[Snort-users] win2k/snort and weird output

Rommel, Florian Florian.Rommel at ...4844...
Thu Mar 7 06:29:09 EST 2002


Hi all, i run snort on all our web/sql servers that have win2k and on all of them it works fine except 2 of them.
Those 2 are running an application level cluster (in house coded) and Apache together with Resin.
they both have 2 IPs on interface 1,
the snort.conf is here at the bottom that i use.
I then use Demarc to see the alerts from the databases, and i double checked in the mysql database but code red requests do not get logged with the source Ip that they actually came from (as recorded in the access.log in apache) they get as the source IP the 1st IP of the interface and as a destination IP the second ip and that gets logged!!!
Like i said in other servers (running IIS etc) it works well and all attempts get logged withthe REAL source IP and with the destination IP it was meant for.


What to do?...

here's my snort.conf of one of the 2 servers, they are both the same except the idsname and the username/passwd ..

any help would be appreciated.

//Florian

ps: the snort.exe is the same as on all other servers.



var HOME_NET 192.168.2.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS any
var SQL_SERVERS [192.168.1.12,192.168.1.14,192.168.1.16]
var DNS_SERVERS [192.168.1.2,192.168.1.3]

preprocessor frag2
#preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 15 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS $SQL_SERVERS

output database: log, mysql, user=ids-clust1 dbname=snort host=192.168.1.55 password=XXXX sensor_name=IDS-CLUST1
output database: alert, mysql, user=ids-clust1 dbname=snort host=192.168.1.55 password=XXXX sensor_name=IDS-CLUST1

include classification.config
include bad-traffic.rules
include dos.rules
include ddos.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include backdoor.rules




More information about the Snort-users mailing list