[Snort-users] Configuration HELP! (understanding alerts and proxies)

Matt Kettler mkettler at ...4108...
Wed Jun 12 15:50:03 EDT 2002


Ok, that clears things up a little bit.



First question: what version of snort are you running?

You've said it's a 1.8 win32 port. Which one? If it is older than snort 
1.8.5, upgrade. Some members of the 1.8.x family had very significant bugs 
and I'd not even bother trying to determine if it's a config file problem 
if you're running one. (i.e. strange bugs in stream processing, strange bugs 
in the frag reassembler)

http://www.snort.org/dl/binaries/

In general your config in your original email looks "good" at first glance, 
and that alert should not have occurred unless the proxy attempt rule you 
are using is any -> any instead of EXTERNAL_NET -> HOME_NET.

You could try this:

replace this:

var HOME_NET x.x.x.243/32

with

var HOME_NET [x.x.x.243/32]

I know you should only need the braces for multi-IP cases, but I always use 
them myself. I doubt it will fix it, but won't take long to try.



At 11:51 AM 6/12/2002 -1000, Jason Martin wrote:
>Let me follow-up on this before I get similar responses. I don't think I was
>very clear.
>x.x.90.77 is a test machine I am using to scan my x.x.90.243 machine.  The
>proxy scan is part of the scan I am using to emulate a PROXY scan attempt.
>The problem is the scan was from x.x.x.77 but my logs only show the ACK of
>my machine responding to x.x.x.77's request SYN port scan of my machine on
>that port.  None of the other signatures for the port scan show up, in fact
>the only reason this was logged was because of the traffic generated by
>x.x.x.243.  I'm looking for someone to point out where I misconfigured my
>config file so that it is detecting ONLY traffic generated by x.x.x.243 even
>though I have it in my portscan-ignore section.  I guess it's two parts: why
>is it not detecting any external scans, and why is it not pre-processing my
>ignore variable.
>Problem in a nutshell:
>IDS Signatures when scans are run from x.x.x.243 are captured in Logs.  ALL
>scans from various other test machines against x.x.x.243 do not log.  I do
>however see the traffic when I am running snort -dev -c snort.conf, so the
>interface is grabbing the packets.  I think I mis-configured my config file
>so it doesn't know how to properly alert me.  Or I'm just not making any
>sense and the way I'm phrasing my problem isn't coming across correctly.  I
>hope this made things a little clearer.
>         ~Jason
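The rule-direction point raised above, as an added illustration that is not from either poster: a toy Python matcher that resolves Snort-style $HOME_NET / $EXTERNAL_NET variables and shows why a loose any <> any rule fires on HOME_NET's own ACK reply while an $EXTERNAL_NET -> $HOME_NET rule fires only on the scanner's inbound SYN. The 192.0.2.x addresses, port 8080 and the bidirectional loose rule are assumptions standing in for the thread's x.x.x.243 / x.x.x.77 and its unspecified proxy rule; this is a simplified matcher, not Snort's engine.

```python
import ipaddress

# Constructed snort.conf-style variables for the scenario in the thread;
# 192.0.2.243 stands in for the poster's x.x.x.243 (assumption).
VARS = {"HOME_NET": "[192.0.2.243/32]", "EXTERNAL_NET": "!$HOME_NET"}


def parse_addr_spec(spec, variables=VARS):
    """Expand a Snort address spec ('any', '$VAR', '[a,b]', '!x') into (negated, networks)."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):  # variable reference, which may itself be negated
        inner_neg, nets = parse_addr_spec(variables[spec[1:]], variables)
        return negated ^ inner_neg, nets
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    nets = [ipaddress.ip_network(s.strip()) for s in spec.strip("[]").split(",")]
    return negated, nets


def addr_matches(spec, ip):
    negated, nets = parse_addr_spec(spec)
    return any(ipaddress.ip_address(ip) in n for n in nets) != negated


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """rule = (src, sport, direction, dst, dport) as in a Snort rule header;
    '->' is one-way, '<>' matches the packet in either orientation."""
    src, sport, direction, dst, dport = rule

    def oriented(a, ap, b, bp):
        return (addr_matches(src, a) and port_matches(sport, ap)
                and addr_matches(dst, b) and port_matches(dport, bp))

    forward = oriented(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if direction == "->":
        return forward
    return forward or oriented(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


# Constructed traffic: the scanner's SYN to an assumed proxy port 8080, and
# HOME_NET's ACK reply to it (the only packet the poster saw an alert for).
SCAN_SYN = {"src": "192.0.2.77", "sport": 40000, "dst": "192.0.2.243", "dport": 8080}
ACK_REPLY = {"src": "192.0.2.243", "sport": 8080, "dst": "192.0.2.77", "dport": 40000}
LOOSE_RULE = ("any", "any", "<>", "any", "8080")                   # fires on both packets
TIGHT_RULE = ("$EXTERNAL_NET", "any", "->", "$HOME_NET", "8080")  # fires only on SCAN_SYN
```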