[Snort-users] Configuration HELP!
jmartin at ...6065...
Wed Jun 12 13:18:02 EDT 2002
Configuration: Snort WIN32 1.8 port on a Win2k Pro.
Running snort from the command line:
Snort -dev -c snort.conf
Below is a snippet of my config file.
I tried to set my variables so that only my PC would be considered "home"
and snort would treat all other packets as being external. However, Snort
is not logging IDS alerts except for activity from my machine (var
HOME_NET). If I scan the Snort machine from a test machine it detects nothing.
As soon as I scan the test machine with my Snort machine, Snort lights up.
To alleviate this problem I placed my IP address in the preprocessor
portscan-ignorehosts section, but that didn't work either. It is still alarming
off of traffic sent from my PC.
I must have misconfigured something and was hoping someone could shed some
light on the situation.
I've also noticed that any trigger events that do happen to be logged all
show traffic flow coming from my machine.
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/10-11:40:24.538093 x.x.x.243:1282 -> x.x.x.77:1080
TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDA7C045C Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[Xref => http://help.undernet.org/proxyscan/]
The x.x.x.77 machine is the machine that was scanning me, but the traffic
flow shows my machine responding to the proxy scan; it did not create an
event showing a scan coming from the scanning machine. When I look at this,
it makes me think I was scanning x.x.x.77. Or, am I just misunderstanding
Thanks in advance for any help.
var HOME_NET x.x.x.243/32
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /rules
preprocessor stream4: detect_scans
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor portscan: $EXTERNAL_NET 2 1 portscan.log
preprocessor portscan-ignorehosts: $HOME_NET