[Snort-users] snort not catching all hosts

Koski, Brian bkoski at ...11988...
Wed Jul 14 09:08:56 EDT 2004


Problem: Snort does not capture events to one of my servers, both in
HOME_NET and also added as variables in DMZ_SERVERS; it used to log
events to target 172.16.3.14; however I see attempts in the URL logs and
recently had a hack attempt I just happened to notice via other means
(snort was silent on this). Any ideas? Do I need some custom rules?

I am currently running Snort 2.1.3 on XP (started with Snort 2.0.1). I
am capturing traffic that gets past firewall to the DMZ hosts, which are
defined in config:

var HOME_NET [172.16.3.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS [172.16.3.13,172.16.3.14]
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var DMZ_SERVERS [172.16.3.10,172.16.3.13,172.16.3.14]
var RULE_PATH ../rules

---
Some history - snort had stopped logging altogether a while back until I
upgraded to 2.1.1, but I notice since then I only get alerts to
172.16.3.13 and no longer for host .14. BTW, I got the interface off the
Cisco switch a while ago because there were 'issues'.



City of Citrus Heights
This e-mail message contains information belonging to the City of Citrus Heights, which may be privileged, confidential and/or protected from disclosure.  The information is intended only for use of the individual or entity named.  Unauthorized dissemination, distribution, or copying is strictly prohibited. If you received this email in error, or are not an intended recipient, please notify the sender immediately. Thank you for your cooperation.
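When a single host in a sensor's scope goes quiet, the first thing to verify is that the host really falls inside every `var` the rules key on, after `$REF` references and `!` negation are expanded. The following script is an added example (not part of the post, not Snort code): it parses a constructed copy of the `var` block above with Python's standard `ipaddress` module, expands references, and reports which address-type variables cover a given host. The `resolve`, `covers` and `check_host` names are this example's own; the parser assumes the Snort 2.x `var NAME VALUE` syntax shown in the post and does not handle `!` on individual items inside a bracketed list.

```python
"""Resolve Snort 2.x 'var' definitions and check which ones cover a host."""
import ipaddress
import re

# Constructed sample: the var block from the post (AIM_SERVERS shortened and re-joined).
SNORT_VARS = """\
var HOME_NET [172.16.3.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS [172.16.3.13,172.16.3.14]
var SQL_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24]
var DMZ_SERVERS [172.16.3.10,172.16.3.13,172.16.3.14]
var RULE_PATH ../rules
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")


def parse_vars(text):
    """Return {NAME: raw value} for every 'var NAME VALUE' line."""
    variables = {}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def resolve(name, variables, _chain=()):
    """Expand an address variable to (list of ip_network objects, negated).

    Handles '[a,b,c]' lists, '$REF' references (also as list items) and a
    leading '!' negation.  Raises ValueError for non-address values such as
    port numbers or paths, for circular references, and for a negated
    reference used as one item of a longer list (assumption: not needed here).
    """
    if name in _chain:
        raise ValueError("circular reference: " + " -> ".join(_chain + (name,)))
    value = variables[name]
    negated = value.startswith("!")
    if negated:
        value = value[1:]
    items = [i.strip() for i in value.strip("[]").split(",") if i.strip()]
    networks = []
    for item in items:
        if item.startswith("$"):
            nets, inner_neg = resolve(item[1:], variables, _chain + (name,))
            if inner_neg:
                if len(items) == 1:
                    negated = not negated  # '!$X' where X is itself negated
                else:
                    raise ValueError(f"negated reference inside list {name} not supported")
            networks.extend(nets)
        else:
            # strict=False tolerates host bits set (e.g. 64.12.26.14/24), as Snort does.
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks, negated


def covers(name, host, variables):
    """True if `host` falls inside address variable `name` after negation."""
    addr = ipaddress.ip_address(host)
    networks, negated = resolve(name, variables)
    inside = any(addr in net for net in networks)
    return inside != negated


def check_host(host, variables):
    """Map every address-type variable to whether it covers `host`.

    Variables that do not resolve to addresses (ports, paths) are skipped.
    """
    report = {}
    for name in variables:
        try:
            report[name] = covers(name, host, variables)
        except ValueError:
            pass
    return report


if __name__ == "__main__":
    v = parse_vars(SNORT_VARS)
    for host in ("172.16.3.13", "172.16.3.14"):
        print(host, check_host(host, v))
```

For the config in the post, `.14` resolves as inside HOME_NET, HTTP_SERVERS and DMZ_SERVERS and outside EXTERNAL_NET, so the variables themselves are not the gap. One consequence of `EXTERNAL_NET !$HOME_NET` worth keeping in mind when reading such a report: a rule written as `$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS` cannot match traffic whose source is another HOME_NET address, so attempts originating inside 172.16.3.0/24 will never alert regardless of how the target variables are set.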