[Snort-users] Problem with Snort-inline

aravind babu aravindforsnort at ...5176...
Mon Feb 9 05:23:10 EST 2004


Hi all,
 
     I am using Snort-inline version 2.0.2(Build 92) .My snort_inline.conf is below:I started snort-inline with the options below.
 
./snort_inline -Qvc ./snort_inline.conf -l ./tmp
  
 
#
# Honeynet snort_inline configuration file
# Version 0.4
# Last modified 29 March, 2003
#
# Standard Snort configuration file modified for inline
# use.  Most preprocessors currently do not work in inline
# mode, as such they are not included.
#
### Network variables
var HONEYNET 172.30.180.0/24 
var EXTERNAL_NET any
### Ports variables
var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 1521
### Let's make sure we don't let bad packets out simply cause
### they have bad checksums.  If this is not here, packets with
### bad checksums could get out.
config checksum_mode: none

### Preprocessors
# usage guidelines:  if the plugin normalizes the packet so that the 
# detection engine can better interpret the data, the plugin can be 
# used with the snort_inline safely.  If the plugin itself makes 
# the alert decisions, then we have to modify it to drop packets.
# Many false positives
# preprocessor fnord
# Done by IPTables
# preprocessor frag2
# preprocessor portscan
# Not yet modified for snort_inline
# preprocessor stream4: detect_scans
# preprocessor stream4_reassemble
# preprocessor asn1_decode
# Enabled
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor bo: -nobrute
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
### Logging alerts of outbound attacks
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast
### If you want to log the contents of the dropped packets, remove comment
#output log_tcpdump: tcpdump.log
### Rules found in local directory
var RULE_PATH /tmp
### Include classification & reference
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules
### Disabled
# include $RULE_PATH/other-ids.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/experimental.rules
# include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
# include $RULE_PATH/attack-responses.rules
# include $RULE_PATH/scan.rules
# include $RULE_PATH/misc.rules

 
My setup is like this :
 
 
  NESSUS                 SNORT-INLINE                   TARGET MACHINE
<10.1.10.1>------<10.1.10.2    172.30.180.212>------<172.30.180.99>
 
I am running Nessus on 10.1.10.1 with all checks enabled.After starting nessus snort-inline is not detecting any packet after getting the following packet.
 
02/09-17:05:00.360000 10.1.10.1:33771 -> 172.30.180.99:69
PROTO017 TTL:63 TOS:0x0 ID:4896 IpLen:20 DgmLen:50 DF
Len: 22
 
 
I tried for 4 times but the same situation happens. Why is not detecting any thing after getting the above packet?Also packets are not logging in /tmp directory?
 
Thanks in advance,
Aravind.

Yahoo! India Education Special: Study in the UK now.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040209/800b6e41/attachment.html>


More information about the Snort-users mailing list