[Snort-users] Is this config. ok

Kenny D bitored2002 at ...3162...
Thu Feb 21 06:28:16 EST 2002


 
If it's set up right, should it not ignore scans from the
inside and only look for scans coming from the
outside? Is that not the default way Snort works?

I set up my port mirroring for traffic that my inside
interface receives (i.e. going towards my inside private
network).

Thanks.

--- Mike_Sands at ...5033... wrote:
> It looks right. You may be right that your firewall is doing a good job. As
> a test you could run a scan on the box directly from a machine that is
> behind the firewall. If snort alerts on the scan then things are probably
> good.
> 
> Mike Sands
> Security / Network Engineer
> Office: (585) 214-1936
> Fax: (585) 295-7162
> Cell: 716-303-3245
> Element K
> 'the knowledge catalyst'
> www.elementk.com
> 
>
> From: Kenny D <bitored2002 at ...5036...oo.com.au>
> To: Mike_Sands at ...5033...
> cc: snort users <snort-users at lists.sourceforge.net>
> Date: 02/21/2002 07:28 AM
> Subject: Re: [Snort-users] Is this config. ok
>
> Hi,
> 
> By very quiet I mean no alerts whatsoever. I assume
> a) my router and firewall is doing a good job or b) I
> have done something wrong.
>
> When I add a rule for any traffic coming in I see
> plenty going on so maybe my config is ok. An external
> scan using SuperScan gave nothing. The snort options I
> use are as follows
>
> c:\snort.exe -c c:\snort\snort.conf -h 172.17.1.0/24 -i 1
>
> Does this all sound reasonable?
> 
> Appreciate your comments.
> 
> --- Mike_Sands at ...5033... wrote:
> > It sounds like you have everything set up correctly. By "very quiet" do you
> > mean that there are no alerts at all? If you did some sort of nmap scan of
> > the internal network it really should show up in your portscan.log file.
> > Just for yuks you may want to try and set your home network to 'any' and
> > scan again. Also how are you running snort? What flags are you using on the
> > command line?
> >
> > Mike Sands
> > Security / Network Engineer
> > Office: (585) 214-1936
> > Fax: (585) 295-7162
> > Cell: 716-303-3245
> > Element K
> > 'the knowledge catalyst'
> > www.elementk.com
> >
> > From: Kenny D <bitored2002 at ...3162...>
> > Sent by: snort-users-admin at ...635...eforge.net
> > To: snort users <snort-users at lists.sourceforge.net>
> > Date: 02/20/2002 12:02 PM
> > Subject: [Snort-users] Is this config. ok
> >
> > Hi,
> >
> > I have set up snort and it is very quiet. I just want
> > to make sure everything I have done is correct. I have set
> > it up as follows
> >
> > internet -- router --- (public ip outside) pix (inside 172.16.1.1) --- (172.16.1.2) 3005Concentrator (172.17.1.1) --- my inside network on 172.17.1.0
> >
> > My snort machine is monitoring all traffic coming from
> > the pix inside interface; I am using span port
> > mirroring on my switch. When I turn on
> > alert tcp any any -> any any
> > I do see plenty of traffic going back
> > and forward. However when I turn it off it is very
> > quiet. I assume my router and firewall is doing a good
> > job but how can I be sure it all works? An external
> > scan didn't create any alerts. I set my home network in
> > snort to 172.17.1.0
> >
> > Can anyone help me here?
> >
> > Thanks.
>  
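
The question above is about which direction of traffic a rule looks at. As an added example (not part of the thread, and not Snort's own code), here is a small Python model of how a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` selects traffic by source and destination address, using the thread's 172.17.1.0/24 and 172.16.1.2 addresses. The flows, the 203.0.113.10 address, the `EXTERNAL_NET` values and all function names are constructed assumptions; preprocessors and what the SPAN port actually carries are not modelled.

```python
import ipaddress

def resolve(spec, variables):
    """Expand an address spec to (negated, network); network None means 'any'."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):                      # variable reference, e.g. $HOME_NET
        inner_neg, net = resolve(variables[spec[1:]], variables)
        return negated != inner_neg, net
    if spec == "any":
        return negated, None
    return negated, ipaddress.ip_network(spec, strict=False)

def addr_matches(spec, addr, variables):
    negated, net = resolve(spec, variables)
    inside = True if net is None else ipaddress.ip_address(addr) in net
    return inside != negated

def header_matches(src_spec, dst_spec, flow, variables):
    """True when the flow's source and destination both satisfy the rule header."""
    return (addr_matches(src_spec, flow["src"], variables)
            and addr_matches(dst_spec, flow["dst"], variables))

# Constructed sample flows (not captured traffic).
FLOWS = [
    {"name": "outside scan",     "src": "203.0.113.10", "dst": "172.17.1.20"},
    {"name": "inside scan",      "src": "172.17.1.30",  "dst": "172.17.1.20"},
    {"name": "pix-segment scan", "src": "172.16.1.2",   "dst": "172.17.1.20"},
    {"name": "outbound",         "src": "172.17.1.30",  "dst": "203.0.113.10"},
]

def candidates(home_net, external_net):
    """Names of flows that a '$EXTERNAL_NET any -> $HOME_NET any' header selects."""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": external_net}
    return [f["name"] for f in FLOWS
            if header_matches("$EXTERNAL_NET", "$HOME_NET", f, variables)]

if __name__ == "__main__":
    for home, ext in [("172.17.1.0/24", "!$HOME_NET"),
                      ("172.17.1.0/24", "any"),
                      ("any", "any")]:
        print(f"HOME_NET={home} EXTERNAL_NET={ext}: {candidates(home, ext)}")
```

In this model a scan from a host inside 172.17.1.0/24 is selected only when `EXTERNAL_NET` is not restricted to addresses outside `HOME_NET`, while a scan from the 172.16.1.x segment is selected either way.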
