[Snort-users] Help with a config file please?

L. Christopher Luther CLuther at ...6333...
Fri Apr 4 16:41:04 EST 2003


Let me try to translate my interpretation of your net config:  You want to
place the NIDS between the Internet connection and the firewall.  Yes?  If
so, then if you really desire a stealth NIDS, then the interface 1 (I1)
shouldn't be plugged into the promiscuous hub.  I1 should be "dropped" into
your LAN, behind the firewall.  A minor point, but one to remember down the

Actually, something just rang a bell as I'm writing this.  I have two
Sensors: one WinNT4 w/ Snort 1.9.0 and WinPCap 2.2, and one Win2K w/ Snort
1.8.7 and WinPCap 2.3.  Originally, both sensors were Snort 1.8.7, but when
I attempted to upgrade the Win2K sensor to 1.9.0, I couldn't get 1.9.0 to
alert to any traffic.  [kick, kick, kick...]  Check out this post:  


I never got an answer to my problem, hence the Win2K sensor is still at
1.8.7.  Maybe you're a victim too...  

Let us know what happens when you drop the switch in place.  

- Christopher 

-----Original Message-----
From: snort at ...8664... [mailto:snort at ...8664...]
Sent: Friday, April 04, 2003 6:22 PM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Help with a config file please?

Ok here is the output of snort -v -W (this is exactly as it appears in the
command prompt - I am not sure why interface 1 has 2 spaces before the
\Device call and interface 2 only has 1 such space).

C:\Snort\bin>snort -v -W

-*> Snort! <*-
Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
By Martin Roesch (roesch at ...1935..., www.snort.org)
1.7-WIN32 Port By Michael Davis (mike at ...92...,
1.8-1.9 WIN32 Port By Chris Reid (chris.reid at ...3029...)

Interface       Device          Description
1  \Device\NPF_{08C75D44-F35D-4120-84F5-F594F8590373} (Intel(R) PRO Adapter)
2 \Device\NPF_{E9AC5F02-E2A8-487B-B667-F79762A9DF92} (3Com EtherLink PCI)

Now - Interface 1 is bound to IP address that subnet has a mask
of /28 - Eventually I will care about the whole subnet because
servers/services will go up on them but right now the only active IP on
that subnet is the snort device. Now I also care about because
in that subnet I have 3 IP addresses that are active (.155, .156 and
.157). I will eventually narrow the scope of HOME_NET down to
So that leaves interface 2 with just a connection to the hub. Interface 2
has no protocols bound to it with the intent of having a port that just
sits there and listens to traffic. When I run snort -v -i2 I see all sorts
of stuff streaming in the window - it goes way too fast (BTW thanks for
the info about snort following BPF like windump I'll use that to narrow
things down this weekend.).

This is all being fed from a connection to the internet via a Cisco
Aironet wireless radio (our connection to the internet is wireless). The
Ethernet port of that radio goes into a simple 5 port hub. Both of the
snort device interfaces are connected to this hub and so is the firewall
that houses the servers that are running on,, This will change this weekend when
I put them on a Cisco switch and I will be configuring the switch to span
all ports that are active on the internet to the port that interface 2 is
connected to.

Now when I send a Syn scan from nmap on a foreign system (in other words
this is for one of our clients and I am running nmap from my office) I
eventually registered 1 of the dozen or so scans I sent the way of the
snort device. It caught nothing on the scans that I sent to

I will post any differences I might see when I move this to the switch.


> I guess I need to better understand the net config to which your
> interfaceless NIC is attached and the net config where the ACID console is
> attached.  Are you switched?  Have you used a tap?  How exactly is it that
> Snort can see all of the traffic?
> Your snort.conf specifies two net blocks as your HOME_NET (var HOME_NET
> [,]).  Which net block is Snort listening on?  Which
> net block contains the other IP devices you're trying to watch?
> You also stated "I am now able to see portscans going to the IP address of
> the snort device", but you also said that the second NIC in the Snort
> device
> is interface-less.
> So what other details can you give us?  It sounds like something in the
> net
> config is not matching up.
> - Christopher
> P.S. As a FYI, Snort understands BPF filters in the same way that WinDump
> does.
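The poster wondered whether the one-space versus two-space gap in the `snort -v -W` listing matters when picking `-i2`. The following is an added example, not code from the thread or from the Snort project: it parses a constructed copy of that listing (placeholder GUIDs, not the ones posted) with whitespace-tolerant matching, resolves an adapter by description, and builds the `snort -i <index>` command line with a BPF filter of the kind mentioned in the P.S. The function names and the sample listing are my own assumptions.

```python
import re
from typing import Dict, List, NamedTuple


class Iface(NamedTuple):
    index: int
    device: str
    description: str


# Constructed sample modelled on the `snort -v -W` output in the thread.
# The NPF GUIDs are placeholders, not the adapters from the original post.
SAMPLE_LISTING = """\
-*> Snort! <*-
Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)

Interface       Device          Description
1  \\Device\\NPF_{00000000-0000-0000-0000-000000000001} (Intel(R) PRO Adapter)
2 \\Device\\NPF_{00000000-0000-0000-0000-000000000002} (3Com EtherLink PCI)
"""

# One interface line: index, any run of whitespace, \Device\NPF_{guid},
# any run of whitespace, parenthesised description.  Banner/header lines
# do not start with a digit and are ignored.
_IFACE_RE = re.compile(
    r"^\s*(\d+)\s+(\\Device\\NPF_\{[0-9A-Fa-f-]+\})\s+\((.*)\)\s*$"
)


def parse_snort_w(text: str) -> Dict[int, Iface]:
    """Return {index: Iface} for every interface line in `snort -W` output."""
    ifaces: Dict[int, Iface] = {}
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            idx = int(m.group(1))
            ifaces[idx] = Iface(idx, m.group(2), m.group(3))
    return ifaces


def index_for_description(ifaces: Dict[int, Iface], needle: str) -> int:
    """Find the single interface whose description contains `needle`."""
    hits = [i for i in ifaces.values() if needle.lower() in i.description.lower()]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} adapters match {needle!r}")
    return hits[0].index


def snort_args(ifaces: Dict[int, Iface], needle: str, bpf: str) -> List[str]:
    """Build `snort -i N -v <bpf>`: Snort takes a trailing BPF like windump."""
    return ["snort", "-i", str(index_for_description(ifaces, needle)), "-v", bpf]
```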