SV: [Snort-users] Snort doesnt detect traffic.
erek at ...577...
Thu May 30 11:36:02 EDT 2002
On Thu, 30 May 2002 Magnus.M.Glantz at ...3584... wrote:
> >>var HOME_NET 192.168.135.0/24
> >>var EXTERNAL_NET !$HOME_NET
> Will that work?
> The scenario when an IP-adress that is not 192.168.135.0/24 comes into the
> net, doesnt exist. there is no routing between the private network i'm
> defending and the Internet/my other private network.
Well, Since the ASCII drawing was a bit funky (hint: Use some
non-proportional font to draw in, it converts over to other terms a lot
better), but If I read it right it's something like:
/ | \
/ | \
/ | \
/ | \
box1 box2 box3
| | |
\ | /
> What i'm afraid, is that box1, box2 or box3 get's hacked (they are conencted
> to the internet) and tries to hack my MsSQL server.. so i wanna sniff for
> known attacks, and traffic that is between box1, box2, box3 <-> mssql
> server, and does not goto the sqlport on the mssql server.
If the above diagram is correct, and I understand correctly, box[1-3] are
directly connected to the net. If those boxes attempt to connect to your
MySQL servr you want snort to trigger an alert. If all boxes are out of the
same private net address space (192.168.135.0/24) then your rule could be
alert any any any -> $SQL_SERVERS !1433 (msg:"Connect to SQL Server!"
This assumes that you've filled in $SQL_SERVERS with the IP of your MySQL box.
My rule syntax might be off a bit, I've left my 'rule book' at the office.
:-( (Corrections welcome!)
> To my knowledge, it is a 'dumb' hub. I know it's not a switch anyways.
> But maybe it got some "switch" properies that is messing up my sniffing?
If it says 10/100 autosensing Hub, then there stands a good (65%+) chance that
it's one of these 'switching hubs' mentioned in that FAQ link. To verify, try
to scrounge up a 10mbs hub and use it there instead. I know thats not a
perfect solution, but it might help.
More information about the Snort-users