[Snort-users] snort alerts

Bala Ayres baayres at ...9090...
Tue Feb 17 10:27:11 EST 2004


Hi all,

I am pretty new to Snort and trying to get a grip on
how it works.

My setup is a laptop running snort 21 and an
application client connecting to a server. I think I
configured the attached snort.conf to alert and log to
MySQL any activity on port 80 (either way) and on
other ports that were listed by netstat -a.

When I start up Snort I get a signature, tcphdr etc.
written out on port 80, but as I use the application
nothing gets registered. It is possible my application
is using a different port and I am not monitoring that
port, but I'd think if I spanned all ports given by
netstat at that point in time, Snort should be able to
pick up the activity of my application. I would expect
that all application-client-related traffic would be
sent to my laptop.

Please find below the "redalert" section of my
snort.conf. The only thing that registers (is logged) is App
15.

Appreciate any help.

# x.x.x obviously have valid octets.

var HOME_NET 10.x.x.x/24

redalert tcp $HOME_NET any -> $EXTERNAL_NET 1222:1222 \
    (msg:"Application 1"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1222:1222 \
    (msg:"App 2"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 1221:1221 \
    (msg:"App 3"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1221:1221 \
    (msg:"App 4"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 3306:3306 \
    (msg:"App 5"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 3306:3306 \
    (msg:"App 6"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 1570:1570 \
    (msg:"App 7"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1570:1570 \
    (msg:"App 8"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 1615:1615 \
    (msg:"App 9"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1615:1615 \
    (msg:"App 10"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 1474:1474 \
    (msg:"App 11"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1474:1474 \
    (msg:"App 12"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 23:23 \
    (msg:"App 13"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 23:23 \
    (msg:"App 14"; flags:A+;)

redalert tcp $HOME_NET any -> $EXTERNAL_NET 80:80 \
    (msg:"App 15"; flags:A+;)
redalert tcp $EXTERNAL_NET any -> $HOME_NET 80:80 \
    (msg:"App 16"; flags:A+;)
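The rule pairs above only match a client-to-server packet on the forward rule; the "reverse" rule in each pair puts the application port on the HOME_NET side, where the client actually uses an ephemeral port, so server replies never hit it. The following added example (written for this page, not code from the post or from the Snort project) evaluates Snort 2.x rule headers against a constructed TCP exchange to make that visible. It assumes HOME_NET is 10.0.0.0/24 and that EXTERNAL_NET is defined as the complement of HOME_NET (the post does not show that definition), uses made-up client/server addresses, and ignores rule options such as flags:A+ entirely; the two "alternative" rules it adds are hypothetical, not from the post.

```python
# Added example: a minimal matcher for Snort 2.x rule *headers*
# (action proto src sport dir dst dport). Rule options (msg, flags, ...)
# are not evaluated; only the msg text is pulled out for reporting.
import ipaddress
import re

# Assumed variable definitions: HOME_NET stands in for the post's 10.x.x.x/24,
# EXTERNAL_NET is assumed to be "everything that is not HOME_NET".
VARS = {"HOME_NET": "10.0.0.0/24", "EXTERNAL_NET": "!$HOME_NET"}

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")


def resolve_net(tok):
    """Strip '!' negations and expand $VAR references; returns (negated, net)."""
    neg = False
    while tok.startswith("!"):
        neg = not neg
        tok = tok[1:]
    if tok.startswith("$"):
        inner_neg, net = resolve_net(VARS[tok[1:]])
        return neg != inner_neg, net
    return neg, tok  # "any" or a CIDR string


def ip_matches(tok, ip):
    neg, net = resolve_net(tok)
    hit = True if net == "any" else (
        ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False))
    return hit != neg


def port_matches(tok, port):
    """Handle 'any', a single port, a lo:hi range, and a leading '!'."""
    neg = tok.startswith("!")
    tok = tok.lstrip("!")
    if tok == "any":
        hit = True
    elif ":" in tok:
        lo, hi = tok.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(tok)
    return hit != neg


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule header: " + line)
    action, proto, src, sport, direction, dst, dport = m.groups()
    msg = re.search(r'msg:\s*"([^"]*)"', line)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "msg": msg.group(1) if msg else ""}


def rule_matches(rule, pkt):
    """pkt is (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, sip, sp, dip, dp = pkt
    if rule["proto"] not in (proto, "ip"):
        return False
    fwd = (ip_matches(rule["src"], sip) and port_matches(rule["sport"], sp)
           and ip_matches(rule["dst"], dip) and port_matches(rule["dport"], dp))
    if rule["dir"] == "->":
        return fwd
    # '<>' also tries the header with source and destination swapped.
    rev = (ip_matches(rule["src"], dip) and port_matches(rule["sport"], dp)
           and ip_matches(rule["dst"], sip) and port_matches(rule["dport"], sp))
    return fwd or rev


def matching_msgs(rules, pkt):
    return [r["msg"] for r in rules if rule_matches(r, pkt)]


# One rule pair copied from the post, plus two hypothetical alternatives.
POSTED = [
    'redalert tcp $HOME_NET any -> $EXTERNAL_NET 1222:1222 (msg:"Application 1"; flags:A+;)',
    'redalert tcp $EXTERNAL_NET any -> $HOME_NET 1222:1222 (msg:"App 2"; flags:A+;)',
]
ALTERNATIVES = [
    'redalert tcp $EXTERNAL_NET 1222 -> $HOME_NET any (msg:"App 2 reply"; flags:A+;)',
    'redalert tcp $HOME_NET any <> $EXTERNAL_NET 1222 (msg:"App 1222 either way"; flags:A+;)',
]

# Constructed sample exchange (assumed addresses): a client inside HOME_NET on an
# ephemeral port talks to a server on port 1222, and the server answers.
CLIENT_TO_SERVER = ("tcp", "10.0.0.5", 40321, "192.0.2.10", 1222)
SERVER_TO_CLIENT = ("tcp", "192.0.2.10", 1222, "10.0.0.5", 40321)


def demo():
    rules = [parse_rule(r) for r in POSTED + ALTERNATIVES]
    return {"client->server": matching_msgs(rules, CLIENT_TO_SERVER),
            "server->client": matching_msgs(rules, SERVER_TO_CLIENT)}


if __name__ == "__main__":
    for direction, msgs in demo().items():
        print(direction, msgs)
```

Run as-is, the posted "App 2" header never fires for the server's reply, because the reply carries 1222 as its source port and the client's ephemeral port as its destination; the reply is caught either by a rule with the port on the EXTERNAL_NET side or by a single bidirectional `<>` rule. A real Snort would additionally apply `flags:A+`, so the first SYN of the connection would still be skipped, and Snort 2.x rules are normally given a `sid` as well.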



