[Snort-users] Honeynet Project - Update to our snort.conf

Fri Mar 1 12:31:48 EST 2002

The Honeynet Project has made a change to its standard
snort.conf configuration file.  The snort.conf file
posted on the Honeynet website (now updated)
had a flaw and could fail to log non-standard IP protocols.
Team member Michael Clark discovered this when one of his
Honeynets was compromised.  This is a problem with our
configuration of the snort.conf file and has NOTHING to do
with Snort itself.

In the past, we logged network traffic as follows:

   # Logging tcp
   log tcp any any <> $HOME_NET any (msg: "Unmatched TCP"; session: printable;)

   # Logging udp
   log udp any any <> $HOME_NET any (msg: "Unmatched UDP"; session: printable;)

   # Logging icmp
   log icmp any any <> $HOME_NET any (msg: "Unmatched ICMP"; session: printable;)

There is a MAJOR flaw with this logging configuration: it ASSUMES
the bad guys will ONLY use TCP/UDP/ICMP.  There are MANY other IP
protocols that can be and are actively being used.  As such, these
log entries have now been replaced with this single entry, which
logs ALL IP traffic.

   log ip any any <> $HOME_NET any (msg: "Snort Unmatched"; session: printable;)
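To make the coverage gap concrete, here is a small rule-coverage check (added here as an illustration; it is not part of the original post and not Honeynet Project or Snort code). It parses the header of each Snort rule above with a minimal matcher that understands only `any`, `$HOME_NET`, literal addresses and the `->`/`<>` direction tokens, then runs constructed sample packets through the old three-rule set and the new `log ip` rule. The honeypot address, the external hosts and the packets are all made up for the example; the protocol numbers are the real IANA assignments.

```python
"""Which IP protocols does a protocol-specific Snort log rule set leave unlogged?

Minimal re-implementation of Snort rule-header matching, enough to compare the
old tcp/udp/icmp rules against the single 'log ip' rule on constructed traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# IANA IP protocol numbers for the protocols used in the sample packets.
PROTO_NAMES: Dict[int, str] = {
    1: "icmp", 6: "tcp", 17: "udp", 41: "ipv6", 47: "gre", 50: "esp", 89: "ospf",
}


@dataclass(frozen=True)
class Packet:
    proto: int                    # protocol number from the IP header
    src: str
    dst: str
    sport: Optional[int] = None   # only meaningful for tcp/udp
    dport: Optional[int] = None


def parse_rule(rule: str) -> dict:
    """Split a Snort rule into header fields: action proto src sport dir dst dport."""
    header, _, options = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction not in ("->", "<>"):
        raise ValueError(f"unsupported direction token: {direction}")
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "options": options.rstrip().rstrip(")")}


def _addr_ok(token: str, ip: str, home_net: Set[str]) -> bool:
    if token == "any":
        return True
    if token == "$HOME_NET":          # variable expanded from the caller's HOME_NET set
        return ip in home_net
    return token == ip                # literal single address


def _port_ok(token: str, port: Optional[int]) -> bool:
    return token == "any" or (port is not None and int(token) == port)


def _proto_ok(rule_proto: str, pkt: Packet) -> bool:
    # 'ip' covers every protocol number; a named protocol must match exactly,
    # and an unknown number matches no named rule at all.
    return rule_proto == "ip" or PROTO_NAMES.get(pkt.proto) == rule_proto


def rule_matches(rule: dict, pkt: Packet, home_net: Set[str]) -> bool:
    if not _proto_ok(rule["proto"], pkt):
        return False
    forward = (_addr_ok(rule["src"], pkt.src, home_net) and _port_ok(rule["sport"], pkt.sport)
               and _addr_ok(rule["dst"], pkt.dst, home_net) and _port_ok(rule["dport"], pkt.dport))
    if rule["dir"] == "->":
        return forward
    # '<>' is bidirectional: also try the rule with src/dst swapped.
    reverse = (_addr_ok(rule["src"], pkt.dst, home_net) and _port_ok(rule["sport"], pkt.dport)
               and _addr_ok(rule["dst"], pkt.src, home_net) and _port_ok(rule["dport"], pkt.sport))
    return forward or reverse


def unlogged(rules: List[str], packets: List[Packet], home_net: Set[str]) -> List[Packet]:
    """Packets that no rule in the set would log."""
    parsed = [parse_rule(r) for r in rules]
    return [p for p in packets if not any(rule_matches(r, p, home_net) for r in parsed)]


OLD_RULES = [
    'log tcp any any <> $HOME_NET any (msg: "Unmatched TCP"; session: printable;)',
    'log udp any any <> $HOME_NET any (msg: "Unmatched UDP"; session: printable;)',
    'log icmp any any <> $HOME_NET any (msg: "Unmatched ICMP"; session: printable;)',
]
NEW_RULES = ['log ip any any <> $HOME_NET any (msg: "Snort Unmatched"; session: printable;)']

HOME_NET = {"192.168.1.10"}   # constructed honeypot address
# Constructed sample traffic: one packet per protocol involving the honeypot, plus
# one external-to-external packet that a $HOME_NET-scoped rule is not meant to log.
SAMPLE = [
    Packet(6, "10.9.8.7", "192.168.1.10", 40000, 22),
    Packet(17, "10.9.8.7", "192.168.1.10", 40001, 53),
    Packet(1, "10.9.8.7", "192.168.1.10"),
    Packet(47, "10.9.8.7", "192.168.1.10"),        # GRE tunnel
    Packet(50, "192.168.1.10", "10.9.8.7"),        # ESP, outbound from the honeypot
    Packet(41, "10.9.8.7", "192.168.1.10"),        # IPv6 encapsulated in IPv4
    Packet(89, "10.9.8.7", "192.168.1.10"),        # OSPF
    Packet(6, "10.9.8.7", "10.9.8.8", 1234, 80),   # does not touch HOME_NET
]


def gap_toward_home(rules: List[str]) -> List[int]:
    """Protocol numbers of unlogged sample packets that involve the honeypot."""
    missed = unlogged(rules, SAMPLE, HOME_NET)
    return sorted({p.proto for p in missed if HOME_NET & {p.src, p.dst}})


if __name__ == "__main__":
    print("old rules miss protocols:", gap_toward_home(OLD_RULES))
    print("log ip rule misses protocols:", gap_toward_home(NEW_RULES))
```

The old rule set leaves GRE, ESP, IPv6-in-IPv4 and OSPF toward the honeypot unlogged; the `log ip` rule leaves none of them. The external-to-external packet stays unlogged under both sets, which is the expected effect of scoping the rule to `$HOME_NET` rather than a second gap.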

As usual, it's the simple, obvious things that kick you in the butt.
I've been screwing this up for years, and Michael found it within a
month of deploying his Honeynet.  Dooh!  :-0

Lance Spitzner

