[Snort-users] Is this config. ok

Kenny D bitored2002 at ...3162...
Thu Feb 21 08:35:13 EST 2002


Yes, but if the Snort host only looks at the firewall port, the scan on the
internal network will be across the switch and the only 2 ports involved
are the port being scanned and my workstation port which is scanning. Snort
won't see it because it doesn't go via the port it's looking at.

Am I right or wrong?

--- Mike_Sands at ...5033... wrote:
> You should see the scan if it is targeted to the Snort host. For example, if
> my Snort server is 172.16.1.5 and I run the following command on my
> workstation
> 
> 
> # nmap 192.168.5.28
> 
> Starting nmap V. 2.53 by fyodor at ...306... (
> www.insecure.org/nmap/ )
> Interesting ports on  (172.16.1.5):
> (The 1518 ports scanned but not shown below are in
> state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 80/tcp     open        http
> 111/tcp    open        sunrpc
> 443/tcp    open        https
> 3306/tcp   open        mysql
> 
> Nmap run completed -- 1 IP address (1 host up)
> scanned in 1 second
> 
> 
> I should see the above scan in my snort logs.
> 
> Mike Sands
> Security / Network Engineer Office: (585) 214-1936
> Fax: (585) 295-7162
> Cell: 716-303-3245
> Element K
> 'the knowledge catalyst'
> www.elementk.com
> 
> 
> Kenny D <bitored2002 at ...3162...>, sent by snort-users-admin at ...635... eforge.net, wrote on 02/21/2002 10:37 AM:
> To: Mike_Sands at ...5033...
> cc: snort users <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Is this config. ok
> 
> Mike,
> 
> The variable is set to DNS hosts (I haven't specified any). When I scan
> from inside I don't get any alerts. However, I have a switched environment
> and all that is replicated to Snort is traffic from the firewall destined
> for the inside, therefore I would not expect an internal scan to work,
> unless I had hubs. Does this sound correct?
> 
> When I changed my home network to any and port mirroring to receive and
> transmit and then did a scan I got alerts.
> 
> So I proved Snort works, correct?
> 
> So to recap: if I redirect incoming traffic on the firewall's inside
> interface to Snort and don't get any alerts it means my firewall is doing a
> good job, because with the above we proved Snort works.
> 
> Again I really appreciate your help as I hope to put this into production
> soon, just want to make sure I have set things up correctly.
> --- Mike_Sands at ...5033... wrote:
> > No, it should only ignore scans that are in the portscan-ignorehosts
> > variable.
> >
> > Mike Sands
> > Security / Network Engineer
> > Office: (585) 214-1936
> > Fax: (585) 295-7162
> > Cell: 716-303-3245
> > Element K
> > 'the knowledge catalyst'
> > www.elementk.com
> >
> >
> > Kenny D <bitored2002 at ...3162...>, sent by snort-users-admin at ...635... eforge.net, wrote on 02/21/2002 09:27 AM:
> > To: Mike_Sands at ...5033...
> > cc: snort users <snort-users at lists.sourceforge.net>
> > Subject: Re: [Snort-users] Is this config. ok
> >
> > If it's set up right, should it not ignore scans from the inside and only
> > look for scans coming from the outside? Is that not the default way Snort
> > works?
> >
> > I set up my port mirroring for traffic that my inside interface receives
> > (i.e. going towards my inside private network).
> >
> > Thanks.
> >
> > --- Mike_Sands at ...5033... wrote:
> > > It looks right. You may be right that your firewall is doing a good job.
> > > As a test you could run a scan on the box directly from a machine that is
> > > behind the firewall. If Snort alerts on the scan then things are probably
> > > good.
> > >
> > > Mike Sands
> > > Security / Network Engineer
> > > Office: (585) 214-1936
> > > Fax: (585) 295-7162
> > > Cell: 716-303-3245
> > > Element K
> > > 'the knowledge catalyst'
> > > www.elementk.com
> > >
> > >
> > > Kenny D <bitored2002 at ...5036...> To: Mike_Sands at ...5033...
> 
=== message truncated === 

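As an added illustration of the visibility question argued in this thread (not code from the thread, from Snort, or from either poster): a toy model of a switch whose monitor port mirrors the firewall's inside port, a sensor that additionally sees frames addressed to its own NIC, and a simplified portscan check with an ignore list standing in for portscan-ignorehosts. All host names, switch port names, the threshold and the detector logic are constructed assumptions, not Snort's actual preprocessor.

```python
from collections import defaultdict

# Constructed topology: which switch port each host sits on.
PORT_OF = {"firewall": "gi0/1", "snort": "gi0/2", "workstation": "gi0/3",
           "server": "gi0/4"}
SCAN_THRESHOLD = 4  # distinct (host, port) targets from one source -> alert

def frame(src, dst, dport):
    return {"src": src, "dst": dst, "dport": dport}

def mirrored(frames, span_port, direction="both"):
    """Frames the switch copies to the monitor port. 'rx' = frames entering
    span_port from the attached device, 'tx' = frames sent out of it."""
    out = []
    for f in frames:
        rx = PORT_OF[f["src"]] == span_port
        tx = PORT_OF[f["dst"]] == span_port
        if (direction in ("rx", "both") and rx) or (direction in ("tx", "both") and tx):
            out.append(f)
    return out

def sensor_sees(frames, span_port, direction="both", sniff_own_nic=True):
    """Assumption: the Snort host sniffs one NIC that is both the monitor port
    and its own address, so frames to/from the snort host are seen as well."""
    seen = mirrored(frames, span_port, direction)
    if sniff_own_nic:
        seen += [f for f in frames
                 if "snort" in (f["src"], f["dst"]) and f not in seen]
    return seen

def portscan_alerts(frames, ignorehosts=()):
    """Simplified stand-in for the portscan preprocessor: alert per source
    touching SCAN_THRESHOLD+ distinct targets, unless it is in ignorehosts."""
    targets = defaultdict(set)
    for f in frames:
        targets[f["src"]].add((f["dst"], f["dport"]))
    return sorted(s for s, t in targets.items()
                  if len(t) >= SCAN_THRESHOLD and s not in ignorehosts)

def scan(src, dst):
    """Constructed stand-in for the nmap run: probes to the five open ports."""
    return [frame(src, dst, p) for p in (22, 80, 111, 443, 3306)]

if __name__ == "__main__":
    span = PORT_OF["firewall"]  # mirror the firewall's inside port
    # Workstation -> server across the switch never crosses the mirrored port.
    print(portscan_alerts(sensor_sees(scan("workstation", "server"), span)))  # []
    # Workstation -> snort host hits the sensor's own NIC, so it is seen.
    print(portscan_alerts(sensor_sees(scan("workstation", "snort"), span)))  # ['workstation']
    # Traffic the firewall forwards inward enters its port (rx) and is mirrored.
    print(portscan_alerts(sensor_sees(scan("firewall", "server"), span, "rx")))  # ['firewall']
```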