Erek Adams erek at ...950...
Tue Jul 15 12:19:24 EDT 2003

On Tue, 15 Jul 2003, Helder Miguel Rodrigues wrote:

> Hello I have my workstation running snort with no probs.
> My workstation is directly connected to the internet via eth0!
> so I have in my config file:
> var HOME_NET $eth0_ADDRESS
> But in ACID there appear ATTACK RESPONSES 403 and my CHAT MSN messages.
> How can I prevent logging these things?
> I just want to log what came from the internet, not what goes to the
> internet.

Well, one thing that you should always do is _look_ at the rule if it's
firing and you don't think it should.

Since you didn't give the SIDs of the rules, I'll have to guess a bit.

[erek at ...6976...]/etc/snort/rules>grep -i "chat msn" *.rules
  chat.rules:alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN
  message"; flow:established; content:"MSG "; depth:4;
  content:"Content-Type\:"; content:"text/plain"; distance:1;
  classtype:misc-activity; sid:540; rev:8;)
[...others snipped...]

Now, notice that there's a bi-directional operator there?  With that rule,
if Snort sees that traffic, it's going to alert.  It doesn't care.  And if
you recall, chat.rules isn't enabled by default.

Now, let's look at the next one.

[erek at ...6976...]/etc/snort/rules>grep -i "attack responses 403" *.rules
   attack-responses.rules:alert tcp $HTTP_SERVERS $HTTP_PORTS ->
   $EXTERNAL_NET any (msg:"ATTACK RESPONSES 403 Forbidden";
   flow:from_server,established; content:"HTTP/1.1 403"; depth:12;
   classtype:attempted-recon; sid:1201; rev:6;)

Now, that's looking at traffic with a source as HTTP_SERVERS going to a
destination of EXTERNAL_NET.  Since HTTP_SERVERS is HOME_NET by default,
then it's going to alert if that traffic/pattern matches.

Snort's working just fine.  It's just not working how you thought it was
going to.

Fixes?  Sure.  Disable the rules, write pass rules, or use a BPF filter.
See the FAQ [0] on 'ignoring traffic'.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.snort.org/docs/FAQ.txt
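
Added example, not part of the original message and not Snort's own code: a small Python evaluator for the headers of the two rules quoted above, showing why each fires on a single-host setup. The workstation and remote addresses are constructed, and EXTERNAL_NET=any and HTTP_PORTS=80 are assumed values; rule options (content, flow) are not modelled.

```python
import ipaddress

# Constructed address standing in for $eth0_ADDRESS on the workstation.
HOME = "192.0.2.10"
VARS = {
    "HOME_NET": HOME,
    "EXTERNAL_NET": "any",       # assumption: left at "any"
    "HTTP_SERVERS": "$HOME_NET", # per the message: HOME_NET by default
    "HTTP_PORTS": "80",          # assumption
}
# Headers of the two rules quoted in the message (options omitted).
RULES = {
    540: "alert tcp $HOME_NET any <> $EXTERNAL_NET 1863",
    1201: "alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any",
}

def resolve(token, variables):
    """Expand $VAR references until a literal value remains."""
    while token.startswith("$"):
        token = variables[token[1:]]
    return token

def addr_ok(spec, ip):
    net = None if spec == "any" else ipaddress.ip_network(spec, strict=False)
    return net is None or ipaddress.ip_address(ip) in net

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(header, pkt, variables=VARS):
    """pkt is (src_ip, src_port, dst_ip, dst_port); True if the header matches."""
    _act, _proto, a_ip, a_port, op, b_ip, b_port = (
        resolve(t, variables) for t in header.split())

    def one_way(sip, sport, dip, dport):
        return (addr_ok(a_ip, sip) and port_ok(a_port, sport)
                and addr_ok(b_ip, dip) and port_ok(b_port, dport))

    src, sport, dst, dport = pkt
    if one_way(src, sport, dst, dport):
        return True
    # "<>" also tries the packet with source and destination swapped.
    return op == "<>" and one_way(dst, dport, src, sport)

if __name__ == "__main__":
    outbound_msn = (HOME, 40000, "203.0.113.5", 1863)   # constructed packets
    own_http_reply = (HOME, 80, "203.0.113.9", 51000)
    print(540, header_matches(RULES[540], outbound_msn))
    print(1201, header_matches(RULES[1201], own_http_reply))
```

Both packets here leave the workstation, and both headers match them, which is the behaviour the reply describes.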

