[Snort-users] Re: Snort and acid prob!!! Acid not running :(

patrick at ...4250... patrick at ...4250...
Wed Jul 14 14:06:22 EDT 2004


Yes, because of your network configuration you will only see alerts
destined for your snort box or broadcast traffic.  This is a function of
your network gear, not snort.  You are on unmanaged switches so you cannot
set a span or monitor port.  You can use a tap or a hub inline, or get a
managed switch.  If you have a network engineer around they may be able to
help you.

Also, you need 192.168.1.0/24 for your HOME_NET, not 192.168.1.0/255.
Here is a CIDR cheatsheet:
http://www.oav.net/mirrors/cidr.html

To understand the difference, check out something like
http://www.duxcw.com/faq/network/hubsw.htm



> hi...I installed CIS and tried entering the snort server host
> name....it generated 100 % TCP and 83 alerts.....is that working
> fine....what do I have to do with those alerts? I mean what is the use
> of getting as huge as 83 alerts?? Will they be generated only when
> somebody tries to access my snort box??
>
>
> On Wed, 14 Jul 2004 17:08:35 +0530, Aparna Mangla
> <aparna.mangla at ...11827...> wrote:
>> also tell me, in the snort.conf file,
>> i wrote
>> 192.168.1.0/255
>> is it correct? it will check the hosts from 192.168.1.0 to
>> 192.168.1.255 ip addresses?
>>
>> On Wed, 14 Jul 2004 06:14:17 -0500, Patrick S. Harper
>>
>>
>> <patrick at ...4250...> wrote:
>> > Then you are not going to get what you want.  You will only see
>> > broadcast traffic and traffic destined for that port on the switch.
>> > Try CIS, it works under windows and is easier if you do not know
>> > Nessus.  Read up on the nature of switches and you will see what I
>> > mean.  You can use a tap to make it more effective.
>> >
>> > Patrick S. Harper | CISSP RHCT MCSE
>> > www.internetsecurityguru.com
>> >
>> > www.ntsug.org - Snort Users Group
>> >
>> > "If there is no light at the end of the tunnel, get down there and
>> light the
>> > damn thing yourself!"
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: Aparna Mangla [mailto:aparna.mangla at ...11827...]
>> > Sent: Wednesday, July 14, 2004 6:07 AM
>> > To: Patrick S. Harper
>> > Subject: Re: Snort and acid prob!!! Acid not running :(
>> >
>> > what do you mean by spanning a port? please elaborate.  the switches
>> > we use are self managed switches. they carry no ip addresses. I'm
>> > trying to figure out nessus....
>> > Aparna Mangla
>> >
>> > On Wed, 14 Jul 2004 06:06:23 -0500, Patrick S. Harper
>> > <patrick at ...4250...> wrote:
>> > > You are on a switch, so due to the nature of switched networking,
>> > > you will only see traffic destined for the switch port the snort box
>> > > is on.  Can you span a port?  Is it all one vlan or are they
>> > > unmanaged switches?  Did you try scanning it (the IP of the snort
>> > > box) with one of the tools I mentioned?
>> > >
>> > > Patrick S. Harper | CISSP RHCT MCSE
>> > > www.internetsecurityguru.com
>> > >
>> > > www.ntsug.org - Snort Users Group
>> > >
>> > > "If there is no light at the end of the tunnel, get down there and
>> > > light the damn thing yourself!"
>> > >
>> > >
>> > >
>> > > -----Original Message-----
>> > > From: Aparna Mangla [mailto:aparna.mangla at ...11827...]
>> > > Sent: Wednesday, July 14, 2004 5:57 AM
>> > > To: Patrick S. Harper
>> > > Subject: Re: Snort and acid prob!!! Acid not running :(
>> > >
>> > > well... we have one router and 4 switches....i have snort installed
>> > > on my linux box (one among the 50 PCs) and we don't use proxies
>> > > here. all the machines are directly connected.
>> > > hope i gave the right information..
>> > > Now what? :(
>> > > Aparna Mangla
>> > >
>> > > On Wed, 14 Jul 2004 05:52:21 -0500, Patrick S. Harper
>> > > <patrick at ...4250...> wrote:
>> > > > Where is the IDS placed?  Is it on a switch?  If it is, do you
>> > > > have the sniffing interface on a span port?  Were any of the 471
>> > > > packets something that would trigger an alert?  Nope, because it
>> > > > says ALERTS: 0.
>> > > >
>> > > > Download Nessus (www.nessus.org) or CIS
>> > > > (http://www.cerberus-infosec.co.uk/CIS-5.0.02.zip) and scan the
>> > > > interface on the snort box you are sniffing on to test it first to
>> > > > see if you have a problem with placement. I am betting you are on
>> > > > a switch and only seeing broadcast traffic.
>> > > >
>> > > > If you can see the ACID interface then it is running, snort is
>> > > > starting so mysql is running, if you have your output line correct
>> > > > in your snort.conf and your acid_conf.php database lines correct
>> > > > then it is just a matter of your box not seeing any traffic.
>> > > > Where exactly do you have this placed in relation to your 50 PC's?
>> > > >
>> > > > Hope this helps
>> > > >
>> > > > Patrick S. Harper | CISSP RHCT MCSE
>> > > > www.internetsecurityguru.com
>> > > >
>> > > > www.ntsug.org - Snort Users Group
>> > > >
>> > > > "If there is no light at the end of the tunnel, get down there and
>> > > > light the damn thing yourself!"
>> > > >
>> > > >
>> > > >
>> > > > -----Original Message-----
>> > > > From: Aparna Mangla [mailto:aparna.mangla at ...11827...]
>> > > > Sent: Wednesday, July 14, 2004 5:12 AM
>> > > > To: Patrick S. Harper; nwoliver at ...4250...;
>> > > > snort-users at lists.sourceforge.net
>> > > > Subject: Snort and acid prob!!! Acid not running :(
>> > > >
>> > > > hi
>> > > > plz help me urgently.
>> > > >
>> > > > I have installed snort-2.0.2 with acid 0.9.6b23 on redhat 9. I
>> > > > think i followed all the steps correctly. and when i run :
>> > > > snort -c /etc/snort/snort.conf
>> > > > i get the following output at the end:
>> > > >
>> > > > ===============================================================================
>> > > > Snort analyzed 471 out of 471 packets, dropping 0(0.000%) packets
>> > > >
>> > > > Breakdown by protocol:                Action Stats:
>> > > >     TCP: 29         (6.157%)          ALERTS: 0
>> > > >     UDP: 208        (44.161%)         LOGGED: 0
>> > > >    ICMP: 89         (18.896%)         PASSED: 0
>> > > >     ARP: 90         (19.108%)
>> > > >   EAPOL: 0          (0.000%)
>> > > >    IPv6: 0          (0.000%)
>> > > >     IPX: 0          (0.000%)
>> > > >   OTHER: 55         (11.677%)
>> > > > DISCARD: 0          (0.000%)
>> > > > ===============================================================================
>> > > > Wireless Stats:
>> > > > Breakdown by type:
>> > > >     Management Packets: 0          (0.000%)
>> > > >     Control Packets:    0          (0.000%)
>> > > >     Data Packets:       0          (0.000%)
>> > > > ===============================================================================
>> > > > Fragmentation Stats:
>> > > > Fragmented IP Packets: 0          (0.000%)
>> > > >     Fragment Trackers: 0
>> > > >    Rebuilt IP Packets: 0
>> > > >    Frag elements used: 0
>> > > > Discarded(incomplete): 0
>> > > >    Discarded(timeout): 0
>> > > >   Frag2 memory faults: 0
>> > > > ===============================================================================
>> > > > TCP Stream Reassembly Stats:
>> > > >         TCP Packets Used: 29         (6.157%)
>> > > >          Stream Trackers: 9
>> > > >           Stream flushes: 0
>> > > >            Segments used: 0
>> > > >    Stream4 Memory Faults: 0
>> > > > ===============================================================================
>> > > > database: Closing connection to database "snort"
>> > > > Snort exiting
>> > > >
>> > > > Now...when i start the httpd interface, i get 0 alerts, 0 sensors,
>> > > > 0 % UDP, 0% TCP.....as though it is inactive.
>> > > > I am connected on LAN of 50 PCs.
>> > > > Please tell me how to correct it.
>> > > > Hoping for an urgent reply.
>> > > > Thanking you
>> > > > Aparna Mangla
>> > > >
>> > > > ---
>> > > > Incoming mail is certified Virus Free.
>> > > > Checked by AVG anti-virus system (http://www.grisoft.com).
>> > > > Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
>> > > >
>> > > > ---
>> > > > Outgoing mail is certified Virus Free.
>> > > > Checked by AVG anti-virus system (http://www.grisoft.com).
>> > > > Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
>> > > >
>> > > >
>> > >
>> >
>>
>
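A small HOME_NET checker added here to illustrate the CIDR point in the reply above; it is an added example, not code from the list, from Snort, or from any of the posters. It parses a Snort-style HOME_NET value, rejects the 192.168.1.0/255 form with an explanation, and reports the host range a prefix actually covers. The bracket-list and `!` exclusion handling is a simplified assumption, not Snort's own parser.

```python
import ipaddress

def parse_home_net(value):
    """Parse a Snort-style HOME_NET value into (included, excluded) networks.

    Handles "any", a single CIDR, or a bracketed comma list such as
    "[192.168.1.0/24,!192.168.1.1/32]".  The bracket/'!' handling is a
    simplified assumption, not Snort's own parser.
    """
    v = value.strip()
    if v.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], []
    if v.startswith("[") and v.endswith("]"):
        v = v[1:-1]
    included, excluded = [], []
    for item in (s.strip() for s in v.split(",")):
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if "/" in item:
            prefix = item.split("/", 1)[1]
            # The mistake from the thread: "/255" reads like "last host .255",
            # but the number after '/' is a count of fixed leading bits (0-32).
            if prefix.isdigit() and int(prefix) > 32:
                raise ValueError(
                    f"{item}: /{prefix} is not a prefix length; "
                    "192.168.1.0 to 192.168.1.255 is written 192.168.1.0/24")
        # strict=False tolerates host bits set, e.g. 192.168.1.1/24
        net = ipaddress.ip_network(item, strict=False)
        (excluded if negated else included).append(net)
    return included, excluded

def host_range(net):
    """First address, last address and size: a quick sanity check of a prefix."""
    return str(net.network_address), str(net.broadcast_address), net.num_addresses

def in_home_net(ip, value):
    """True if ip falls inside HOME_NET (included networks minus exclusions)."""
    included, excluded = parse_home_net(value)
    a = ipaddress.ip_address(ip)
    return any(a in n for n in included) and not any(a in n for n in excluded)

if __name__ == "__main__":
    for candidate in ("192.168.1.0/24", "192.168.1.0/255"):
        try:
            for n in parse_home_net(candidate)[0]:
                print(candidate, "->", host_range(n))
        except ValueError as e:
            print("rejected:", e)
```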