[Snort-users] (no subject)
patrick.harper at ...11593...
Fri Jul 9 12:48:06 EDT 2004
They have several spyware (and other) rules at www.bleedingsnort.com
From: Turnquist,Wayne [mailto:WayneTurnquist at ...12076...]
Sent: Friday, July 09, 2004 2:14 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] (no subject)
To give some details, we connect to the internet by connecting to the corp. data center along with a bunch of other hospitals. Since security is becoming more of a problem because of all the viruses/Trojan horses, I decided we need to tighten our side up even though corp. has firewalls and other security processes.
So I want to get snort up and running and to watch for the basic attacks. I don't want to have to constantly tweak the rules because I don't have much time, since I'm a one-man shop here at the hospital. Would the standard rules and the options for the rules that come with the installation of snort be good enough, or should I turn on some other rules that are disabled in the standard install?
Right now I have the router to corp---->hub---->switch, where I have snort and ntop installed in the hub on 2 different PCs.
I have a Windows 2000 Pro machine with all the updates, on which I installed snort 2.1.3 and winpcap 3.0.
On another Win2000 Pro I have kiwi syslog running.
I'm using the installed rules and conf except for the following changes to the installed conf:
var DNS_SERVERS [10.110.101.231/32,10.110.101.233/32]
var SMTP_SERVERS [10.110.101.233/32]
var SNMP_SERVERS [10.110.99.2/32,10.110.99.4/32]
var RULE_PATH d:\ids\snort\rules
output log_tcpdump: tcpdump.log
output alert_syslog: host=10.110.99.4:514, LOG_AUTH LOG_ALERT
I issue the following command at the d:\ids\snor\bin dir:
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -i 1 -d not host 10.250.24.25
It does create the alert.ids and the tcpdump file,
but I'm not getting any syslog messages on the machine running kiwi syslog. I do have another device on the network sending messages to the syslog, so I know it can receive messages.
1) What is going wrong?
2) Assuming I get this to work, can I have syslog messages sent to 2 different PCs at the same time?
The next question.
I want to get up and running quickly. Case in point: the not host 10.250.24.25 is a solarwinds at the main corp. data center monitoring some equipment in our network. This seems to work, but there is other equipment at corp. that I trust, and for now I would like to trust it fully and be more restrictive on these machines in the future. So my question is, how can I keep, let's say, 5 devices from corp. from generating alerts?
Do I create a file, let's say it is called ty.txt, containing
not host x not host y not host z not host g not host k
then use the following
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -I 1 -d -f "c:\ty.txt"
If this is not correct, can someone tell me how to do it correctly?
Another issue I noticed while playing around is that my SNMP servers are generating alerts when they probe the router, which is 10.110.101.254, even though I used the var to declare my SNMP PCs. Do I need to add this IP number to the not host file as stated above? If not, what am I doing wrong?
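An added example, not part of the original thread: Snort's -F option reads a BPF filter from a file, and this sketch builds the contents of such a file from a validated list of trusted hosts. The 192.0.2.x addresses and all function names are assumptions made for illustration; only 10.250.24.25 and 10.110.101.254 come from the message.

```python
import ipaddress

# Constructed sample list. 10.250.24.25 is the monitoring host named in the
# message; the 192.0.2.x addresses are placeholders for other corp. devices.
TRUSTED_HOSTS = """
10.250.24.25
192.0.2.10
192.0.2.11
# duplicates, comments and blank lines are ignored
10.250.24.25
"""


def parse_hosts(text):
    """Validate each entry as a single IP address; reject typos and ranges."""
    hosts = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        addr = ipaddress.ip_address(entry)  # ValueError on anything malformed
        if addr not in hosts:
            hosts.append(addr)
    if not hosts:
        raise ValueError("empty host list: refusing to build a filter")
    return hosts


def build_filter(hosts):
    """One negated group with explicit 'or', so the whole set is excluded."""
    return "not (" + " or ".join(f"host {h}" for h in hosts) + ")"


def sensor_sees(src, dst, hosts):
    """Model the filter: a packet is dropped before Snort if either end is trusted.

    This is the cost of a capture filter: traffic touching a trusted host is
    neither alerted on nor written to tcpdump.log.
    """
    ends = {ipaddress.ip_address(src), ipaddress.ip_address(dst)}
    return ends.isdisjoint(hosts)


if __name__ == "__main__":
    hosts = parse_hosts(TRUSTED_HOSTS)
    print(build_filter(hosts))  # contents for the filter file passed to -F
    print(sensor_sees("10.250.24.25", "10.110.101.254", hosts))
```

Because the filter is applied at capture time, every address on the list is a blind spot for the sensor, so the list is worth keeping short and reviewing as the trusted set changes.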