[Snort-users] (no subject)
WayneTurnquist at ...12076...
Fri Jul 9 12:14:06 EDT 2004
To give some details, we connect to the internet by connecting to the corp. data center along with a bunch of other hospitals. Since security is becoming more of a problem because of all the Viruses/Trojan horses, I decided we need to tighten our side up even tho corp. has firewalls and other security process.
So I want to get snort up and running and to watch for the basic attacks. I don't what to have to constantly twitch the rules because I don't have much time since I'm a one man shop hear at the hospital. Would the standard rules and the options for the rules that come with the installation of snort be good enough or should I turn on some other rules that are disabled in the standard install.
right now I have the router to corp---->hub---->switch, where I have snort and ntop installed in the hub on 2 different pc's
I have a windows 2000 pro with all the updates
I installed snort 2.1.3 and winpcap 3.0
on another win2000 pro I have kiwi syslog running
I'm using the installed rules and conf except for the following changes to the installed conf
var DNS_SERVERS [10.110.101.231/32,10.110.101.233/32]
var SMTP_SERVERS [10.110.101.233/32]
var SNMP_SERVERS [10.110.99.2/32,10.110.99.4/32]
var RULE_PATH d:\ids\snort\rules
output log_tcpdump: tcpdump.log
output alert_syslog: host=10.110.99.4:514, LOG_AUTH LOG_ALERT
I issue the following command at the d:\ids\snor\bin dir
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -i 1 -d not host 10.250.24.25
it does create the alert.ids and the tcpdump file.
but I'm not getting any syslog msg to the machine running kiwi syslog. I do have another device on the network sending msys to the syslog. so I know it can receive msg's
1)what is going wrong
2)assuming I get this to work, can I have syslog msg's sent to 2 different pc at the same time
The next question.
I want to get up and running quickly. In case of point the not host 10.250.24.25 is a solarwinds at the main corp. data center monitoring some equipment in our network. This seems to work but there is other equipment at corp. that I trust and for now I would like to trust fully and be more restrictive on these machine in the future. So my question is, how can I add, lets say 5 devices from corp. from not generating alerts?
do I create file lets say it is called ty.txt
not host x
not host y
not host z
not host g
not host k
then use the following
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -I 1 -d -f "c:\ty.txt"
if this is not correct, can some one tell me how to do it correctly
Another issue I noticed while playing around, is that my SNMP severs are generating alerts when they probe the router which is 10.110.101.254 even tho I used the var to declare my snmp pc's. Do I need to added this ip number to the not host file as state above. If not, what am I'm doing wrong
More information about the Snort-users