[Snort-users] (no subject)

Turnquist,Wayne WayneTurnquist at ...12076...
Fri Jul 9 12:14:06 EDT 2004

To give some details, we connect to the internet by connecting to the corp. data center along with a bunch of other hospitals. Since security is becoming more of a problem because of all the Viruses/Trojan horses, I decided we need to tighten our side up even tho corp. has firewalls and other security process.

So I want to get snort up and running and to watch for the basic attacks. I don't what to have to constantly twitch the rules because I don't have much time since  I'm a one man shop hear at the hospital. Would the standard rules and the options for the rules that come with the installation of snort be good enough or should I turn on some other rules that are disabled in the standard install.

right now I have the router to corp---->hub---->switch, where I have snort and ntop installed in the hub on 2 different pc's

I have a windows 2000 pro with all the updates
I installed snort 2.1.3 and winpcap 3.0

on another win2000 pro I have kiwi syslog running

I'm using the installed rules and conf except for the following changes to the installed conf

var HOME_NET[,,,,,,]

var RULE_PATH d:\ids\snort\rules
output log_tcpdump: tcpdump.log
output alert_syslog: host=, LOG_AUTH LOG_ALERT

I issue the following command at the d:\ids\snor\bin dir
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -i 1 -d not host

it does create the alert.ids and the tcpdump file.
but I'm not getting any syslog msg to the machine running kiwi syslog. I do have another device on the network sending msys to the syslog. so I know it can receive msg's

1)what is going wrong
2)assuming I get this to work, can I have syslog msg's sent to 2 different pc at the same time

The next question.

I want to get up and running quickly.  In case of point the not host is a solarwinds at the main corp. data center monitoring some equipment in our network.  This seems to work but there is other equipment at corp. that I trust and for now I would like to trust fully and be more restrictive on these machine in the future. So my question is, how can I add, lets say 5 devices from corp. from not generating alerts?

do I create file lets say it is called ty.txt
not host x
not host y
not host z
not host g
not host k

then use the following
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -I 1 -d -f  "c:\ty.txt"

if this is not correct, can some one tell me how to do it correctly

Another issue I noticed while playing around, is that my SNMP severs are generating alerts when they probe the router which is even tho I used the var to declare my snmp pc's. Do I need to added this ip number to the not host file as state above. If not, what am I'm doing wrong

thank you

More information about the Snort-users mailing list