[Snort-users] (no subject)

Turnquist,Wayne WayneTurnquist at ...12076...
Fri Jul 9 12:14:06 EDT 2004


To give some details, we connect to the internet by connecting to the corp. data center along with a bunch of other hospitals. Since security is becoming more of a problem because of all the Viruses/Trojan horses, I decided we need to tighten our side up even tho corp. has firewalls and other security process.

So I want to get snort up and running and to watch for the basic attacks. I don't what to have to constantly twitch the rules because I don't have much time since  I'm a one man shop hear at the hospital. Would the standard rules and the options for the rules that come with the installation of snort be good enough or should I turn on some other rules that are disabled in the standard install.

right now I have the router to corp---->hub---->switch, where I have snort and ntop installed in the hub on 2 different pc's

I have a windows 2000 pro with all the updates
I installed snort 2.1.3 and winpcap 3.0

on another win2000 pro I have kiwi syslog running

I'm using the installed rules and conf except for the following changes to the installed conf

var HOME_NET[10.110.96.0/24,10.110.97.0/24,10.110.99.0/24,10.110.100.0/23,10.110.102.0/24,10.110.106.0/24,10.1.1.0/24]

var DNS_SERVERS [10.110.101.231/32,10.110.101.233/32]
var SMTP_SERVERS [10.110.101.233/32]
var SNMP_SERVERS [10.110.99.2/32,10.110.99.4/32]
var RULE_PATH d:\ids\snort\rules
output log_tcpdump: tcpdump.log
output alert_syslog: host=10.110.99.4:514, LOG_AUTH LOG_ALERT


I issue the following command at the d:\ids\snor\bin dir
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -i 1 -d not host 10.250.24.25

it does create the alert.ids and the tcpdump file.
but I'm not getting any syslog msg to the machine running kiwi syslog. I do have another device on the network sending msys to the syslog. so I know it can receive msg's

1)what is going wrong
2)assuming I get this to work, can I have syslog msg's sent to 2 different pc at the same time
--------------------------------------------------------------

The next question.

I want to get up and running quickly.  In case of point the not host 10.250.24.25 is a solarwinds at the main corp. data center monitoring some equipment in our network.  This seems to work but there is other equipment at corp. that I trust and for now I would like to trust fully and be more restrictive on these machine in the future. So my question is, how can I add, lets say 5 devices from corp. from not generating alerts?

do I create file lets say it is called ty.txt
not host x
not host y
not host z
not host g
not host k

then use the following
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -I 1 -d -f  "c:\ty.txt"

if this is not correct, can some one tell me how to do it correctly


Another issue I noticed while playing around, is that my SNMP severs are generating alerts when they probe the router which is 10.110.101.254 even tho I used the var to declare my snmp pc's. Do I need to added this ip number to the not host file as state above. If not, what am I'm doing wrong


thank you
wt












More information about the Snort-users mailing list