[Snort-users] Snort Config W2K

Michael Steele michaels at ...9077...
Mon Jun 2 00:22:08 EDT 2003


Steven,

I have the line below and I am logging portscans to MySQL.

preprocessor portscan: $HOME_NET 4 3 c:/IDS/Snort/log/portscan.log

For whatever reason I see that I have the line below hashed out. I'll check
that out tomorrow.

preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 3,
port_limit 5, timeout 120

Cheers...

-Michael Steele
--
 System Engineer / Security Support Technician    
 mailto:michaels at ...9077...   
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org
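The legacy portscan line quoted above has the shape `preprocessor portscan: <monitor network> <number of ports> <detection period in seconds> <log file>`, so `$HOME_NET 4 3 ...` fires when a single source touches 4 ports within 3 seconds and writes the hits to the named file. The script below is an added example, not code from this thread or from Snort itself: it replays that "N ports in T seconds" rule over a constructed portscan.log sample so you can see which thresholds a given burst trips. The line layout of the sample (timestamp, src:port -> dst:port, scan type, TCP flags) is assumed to be that of the legacy spp_portscan file, and every host and port in it is made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of a legacy spp_portscan log. The layout
# "<Mon> <day> <HH:MM:SS> <src>:<sport> -> <dst>:<dport> <type> <flags>"
# is an assumption for this example; the hosts and ports are made up.
# 10.1.1.50 hits 4 ports in 2 seconds; 10.1.1.77 hits 4 ports spread over 70 s.
SAMPLE_LOG = """\
Jun  2 00:22:08 10.1.1.50:1025 -> 10.1.1.5:21 SYN ******S*
Jun  2 00:22:08 10.1.1.50:1026 -> 10.1.1.5:22 SYN ******S*
Jun  2 00:22:09 10.1.1.50:1027 -> 10.1.1.5:23 SYN ******S*
Jun  2 00:22:10 10.1.1.50:1028 -> 10.1.1.5:25 SYN ******S*
Jun  2 00:22:30 10.1.1.77:3001 -> 10.1.1.5:80 SYN ******S*
Jun  2 00:22:45 10.1.1.77:3002 -> 10.1.1.5:443 SYN ******S*
Jun  2 00:23:10 10.1.1.77:3003 -> 10.1.1.5:8080 SYN ******S*
Jun  2 00:23:40 10.1.1.77:3004 -> 10.1.1.5:3306 SYN ******S*
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+)(?: (?P<flags>\S+))?$"
)


def parse_line(line, year=2003):
    """Parse one log line into a dict, or return None if it does not match.
    The file carries no year, so one is supplied (2003 matches the thread)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "kind": m["kind"]}


def detect_scans(lines, ports=4, seconds=3):
    """Replay the legacy preprocessor's rule: a source that touches at least
    `ports` distinct destination ports inside any window `seconds` long is a
    scanner. Returns {src: (window_start, distinct_ports_seen)} for each
    source that trips the rule, recorded the first time it does so."""
    windows = defaultdict(deque)  # src -> deque of (timestamp, dport)
    tripped = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = windows[rec["src"]]
        q.append((rec["ts"], rec["dport"]))
        # Slide the window: forget hits older than the detection period.
        # q is never empty here, and the newest entry is 0 s old, so this ends.
        while (rec["ts"] - q[0][0]).total_seconds() > seconds:
            q.popleft()
        distinct = {dport for _, dport in q}
        if len(distinct) >= ports and rec["src"] not in tripped:
            tripped[rec["src"]] = (q[0][0], len(distinct))
    return tripped


def scan_report(ports=4, seconds=3):
    """Run the rule with the given thresholds over the constructed sample."""
    return detect_scans(SAMPLE_LOG.splitlines(), ports=ports, seconds=seconds)


if __name__ == "__main__":
    for ports, seconds in ((4, 3), (4, 120)):
        hits = scan_report(ports, seconds)
        print(f"ports={ports} seconds={seconds}:",
              {src: (ts.strftime("%H:%M:%S"), n) for src, (ts, n) in hits.items()})
```

With the thread's `4 3` settings only 10.1.1.50 is reported; widening the period to 120 seconds also catches the slow scanner at 10.1.1.77. The file only has one-second timestamp resolution, so the window arithmetic is correspondingly coarse.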

-----Original Message-----
From: Steven Williams [mailto:Steven.Williams at ...4864...] 
Sent: Sunday, June 01, 2003 11:49 PM
To: 'Michael Steele'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort Config W2K

Hi Michael,

Love the site and forum, keep up the good work.

Here is my config:


preprocessor frag2

preprocessor stream4: detect_scans, disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace

preprocessor rpc_decode: 111 32771

preprocessor bo: -nobrute

preprocessor telnet_decode

preprocessor asn1_decode

preprocessor conversation: allowed_ip_protocols all, timeout 60,
max_conversations 32000

preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 3,
port_limit 5, timeout 120

output database: log, mysql, user=XXXX dbname=XXXX host=XXXXX
sensor_name=XXXXXX

output alert_syslog: LOG_AUTH LOG_ALERT

I am running this as a service using FireDaemon; the command line executed
is d:\snort\snort.exe -c d:\snort\snort.conf -l d:\snort\logs -i1

Should I add the comments to the preprocessor portscan line, and will this
then log portscans into the MySQL database?

I know the portscans are being detected because it fills my W2K Event Logs
full of notifications.

Thanks in advance

Steve

Steve Williams
Communications Support Engineer
Computershare Technology Services
Melbourne Australia
steven.williams at ...4864...
+61 3 9235 5651
www.computershare.com


-----Original Message-----
From: Michael Steele [mailto:michaels at ...9077...] 
Sent: Monday, June 02, 2003 2:15 PM
To: 'Steven Williams'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort Config W2K

Steven,

Have you got this line in your snort.conf?

preprocessor portscan: $HOME_NET 4 3 d:/IDS/Snort/log/portscan.log

Make sure the path exists.

What is your run line?

Are you running it with '-A fast'?

Have you tried running a vulnerability scanner on your network?

Have you got any data in the portscan.log file?

Cheers...

-Michael Steele
--
 System Engineer / Security Support Technician    
 mailto:michaels at ...9077...   
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Steven
Williams
Sent: Sunday, June 01, 2003 8:04 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort Config W2K

Hi,

I have Snort 2.0 running on W2K and it works great.

However, any portscans detected are logged into the event log and not the
MySQL database. All the other alerts log into MySQL fine.

What am I doing wrong?

Thanks

Steve

Steve Williams
Communications Support Engineer
Computershare Technology Services
Melbourne Australia
steven.williams at ...4864...
+61 3 9235 5651
www.computershare.com


---
This email and any files transmitted with it are solely intended for the use
of the addressee(s) and may contain information that is confidential and
privileged. If you receive this email in error, please advise us by return
email immediately. Please also disregard the contents of the email, delete
it and destroy any copies immediately.
Computershare Limited and its subsidiaries do not accept liability for the
views expressed in the email or for the consequences of any computer viruses
that may be transmitted with this email.
This email is also subject to copyright. No part of it should be reproduced,
adapted or transmitted without the written consent of the copyright owner.
