[Snort-users] Is this config. ok

Mike_Sands at ...5033... Mike_Sands at ...5033...
Thu Feb 21 07:09:45 EST 2002


No, it should only ignore scans that are in the portscan-ignorehosts
variable.

Mike Sands
Security / Network Engineer
Office: (585) 214-1936
Fax: (585) 295-7162
Cell: 716-303-3245
Element K
'the knowledge catalyst'
www.elementk.com


Kenny D <bitored2002 at ...3162...>
Sent by: snort-users-admin at ...635...eforge.net
02/21/2002 09:27 AM

To:      Mike_Sands at ...5033...
cc:      snort users <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Is this config. ok

If it's set up right should it not ignore scans from the
inside and only look for scans coming from the
outside? Is that not the default way snort works?

I set up my port mirroring for traffic that my inside
interface receives (i.e. going towards my inside private
network).

Thanks.

--- Mike_Sands at ...5033... wrote: >
> It looks right. You may be right that your firewall is doing a good
> job. As a test you could run a scan on the box directly from a machine
> that is behind the firewall. If snort alerts on the scan then things
> are probably good.
>
> Mike Sands
> Security / Network Engineer
> Office: (585) 214-1936
> Fax: (585) 295-7162
> Cell: 716-303-3245
> Element K
> 'the knowledge catalyst'
> www.elementk.com
>
> Kenny D <bitored2002 at ...5036...oo.com.au>
> 02/21/2002 07:28 AM
>
> To:      Mike_Sands at ...5033...
> cc:      snort users <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Is this config. ok
>
> Hi,
>
> By very quiet I mean no alerts whatsoever. I assume
> a). my router and firewall is doing a good job or b). I
> have done something wrong.
>
> When I add a rule for any traffic coming in I see
> plenty going on so maybe my config is ok. An external
> scan using superscan gave nothing. The snort options I
> use are as follows
>
> c:\snort.exe -c c:\snort\snort.conf -h 172.17.1.0/24 -i 1
>
> Does this all sound reasonable?
>
> Appreciate your comments.
>
> --- Mike_Sands at ...5033... wrote: >
> > It sounds like you have everything set up correctly. By "very quiet"
> > do you mean that there are no alerts at all? If you did some sort of
> > nmap scan of the internal network it really should show up in your
> > portscan.log file. Just for Yuks you may want to try and set your
> > home network to 'any' and scan again. Also how are you running snort?
> > What flags are you using on the command line?
> >
> > Mike Sands
> > Security / Network Engineer
> > Office: (585) 214-1936
> > Fax: (585) 295-7162
> > Cell: 716-303-3245
> > Element K
> > 'the knowledge catalyst'
> > www.elementk.com
> >
> > Kenny D <bitored2002 at ...3162...>
> > Sent by: snort-users-admin at ...635...eforge.net
> > 02/20/2002 12:02 PM
> >
> > To:      snort users <snort-users at lists.sourceforge.net>
> > cc:
> > Subject: [Snort-users] Is this config. ok
> >
> > Hi,
> >
> > I have set up snort and it is very quiet. I just want
> > to make sure everything I have done is correct. I have set
> > it up as follows
> >
> > internet -- router --- (public ip outside)pix(inside172.16.1.1) --- (172.16.1.2) 3005Concentrator (172.17.1.1) --- my inside network on 172.17.1.0
> >
> > My snort machine is monitoring all traffic coming from
> > the pix inside interface, I am using span port
> > mirroring on my switch. When I turn on
> > alert tcp any any -> any any
> > I do see plenty of traffic going back
> > and forward. However when I turn it off it is very
> > quiet. I assume my router and firewall is doing a good
> > job but how can I be sure it all works. An external
> > scan didn't create any alerts. I set my home network in
> > snort to 172.17.1.0
> >
> > Can anyone help me here?
> >
> > Thanks.
> >

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
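
Added example, not part of the original thread and not Snort's own code: a simplified Python model of threshold-based portscan detection with an ignore list, illustrating the reply at the top of this message that a scan from an inside host is still flagged unless its source is listed as an ignored host. The function name, the thresholds (4 ports within 3 seconds) and the packet records are constructed assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

def detect_portscans(packets, monitored_net, ports=4, period=3.0, ignore_hosts=()):
    """Return the set of source IPs flagged as scanners (simplified model).

    A source is flagged when it touches `ports` or more distinct
    (destination, port) pairs inside monitored_net within `period` seconds.
    Only sources matching ignore_hosts are skipped; being "inside" is not
    enough to be exempt.
    """
    net = ip_network(monitored_net)
    ignored = [ip_network(h) for h in ignore_hosts]
    recent = defaultdict(deque)          # src -> recent (ts, dst, dport)
    flagged = set()
    for ts, src, dst, dport in sorted(packets):
        if ip_address(dst) not in net:
            continue                     # destination is not monitored
        if any(ip_address(src) in n for n in ignored):
            continue                     # source is explicitly ignored
        window = recent[src]
        window.append((ts, dst, dport))
        while window and ts - window[0][0] > period:
            window.popleft()             # drop entries older than the period
        if len({(d, p) for _, d, p in window}) >= ports:
            flagged.add(src)
    return flagged

# Constructed sample traffic: (timestamp, source, destination, dest port).
SAMPLE_PACKETS = (
    # inside host sweeping ports on another inside host
    [(0.1 * i, "172.17.1.50", "172.17.1.10", p)
     for i, p in enumerate((21, 22, 23, 25, 80))]
    # outside host (documentation address) doing the same
    + [(10 + 0.1 * i, "203.0.113.7", "172.17.1.10", p)
       for i, p in enumerate((21, 22, 23, 25, 80))]
    # ordinary inside client revisiting one web port
    + [(t, "172.17.1.20", "172.17.1.10", 80) for t in (0.0, 5.0, 10.0)]
)

if __name__ == "__main__":
    print(detect_portscans(SAMPLE_PACKETS, "172.17.1.0/24"))
    print(detect_portscans(SAMPLE_PACKETS, "172.17.1.0/24",
                           ignore_hosts=["172.17.1.50/32"]))
```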