[Snort-users] Help with a config file please?

snort at ...8664...
Fri Apr 4 15:23:03 EST 2003


OK, here is the output of snort -v -W (this is exactly as it appears in the
command prompt; I am not sure why interface 1 has 2 spaces before the
\Device call and interface 2 only has 1 such space).

C:\Snort\bin>snort -v -W

-*> Snort! <*-
Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
By Martin Roesch (roesch at ...1935..., www.snort.org)
1.7-WIN32 Port By Michael Davis (mike at ...92..., www.datanerds.net/~mike)
1.8-1.9 WIN32 Port By Chris Reid (chris.reid at ...3029...)

Interface       Device          Description
-------------------------------------------
1  \Device\NPF_{08C75D44-F35D-4120-84F5-F594F8590373} (Intel(R) PRO Adapter)
2 \Device\NPF_{E9AC5F02-E2A8-487B-B667-F79762A9DF92} (3Com EtherLink PCI)


Now, interface 1 is bound to IP address 1.2.3.190; that subnet has a mask
of /28. Eventually I will care about the whole subnet because
servers/services will go up on them, but right now the only active IP on
that subnet is the snort device. Now I also care about 5.6.7.0/24 because
in that subnet I have 3 IP addresses that are active (.155, .156 and
.157). I will eventually narrow the scope of HOME_NET down to
[1.2.3.190/28,5.6.7.155/32,5.6.7.156/32,5.6.7.157/32].
So that leaves interface 2 with just a connection to the hub. Interface 2
has no protocols bound to it, with the intent of having a port that just
sits there and listens to traffic. When I run snort -v -i2 I see all sorts
of stuff streaming in the window; it goes way too fast (BTW, thanks for
the info about snort following BPF like windump; I'll use that to narrow
things down this weekend).

This is all being fed from a connection to the internet via a Cisco
Aironet wireless radio (our connection to the internet is wireless). The
Ethernet port of that radio goes into a simple 5 port hub. Both of the
snort device interfaces are connected to this hub and so is the firewall
that houses the servers that are running on
5.6.7.155/32,5.6.7.156/32,5.6.7.157/32. This will change this weekend when
I put them on a Cisco switch and I will be configuring the switch to span
all ports that are active on the internet to the port that interface 2 is
connected to.

Now when I send a Syn scan from nmap on a foreign system (in other words
this is for one of our clients and I am running nmap from my office) I
eventually registered 1 of the dozen or so scans I sent the way of the
snort device. It caught nothing on the scans that I sent to 5.6.7.157.

I will post any differences I might see when I move this to the switch.


Carlos

> I guess I need to better understand the net config to which your
> interfaceless NIC is attached and the net config where the ACID console is
> attached.  Are you switched?  Have you used a tap?  How exactly is it that
> Snort can see all of the traffic?
>
> Your snort.conf specifies two net blocks as your HOME_NET (var HOME_NET
> [1.2.3.190/28,5.6.7.0/24]).  Which net block is Snort listening on?  Which
> net block contains the other IP devices you're trying to watch?
>
> You also stated "I am now able to see portscans going to the IP address of
> the snort device", but you also said that the second NIC in the Snort
> device
> is interface-less.
>
> So what other details can you give us?  It sounds like something in the
> net
> config is not matching up.
>
>
> - Christopher
>
> P.S. As an FYI, Snort understands BPF filters in the same way that WinDump
> does.
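As an added illustration that is not part of the thread: the Python below takes the HOME_NET list Carlos says he will narrow down to, normalizes each entry the way a packet filter would (1.2.3.190/28 is really the 1.2.3.176/28 block), checks which of his hosts it actually covers, and builds the equivalent BPF expression for narrowing the `snort -v -i2` output that Christopher's P.S. refers to. The HOME_NET value comes from the message above; the function names are my own.

```python
import ipaddress

# Constructed from the HOME_NET value in the message above.
HOME_NET = "[1.2.3.190/28,5.6.7.155/32,5.6.7.156/32,5.6.7.157/32]"


def parse_home_net(value):
    """Split a snort.conf style list '[a/b,c/d]' into IPv4 networks.

    strict=False lets a host address with a short mask (1.2.3.190/28)
    through, normalized to its network (1.2.3.176/28), which is what a
    packet filter actually matches on.
    """
    inner = value.strip().strip("[]")
    return [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in inner.split(",") if tok.strip()]


def misaligned(value):
    """Return the entries whose host bits are set (e.g. 1.2.3.190/28).

    These are worth double-checking in snort.conf: the prefix covers a
    different range than the address written in front of it suggests.
    """
    inner = value.strip().strip("[]")
    bad = []
    for tok in (t.strip() for t in inner.split(",") if t.strip()):
        try:
            ipaddress.ip_network(tok, strict=True)
        except ValueError:
            bad.append(tok)
    return bad


def in_home_net(ip, networks):
    """True if the address falls inside any of the parsed HOME_NET blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def to_bpf(networks):
    """Build a BPF expression equivalent to the HOME_NET list.

    Single hosts become 'host a.b.c.d', blocks become 'net a.b.c.d/len',
    joined with 'or' so it can be appended to a snort or windump command
    line to show only HOME_NET traffic.
    """
    terms = []
    for net in networks:
        if net.prefixlen == net.max_prefixlen:
            terms.append(f"host {net.network_address}")
        else:
            terms.append(f"net {net.network_address}/{net.prefixlen}")
    return " or ".join(terms)
```

Running `to_bpf(parse_home_net(HOME_NET))` yields the filter to append to the capture command; `misaligned(HOME_NET)` flags `1.2.3.190/28` as an entry written with host bits set.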
