[Snort-users] Is this config. ok

Kenny D bitored2002 at ...3162...
Thu Feb 21 07:38:05 EST 2002


Mike,

The variable is set to DNS hosts (I haven't specified
any). When I scan from inside I don't get any alerts.
However, I have a switched environment and all that is
replicated to snort is traffic from the firewall
destined for the inside; therefore I would not expect
an internal scan to work, unless I had hubs. Does this
sound correct?

When I changed my home network to any and port
mirroring to receive and transmit and then did a scan, I
got alerts.

So I proved snort works, correct?

So to recap: if I redirect incoming traffic on the
firewall's inside interface to snort and don't get any
alerts, it means my firewall is doing a good job,
because with the above we proved snort works.

Again, I really appreciate your help as I hope to put
this into production soon; I just want to make sure I
have set things up correctly.
--- Mike_Sands at ...5033... wrote: > 
> No, it should only ignore scans that are in the
> portscan-ignorehosts variable.
> 
> Mike Sands
> Security / Network Engineer
> Office: (585) 214-1936
> Fax: (585) 295-7162
> Cell: 716-303-3245
> Element K
> 'the knowledge catalyst'
> www.elementk.com
> 
> 
> Kenny D <bitored2002 at ...3162...>
> Sent by: snort-users-admin at ...635...eforge.net
> 02/21/2002 09:27 AM
>
> To: Mike_Sands at ...5033...
> cc: snort users <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Is this config. ok
>
> If it's set up right, should it not ignore scans from the
> inside and only look for scans coming from the outside?
> Is that not the default way snort works?
>
> I set up my port mirroring for traffic that my inside
> interface receives (i.e. going towards my inside private
> network).
> 
> Thanks.
> 
> --- Mike_Sands at ...5033... wrote: >
> > It looks right. You may be right that your firewall
> > is doing a good job. As a test you could run a scan
> > on the box directly from a machine that is behind the
> > firewall. If snort alerts on the scan then things are
> > probably good.
> >
> > Kenny D <bitored2002 at ...5036...oo.com.au>
> > 02/21/2002 07:28 AM
> >
> > To: Mike_Sands at ...5033...
> > cc: snort users <snort-users at lists.sourceforge.net>
> > Subject: Re: [Snort-users] Is this config. ok
> >
> > Hi,
> >
> > By very quiet I mean no alerts whatsoever. I assume
> > a). my router and firewall are doing a good job or b). I
> > have done something wrong.
> >
> > When I ran a rule for any traffic coming in I see
> > plenty going on, so maybe my config is ok. An external
> > scan using superscan gave nothing. The snort options I
> > use are as follows:
> >
> > c:\snort.exe -c c:\snort\snort.conf -h 172.17.1.0/24 -i 1
> >
> > Does this all sound reasonable?
> >
> > Appreciate your comments.
> >
> > --- Mike_Sands at ...5033... wrote: >
> > > It sounds like you have everything set up correctly.
> > > By "very quiet" do you mean that there are no alerts
> > > at all? If you did some sort of nmap scan of the
> > > internal network it really should show up in your
> > > portscan.log file. Just for yuks you may want to try
> > > and set your home network to 'any' and scan again.
> > > Also, how are you running snort? What flags are you
> > > using on the command line?
> > >
> > > Kenny D <bitored2002 at ...3162...>
> > > Sent by: snort-users-admin at ...635...eforge.net
> > > 02/20/2002 12:02 PM
> > >
> > > To: snort users <snort-users at lists.sourceforge.net>
> > > cc:
> > > Subject: [Snort-users] Is this config. ok
> > >
> 
=== message truncated === 
