: [Snort-users] Configuration HELP! (understanding alerts and proxies)

Scot Scot scotw at ...125...
Wed Jun 12 23:30:04 EDT 2002


Correct me if I'm wrong on this one, your

 var HOME_NET x.x.x.243/32

is specifying a single host as the HOME_NET. Naturally you will only see
traffic from one host with a single host as a variable.

Have you tried

var HOME_NET any

for troubleshooting purposes?


----- Original Message -----
From: "Matt Kettler" <mkettler at ...4108...>
To: "Jason Martin" <jmartin at ...6065...>; "SNORT LIST (E-mail)"
<snort-users at lists.sourceforge.net>
Sent: Wednesday, June 12, 2002 5:51 PM
Subject: Re: : [Snort-users] Configuration HELP! (understanding alerts and
proxies)


> Ok, that clears things up a little bit.
>
>
>
> First question what version of snort are you running?
>
> You've said it's a 1.8 win32 port. Which one? If it is older than snort
> 1.8.5, upgrade. Some members of the 1.8.x family had very significant bugs
> and I'd not even bother trying to determine if it's a config file problem
> if you're running one. (ie: strange bugs in stream processing, strange
> bugs in the frag reassembler)
>
> http://www.snort.org/dl/binaries/
>
> In general your config in your original email looks "good" at first
> glance, and that alert should not have occurred unless the proxy attempt
> rule you are using is any -> any instead of EXTERNAL_NET -> HOME_NET.
>
> You could try this:
>
> replace this:
>
> var HOME_NET x.x.x.243/32
>
> with
>
> var HOME_NET [x.x.x.243/32]
>
> I know you should only need the braces for multi-IP cases, but I always
> use them myself. I doubt it will fix it, but won't take long to try.
>
>
>
> At 11:51 AM 6/12/2002 -1000, Jason Martin wrote:
> >Let me follow up on this before I get similar responses. I don't think I
> >was very clear.
> >x.x.90.77 is a test machine I am using to scan my x.x.90.243 machine. The
> >proxy scan is part of the scan I am using to emulate a PROXY scan attempt.
> >The problem is the scan was from x.x.x.77 but my logs only show the ACK of
> >my machine responding to x.x.x.77's request SYN port scan of my machine on
> >that port.  None of the other signatures for the port scan show up, in fact
> >the only reason this was logged was because of the traffic generated by
> >x.x.x.243.  I'm looking for someone to point out where I misconfigured my
> >config file so that it is detecting ONLY traffic generated by x.x.x.243 even
> >though I have it in my portscan-ignore section.  I guess it's two part;
> >why is it not detecting any external scans, and why is it not pre-processing
> >my ignore variable.
> >Problem in a nutshell:
> >IDS Signatures when scans are run from x.x.x.243 are captured in Logs. ALL
> >scans from various other test machines against x.x.x.243 do not log.  I do
> >however see the traffic when I am running snort -dev -c snort.conf, so the
> >interface is grabbing the packets.  I think I mis-configured my config file
> >so it doesn't know how to properly alert me.  Or I'm just not making any
> >sense and the way I'm phrasing my problem isn't coming across correctly.  I
> >hope this made things a little clearer.
> >         ~Jason
>
>
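The thread turns on how Snort resolves $HOME_NET and $EXTERNAL_NET in a rule's source -> destination header: with HOME_NET set to a single /32, an EXTERNAL_NET -> HOME_NET rule can only fire on packets going *to* that host, so the only way the target's own ACK shows up in the log is an any -> any rule. The following is an added illustration written for this page, not code from the thread or from Snort itself. It is a small Python model of that variable resolution (any, CIDR, $VAR, !spec, [list]) applied to two constructed packets, the scanner's SYN and the target's reply, using RFC 5737 documentation addresses in place of the x.x.x.77 and x.x.x.243 hosts. One modelling assumption worth knowing: negating `any` matches nothing, so if you take the troubleshooting advice of `var HOME_NET any` while keeping `var EXTERNAL_NET !$HOME_NET`, no EXTERNAL_NET -> HOME_NET rule can ever match; the "any" config below sets both to `any` for that reason.

```python
"""Model of how Snort resolves $HOME_NET / $EXTERNAL_NET in a rule header.
Added illustration for this thread; not Snort's own code."""
import ipaddress
import re

# Constructed sample configs (RFC 5737 addresses stand in for x.x.x.243 / x.x.x.77).
SINGLE_HOST_CONF = """
var HOME_NET 192.0.2.243/32
var EXTERNAL_NET !$HOME_NET
"""

# Same thing with the bracket form suggested in the thread.
BRACKET_CONF = """
var HOME_NET [192.0.2.243/32]
var EXTERNAL_NET !$HOME_NET
"""

# Troubleshooting variant. Assumption of this model: '!any' matches nothing,
# so EXTERNAL_NET is set to 'any' too, or EXTERNAL_NET -> HOME_NET never fires.
ANY_CONF = """
var HOME_NET any
var EXTERNAL_NET any
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")


def parse_vars(conf: str) -> dict:
    """Collect 'var NAME value' lines into a dict; values are kept as raw strings."""
    out = {}
    for line in conf.splitlines():
        m = VAR_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def split_list(spec: str) -> list:
    """'[a, b, c]' -> ['a', 'b', 'c']; a bare spec -> [spec]."""
    if spec.startswith("[") and spec.endswith("]"):
        return [p.strip() for p in spec[1:-1].split(",") if p.strip()]
    return [spec]


def addr_matches(spec: str, ip: str, variables: dict, depth: int = 0) -> bool:
    """True if ip is covered by spec: 'any', CIDR, $VAR, !spec or [list]."""
    if depth > 16:  # guard against self-referential variables
        raise ValueError("variable recursion too deep: " + spec)
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables, depth + 1)
    if spec.startswith("$"):
        name = spec[1:]
        if name not in variables:
            raise KeyError("undefined variable $" + name)
        return addr_matches(variables[name], ip, variables, depth + 1)
    if spec.startswith("["):
        return any(addr_matches(p, ip, variables, depth + 1) for p in split_list(spec))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule_src: str, rule_dst: str, pkt_src: str, pkt_dst: str, variables: dict) -> bool:
    """Would a rule with header 'proto rule_src any -> rule_dst any' see this packet?"""
    return addr_matches(rule_src, pkt_src, variables) and addr_matches(rule_dst, pkt_dst, variables)


# Constructed packets: the test box scanning the sensor host, and the reply.
SCAN_SYN = ("192.0.2.77", "192.0.2.243")   # scanner -> target
REPLY = ("192.0.2.243", "192.0.2.77")      # target's ACK back to scanner


def what_fires(conf: str) -> dict:
    """For one config, which of two rule headers match the scan and the reply."""
    v = parse_vars(conf)
    return {
        "ext_to_home_on_scan": rule_matches("$EXTERNAL_NET", "$HOME_NET", *SCAN_SYN, v),
        "ext_to_home_on_reply": rule_matches("$EXTERNAL_NET", "$HOME_NET", *REPLY, v),
        "any_to_any_on_scan": rule_matches("any", "any", *SCAN_SYN, v),
        "any_to_any_on_reply": rule_matches("any", "any", *REPLY, v),
    }


if __name__ == "__main__":
    for label, conf in (("single host /32", SINGLE_HOST_CONF),
                        ("bracketed /32", BRACKET_CONF),
                        ("any", ANY_CONF)):
        print(label, what_fires(conf))
```

With the /32 config the EXTERNAL_NET -> HOME_NET header matches the scanner's SYN but not the target's reply, while any -> any matches both; the bracketed form resolves identically. If the log only ever contains traffic sourced from the HOME_NET host, that points at an any -> any rule, not at the brackets.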
