[Snort-users] Honeynet Project - Update to our snort.conf

Lance Spitzner lance at ...2024...
Fri Mar 1 12:31:48 EST 2002


The Honeynet Project has made a change to its standard
snort.conf configuration file.  The snort.conf file
posted on the Honeynet website (now updated)

   http://project.honeynet.org/papers/honeynet/snort.conf

had a flaw and could fail to log non-standard IP protocols.
Team member Michael Clark discovered this when one of his
Honeynets was compromised.  This is a problem with our
configuration of the snort.conf file and has NOTHING to do
with Snort itself.

In the past, we logged network traffic as follows:

   # Logging tcp
   log tcp any any <> $HOME_NET any (msg: "Unmatched TCP";session: printable;)

   # Logging udp
   log udp any any <> $HOME_NET any (msg: "Unmatched UDP";session: printable;)

   # Logging icmp
   log icmp any any <> $HOME_NET any (msg: "Unmatched ICMP";session: printable;)

There is a MAJOR flaw with this logging configuration, it ASSUMES
the bad guys will ONLY use TCP/UDP/ICMP.  There are MANY other IP
protocols that can and are actively being used.  As such, these
log entries have now been replaced with this single entry, which
logs ALL IP traffic.

   log ip any any <> $HOME_NET any (msg: "Snort Unmatched"; session: printable;)

As usual, its the simple, obvious things that kick you in the butt.
I've been screwing this up for years, and Michael found it within a
month of deploying his Honeynet.  Dooh!  :-0

-- 
Lance Spitzner
http://project.honeynet.org





More information about the Snort-users mailing list