[Snort-users] (no subject)

Kaplan, Andrew H. AHKAPLAN at ...10063...
Wed Nov 5 05:31:34 EST 2003


J.

Thanks for your reply. As to the policy-based.rules file, mine is based on the
template found in the
Snort 2.0 Intrusion Detection book. The approach it uses has the alert lines at
the beginning part of
the file, with the pass rules following. According to the book, it is
appropriate to have the alerts
first, with the pass rules second. However, I will try your approach, and place
the pass rules before
the alerts and see where that gets me.

The server in question is "outside" the firewall such that traffic going to its
port, 80, goes through
a "hole" in the wall. There are switches interposed between the server and the
router. I can contact our
network security team to get more information. 

In response to your inquiry, I am using the book that I mentioned earlier.
However, I am also planning on
purchasing an additional book. My experience with this one has been mixed. I
have tried to use it as much
as possible, but I have already contacted the publisher about one mistake that I
discovered. If the rules 
file approach you suggested does work, I shall be contacting the publisher
again. I am hoping to get ano-
ther book and be able to RTFM.

Thanks again for you suggestions, and I will keep you up to date.



-----Original Message-----
From: J. [mailto:jeruvy at ...9344...]
Sent: Tuesday, November 04, 2003 9:24 AM
To: Kaplan, Andrew H.
Subject: RE: [Snort-users] (no subject)


Are you sure your rule order is the way you want it?

Most pass rules by default are looked at last, hence you would be seeing
this behaviour.

As for not seeing alerts from the internet, I'd say good great, but I
realize you may want to look at this traffic....so what hardware are you
using for your WAN access?

(I also hate to say this, but have you actually read the documentation?
These issues have been discussed and hashed so many times over the years I
am so bored with discussing them.  As well there are some great books on the
subject...)

Note hubs work, switches don't for a rule of thumb.  There are other
solutions but RTFM.

J.



> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Kaplan,
> Andrew H.
> Sent: Tuesday, November 04, 2003 6:10 AM
> To: 'snort-users at lists.sourceforge.net'
> Subject: [Snort-users] (no subject)
>
>
> When writing the policy-based.rules file I had as my first lines
> several lines
> that read as follows:
>
> alert ip any any -> [any,10.10.0.0/24] any
> alert tcp any any -> [any,10.10.0.0/24] any
> alert udp any any -> [any,10.10.0.0/24] any
>
> While these lines were uncommented, I would get an enormous
> amount of alerts
> from the 10.10.0.0 subnet even though subsequent pass rules told
> snort to let
> pass any and all ip, tcp, and udp traffic on any port. Once I
> commented out the
> lines, the alerts dropped down to 0.
>
> Do I need any alert rules at the beginning of the
> policy-based.rules file to
> specify what subnets, in this case any subnet excluding the
> 10.10.0.0 subnet,
> snort should alert me on? If so, what is the correct syntax?
>
> I did include the -o option in the command syntax. FYI syntax as follows:
> 	/usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -o
>
> The location of the policy-based.rules file is /etc/snort
>
> Also, I do not seem to be getting any alerts from traffic coming
> in from the
> Internet. Is that normal?
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive?  Does it
> help you create better code?   SHARE THE LOVE, and help us help
> YOU!  Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list