Snort mailing list archives
Re: Configuration issue, Part II
From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 23 Sep 2001 23:23:59 -0700 (PDT)
On Sun, 23 Sep 2001, DJDave Sobel wrote:
First off, thanks to everyone who's lent a hand -- I do appreciate it. Let me know where to send the coffee and/or beer...
:)
Now, to save bandwidth, I compiled my answers to everyone's questions into this one email. :) Thus, those not interested only need ignore one message. First off, to answer Erek Adams (erek () theadamsfamily net): Tell me where to send your beer... Snort is located on my Linux router, so it's on a machine with 6 network interfaces. Two are connected to the Internet, and four are to the internal networks. I use ipchains to block various unfriendly traffic, and control who can see
Ahhhh.... I think I see a possible problem! Have a look at this: http://snort.sourcefire.com/docs/faq.html#4.3 Basically, snort sits 'behind' the ipchains and ipf programs. They see the packets before snort does. If you've got things setup to drop/deny packets that you are expecting to see with snort, then you won't.
who, but all traffic passes across this machine. All the interfaces have been put into PROMISC mode (as I believed snort needed this). Its placement on this machine would make me think it can see everything that goes in and out of the network.
As well it should.
It CAN see some traffic -- it does happily report on things it sees internally, such as samba communications and nameserver communications within the network. Additionally, it does seem to report occasional things from the outside. I performed this test, per your instructions: snort -dv host <webserver_IP> Snort displayed a great deal about communications going on within the network. However, only things within the network for the time I watched. I then went to route-server.cerf.net and pinged the same webserver -- it did NOT report anything.
Odd. Depending on your firewall rules, this might be expected. Unless you are blocking packets, you should see the ping traffic in the snort window. [...snip...]
Now, John Berkers (berjo () ozemail com au): Where do you want your coffee? As for output plugins, you're right -- I didn't configure any. However, even in this state, snort does log alerts to /var/log/snort/alert and /var/log/snort/portscan.log . I assumed this was the default configuration, and this works for my needs right now. I thought I'd get it working before adding on a mySQL backend and such.
Good idea. Getting ACID up and running is not a hard task, it's just got a lot of dependencies.
Is this not a true assumption? If so, cool... if not, then why is it logging to these two files even without me saying so?
True sir! [...snip...] I _really_ don't think it's your configs. Your configs look quite sane to me--Oh wait, I'm not sane.... :) Seriously, they look fine. The only things that were amiss were corrected already. Hold on... You've got 2 external interfaces? When you start snort, which interface are you telling it to watch? If you don't specify, it will look at the lowest numbered one. If your traffic is coming in via the other interface, then that would explain it. (Yeah, I could have deleted all that and re-written, but I'm lazy. ;-) Good luck!
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Configuration issue DJDave Sobel (Sep 22)
- Re: Configuration issue John Sage (Sep 22)
- Re: Configuration issue Brian (Sep 23)
- Configuration issue, Part II DJDave Sobel (Sep 23)
- Re: Configuration issue, Part II Erek Adams (Sep 23)
- RE: Configuration issue, Part II DJDave Sobel (Sep 24)
- Re: Configuration issue, Part II Chris Keladis (Sep 24)
- -i switch Matthew Francis (Sep 24)
- Re: Configuration issue, Part II Chris Keladis (Sep 24)
- Re: Configuration issue, Part II Erek Adams (Sep 24)
- RE: Configuration issue, Part II DJDave Sobel (Sep 24)
- RE: Configuration issue, Part II DJDave Sobel (Sep 24)
- RE: Configuration issue, Part II Erek Adams (Sep 24)
- Configuration issue, Part II DJDave Sobel (Sep 23)
- RE: Configuration issue, Part II Erek Adams (Sep 24)
- Re: Configuration issue, Part II Greg Sarsons (Sep 24)