[Snort-users] Alerts generated by hosts on which snort is running

Russ Starr russ.starr at ...11827...
Wed Sep 14 21:37:16 EDT 2005


It sounds like you are using NAT/PAT on your external interface going
to the Internet... am I right?  If this is the case, it may look like
connections are coming from your firewall when they are really
originating from internal hosts.  When you are running snort on eth1,
it can only see addresses that a node on that segment can see.  In
your case, anything sitting out on eth1 doesn't know about your
internal addressing scheme.  So, they only see the identity of your
external IP address, which in Linux terms is "masquerading" itself as
your public IP.

You might consider running an instance of snort for each network
interface.  This allows you to define different "policies" on each
segment.  A policy in this case means which rules you are paying
attention to for a given interface.  You may also choose to ignore a
number of rules because they create false positives in your
environment.

And yes, you should use BASE instead of ACID.

Good luck,

-Russ

On 9/14/05, Briggs, Bruce <Bruce.Briggs at ...13183...> wrote:
> Are you sure that the eth1/snort interface being checked is the WAN port???
> Sounds like maybe not.
> 
> Also, check out BASE instead of ACID.
> ACID is no longer being improved, while BASE is a fork of ACID and is
> being improved.
> http://sourceforge.net/projects/secureideas/
> 
> Bruce.
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Marcin
> Sura
> Sent: Wednesday, September 14, 2005 6:25 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Alerts generated by hosts on which snort is
> running
> 
> Hi
> 
>   At the beginning, a little description of my situation. I have a Linux
>   box with two interfaces. Eth0 - LAN, eth1 - WAN. I want snort to
>   watch attacks only from the WAN.
> 
>   I set up snort with definitions like below (in snort.conf):
> 
>   var HOME_NET 83.17.xxx.xxx/30    # (my public subnetwork: my ip, ip
>   of DSL modem, network address and broadcast)
> 
>   var EXTERNAL_NET !$HOME_NET
> 
>   var SMTP_SERVERS 83.17.xxx.xxx
>   var HTTP_SERVERS 83.17.xxx.xxx
>   ...
>   (the rest of the conf file is, I think, default, without any strange
>   modifications)
> 
>   I start snort to listen on eth1.
> 
>   The problem is that when I'm inspecting ACID I see my own server as
>   a source of many "attacks", port scans, etc. Destinations of "these"
>   attacks are often normal www sites, which LAN users visit every day.
> 
>   And this is my problem. How do I set up these variables so my snort
>   will detect only real attacks? FROM the internet to my server, NOT from
>   my server to the internet :)
> 
> --
> Regards
> Marcin, slacklist at ...9735...
> 
> 
> 
> 
> -------------------------------------------------------
> SF.Net email is sponsored by:
> Tame your development challenges with Apache's Geronimo App Server.
> Download
> it for free - -and be entered to win a 42" plasma tv or your very own
> Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
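The effect Russ describes (LAN-originated connections collapsing onto the firewall's public address once they are masqueraded, so that rules written as $HOME_NET -> $EXTERNAL_NET fire with the server as the "attacker") can be seen in a small simulation. The following is an added example, not code from the thread and not Snort's own rule engine: it models only the source/destination test of a rule header against HOME_NET and EXTERNAL_NET, with the same variable definitions Marcin posted. The public /30 (83.17.0.0/30), the firewall address 83.17.0.1 and the internal 192.168.1.0/24 range are constructed stand-ins, since the original masks the real octets.

```python
"""
Constructed demonstration (added example, not from the thread or from Snort):
how $HOME_NET / $EXTERNAL_NET classify a packet's direction, and why a
masquerading firewall makes LAN traffic look like it originates from the
firewall's own public IP when the sensor listens on the WAN side (eth1).
"""
import ipaddress
from dataclasses import dataclass

# snort.conf variables from the original post; octets are constructed placeholders
# because the post masks them as 83.17.xxx.xxx.
HOME_NET = ipaddress.ip_network("83.17.0.0/30")          # var HOME_NET 83.17.xxx.xxx/30
FIREWALL_PUBLIC_IP = ipaddress.ip_address("83.17.0.1")   # the server's own public address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")         # assumed eth0 (LAN) addressing


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


def in_home_net(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def in_external_net(ip: str) -> bool:
    # var EXTERNAL_NET !$HOME_NET
    return not in_home_net(ip)


def masquerade(pkt: Packet, public_ip=FIREWALL_PUBLIC_IP) -> Packet:
    """What eth1 sees after SNAT/masquerading: a LAN source address is rewritten
    to the firewall's public IP; anything not from the LAN passes unchanged."""
    if ipaddress.ip_address(pkt.src) in LAN_NET:
        return Packet(str(public_ip), pkt.dst, pkt.proto)
    return pkt


# Only the direction part of a rule header is modelled here. Real Snort rules also
# check ports, payload content, and the <> bidirectional operator.
VAR_CHECKS = {
    "HOME_NET": in_home_net,
    "EXTERNAL_NET": in_external_net,
    "any": lambda ip: True,
}

RULE_DIRECTIONS = {
    # rule header shape:            alert tcp $src any -> $dst any
    "inbound_only": ("EXTERNAL_NET", "HOME_NET"),
    "outbound_only": ("HOME_NET", "EXTERNAL_NET"),
}


def matches(pkt: Packet, src_var: str, dst_var: str) -> bool:
    return VAR_CHECKS[src_var](pkt.src) and VAR_CHECKS[dst_var](pkt.dst)


def classify(pkt: Packet) -> list:
    """Names of the rule directions that would fire on a packet as eth1 sees it."""
    seen = masquerade(pkt)
    return sorted(name for name, (s, d) in RULE_DIRECTIONS.items() if matches(seen, s, d))


def apparent_sources(packets) -> dict:
    """Tally the source address eth1 reports for each packet. Every LAN client
    collapses onto the firewall's public IP, which is why the server itself
    appears as the source of the LAN users' web traffic in ACID/BASE."""
    tally = {}
    for p in packets:
        src = masquerade(p).src
        tally[src] = tally.get(src, 0) + 1
    return tally


if __name__ == "__main__":
    # Constructed sample traffic: two LAN browsers and one host on the Internet
    # talking to the server.
    sample = [
        Packet("192.168.1.50", "203.0.113.10"),   # LAN user browsing a web site
        Packet("192.168.1.51", "203.0.113.10"),   # another LAN user, same site
        Packet("198.51.100.7", "83.17.0.1"),      # Internet host connecting to the server
    ]
    for p in sample:
        print(p.src, "->", p.dst, "seen on eth1 as", masquerade(p).src, classify(p))
    print(apparent_sources(sample))
```

The run shows that the two LAN clients both surface on eth1 as 83.17.0.1 and satisfy only the $HOME_NET -> $EXTERNAL_NET direction, while the genuine inbound connection satisfies only $EXTERNAL_NET -> $HOME_NET. Tuning the variables alone cannot separate the two cases on the WAN side; a second instance on eth0, where the real client addresses are still visible, is what Russ's suggestion buys you.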