
alert icmp 172.16.0.0/12 any -> $HOME_NET any (msg: "Alert: icmp from 172-[16-31] block";)

include /usr/local/snort-1.8.1-RELEASE/tcpREL-local-lib
include /usr/local/snort-1.8.1-RELEASE/udpREL-local-lib
include /usr/local/snort-1.8.1-RELEASE/icmpREL-local-lib


OK: so what's going on with the last?

Again, what I'm doing is -b binary logging *everything* via my own 
rules; later on I run the logs against more conventional snort rules for 
analysis with a couple of aliases:

alias snort18view='snort18 -dv -i ppp0 -P 2000 -r '

and

alias snort18check='snort18 -dv -i ppp0 -l . -P 2000 -c /usr/local/snort-1.8.1-beta4/snort18check.conf -r '

that are in my .bashrc  (heh.. and which I can see I need to update to 
RELEASE ;-)


My /usr/local/snort-1.8.1-RELEASE/*REL-local-lib rules files look 
something like this:

<snip>
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"TCP to 110 pop3";)
log tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"TCP from 110 pop3";)
# alert to, log from
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"TCP to 111 sunrpc";)
alert tcp $EXTERNAL_NET 111 -> $HOME_NET any (msg:"TCP from 111 sunrpc";)
# tcp only: alert to, log from
<snip>

So for all ports, I'm either logging or alerting, either on specific 
ports (as above..) or on port ranges as below:

<snip>
#
log tcp $EXTERNAL_NET any -> $HOME_NET 61000:65095 (msg:"TCP to masq range";)
alert tcp $EXTERNAL_NET 61000:65095 -> $HOME_NET any (msg:"TCP from masq range";)
# alert from until we see some, log to always
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 65096:65535 (msg:"TCP beyond masq";)
alert tcp $EXTERNAL_NET 65096:65535 -> $HOME_NET any (msg:"TCP beyond masq";)
# alert from until we see some, alert to always
#
<snip>


So this makes sure that snort is either logging or alerting on *every* 
packet (heh.. tcp, udp or icmp anyway..) that comes in.

HTH..

- John


-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
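A hand-written "log or alert on every port" library like the *REL-local-lib files above is only as complete as the ranges someone remembered to type, so a quick coverage check is worth having. The script below is an added example, not code from John's post or from the Snort project: it parses the header of each Snort 1.x rule (action, protocol, addresses, ports; options are ignored), collects the destination ports watched in the "to $HOME_NET" direction and the source ports watched in the "from" direction, and reports which ports in 1-65535 have no rule at all. The SAMPLE_RULES string is constructed here from the rules quoted in the message; the function and variable names are this example's own, and negated port specs ("!80") are deliberately not handled.

```python
"""Port-coverage check for a "log or alert on everything" Snort 1.x rule set.

Added example (not from the original post or the Snort project). Given rule
lines in the style of the *REL-local-lib files in the message, report the
destination ports ("to" direction) and source ports ("from" direction) that
no log/alert rule covers. Only the rule header is parsed; options are ignored.
"""
import re
from typing import Dict, List, Tuple

Interval = Tuple[int, int]

# Header of a Snort 1.x rule:  action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)

MIN_PORT, MAX_PORT = 1, 65535

# Constructed sample in the style of the rules quoted in the post.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"TCP to 110 pop3";)
log tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"TCP from 110 pop3";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"TCP to 111 sunrpc";)
alert tcp $EXTERNAL_NET 111 -> $HOME_NET any (msg:"TCP from 111 sunrpc";)
log tcp $EXTERNAL_NET any -> $HOME_NET 61000:65095 (msg:"TCP to masq range";)
alert tcp $EXTERNAL_NET 61000:65095 -> $HOME_NET any (msg:"TCP from masq range";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 65096:65535 (msg:"TCP beyond masq";)
alert tcp $EXTERNAL_NET 65096:65535 -> $HOME_NET any (msg:"TCP beyond masq";)
"""


def parse_port_spec(spec: str) -> Interval:
    """Turn a Snort port field ("any", "110", "61000:65095", ":1023", "1024:")
    into an inclusive (low, high) interval.  Negated specs are not supported."""
    if spec.startswith("!"):
        raise ValueError(f"negated port spec not supported: {spec}")
    if spec == "any":
        return (MIN_PORT, MAX_PORT)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else MIN_PORT, int(hi) if hi else MAX_PORT)
    port = int(spec)
    return (port, port)


def merge(intervals: List[Interval]) -> List[Interval]:
    """Merge overlapping or adjacent inclusive intervals into a sorted list."""
    merged: List[Interval] = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def gaps(covered: List[Interval]) -> List[Interval]:
    """Complement of the covered intervals within [MIN_PORT, MAX_PORT]."""
    result: List[Interval] = []
    cursor = MIN_PORT
    for lo, hi in merge(covered):
        if lo > cursor:
            result.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= MAX_PORT:
        result.append((cursor, MAX_PORT))
    return result


def port_coverage(rules_text: str, proto: str = "tcp") -> Dict[str, List[Interval]]:
    """Return the uncovered port ranges for one protocol.

    "to":   destination ports on $HOME_NET that no rule logs or alerts on
    "from": source ports on the far side that no rule logs or alerts on
    A rule with both ports "any" covers every port in both directions.
    """
    to_ports: List[Interval] = []
    from_ports: List[Interval] = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m or m.group("proto") != proto:
            continue
        sport, dport = m.group("sport"), m.group("dport")
        # A specific destination port watches traffic *to* that port; a specific
        # source port watches replies *from* it; "any any" watches everything.
        if dport != "any" or sport == "any":
            to_ports.append(parse_port_spec(dport))
        if sport != "any" or dport == "any":
            from_ports.append(parse_port_spec(sport))
    return {"to": gaps(to_ports), "from": gaps(from_ports)}


if __name__ == "__main__":
    for direction, holes in port_coverage(SAMPLE_RULES).items():
        print(f"tcp {direction}: uncovered {holes}")
```

Run against the snippets quoted in the message, it reports that TCP ports 1-109 and 112-60999 are uncovered in both directions, which is exactly the part the <snip> markers hide; point it at the full rules files and an empty list in both directions confirms the "every packet is logged or alerted on" claim for that protocol.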