[Snort-users] Still trying to build this box

Jim Turner JTurner at ...16132...
Tue Mar 12 15:31:25 EDT 2013


Assuming I have Snort working properly on this Windows 7 box, how do I connect it to the network?

I have the box configured as 192.168.x.81.  Do I need to use a mirrored port on my network switch?
Sent from my iPhone

On Mar 12, 2013, at 12:54 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:

On 3/12/2013 10:55, Jim Turner wrote:
> Hello Waldo Kitty,
>
> I watched a youtube video where the guy was able to test his logging by pinging
> websites.

okay...

> Is this no longer an activity that can be logged?

it can be if you have rules for such traffic and they are enabled as well as
looking on the proper interface...

> I suspect that I have successfully installed Snort. I would like to know if it
> is working before I deploy the box on a network.
>
> Is there any way to verify that everything is working perfectly?

not everything but... ;)

what some blogs and helpers recommend is to create a local.rules file and then
create a rule in there that will alert on everything... make sure that
local.rules is included in your snort.conf and that it is with your other rules
files with the proper permissions... then restart snort... the "catch
everything" rules would be something like these...


alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; sid:3; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; sid:6; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; sid:7; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; sid:8; rev:1;)


"any" used to be allowed as a protocol but when i tested it just now with snort
2.9.3.1, it didn't like it at all...

you'll want to disable these as soon as possible and restart snort ;)


> *From:*waldo kitty [mailto:wkitty42 at ...14940...]
> *Sent:* Tuesday, March 12, 2013 11:51 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Still trying to build this box
>
> On 3/12/2013 09:03, Jim Turner wrote:
> > I have made progress since last night. Snort is now starting and not erroring on
> > the rules. I accomplished this by uninstalling and starting all over again. Now
> > I am just unable to log any of the data.
>
> what are you expecting to log? snort will only log traffic that creates
> alerts... regular/normal traffic should not create alerts... it only ran for 90
> seconds...
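Before restarting Snort with a hand-written local.rules, it is worth catching the two mistakes this thread touches on with a quick lint pass: a protocol Snort will not accept (such as "any", which 2.9.x rejects) and sids that collide with the distributed rule sets (the Snort manual reserves sids 1,000,000 and above for local rules; anything lower belongs to Sourcefire/Talos). The script below is an added example, not code from the thread or from the Snort project; it parses the classic rule header and option syntax with a small regex, which covers simple local rules like the ones quoted above but is not a full Snort rule parser. The sample rule text is constructed for the demonstration and includes one deliberately bad "any" rule and one duplicate sid.

```python
import re
from collections import Counter

# Constructed sample local.rules: three of the "catch everything" rules from the
# thread plus one bad line ("any" protocol, duplicate sid 3). Not a real file.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; sid:3; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"any traffic outbound"; sid:3; rev:1;)
"""

VALID_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
VALID_PROTOS = {"ip", "tcp", "udp", "icmp"}   # "any" is not a protocol in Snort 2.9
LOCAL_SID_MIN = 1000000                         # sids below this are reserved

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# keyword, optionally ':' and either a quoted string or a bare value, then ';'
OPT_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_options(opts):
    """Turn 'msg:"x"; sid:1; rev:1;' into {'msg': 'x', 'sid': '1', 'rev': '1'}."""
    return {m.group(1): (m.group(2) or "").strip().strip('"')
            for m in OPT_RE.finditer(opts)}


def lint_rules(text):
    """Return a list of (line_number, problem) tuples; an empty list means clean.

    Line number 0 marks file-wide findings such as duplicate sids.
    """
    findings = []
    sid_uses = Counter()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            findings.append((lineno, "unparseable rule header"))
            continue
        if m["action"] not in VALID_ACTIONS:
            findings.append((lineno, f"unknown action '{m['action']}'"))
        if m["proto"] not in VALID_PROTOS:
            findings.append((lineno, f"protocol '{m['proto']}' is not one of ip/tcp/udp/icmp"))
        opts = parse_options(m["opts"])
        if "msg" not in opts:
            findings.append((lineno, "missing msg option"))
        if "rev" not in opts:
            findings.append((lineno, "missing rev option"))
        sid = opts.get("sid")
        if sid is None or not sid.isdigit():
            findings.append((lineno, "missing or non-numeric sid"))
            continue
        sid = int(sid)
        sid_uses[sid] += 1
        if sid < LOCAL_SID_MIN:
            findings.append((lineno, f"sid {sid} is below {LOCAL_SID_MIN}, the range reserved for local rules"))
    for sid, n in sorted(sid_uses.items()):
        if n > 1:
            findings.append((0, f"sid {sid} used {n} times"))
    return findings


if __name__ == "__main__":
    for lineno, problem in lint_rules(SAMPLE_RULES):
        where = f"line {lineno}" if lineno else "file"
        print(f"{where}: {problem}")
```

Run it against your own local.rules by reading the file into `lint_rules`; a clean result is not proof the rules load, so still follow it with `snort -T -c snort.conf` before restarting the service.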



_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!