Snort mailing list archives
Interpreting logs
From: "Migus, Adam" <Adam_Migus () NAI com>
Date: Thu, 19 Jul 2001 09:25:05 -0700
I am running snort on my FreeBSD/ipfw/natd firewall as shown:

    /usr/local/bin/snort -D -Afull -i ed1 -c snort.conf

ed1 is my external interface. Here is a diff of my snort.conf and the original:

gateway# diff snort.conf snort.conf.orig
36d35 < var HOME_NET $ed1_ADDRESS 253d251 < var SPADEDIR /var/log/snort/spade 255c253 < preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000 ---
# preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
260c258 < preprocessor spade-homenet: 0.0.0.0/0 ---
# preprocessor spade-homenet: 0.0.0.0/0
268c266 < preprocessor spade-adapt3: 0.01 60 168 ---
# preprocessor spade-adapt3: 0.01 60 168
276c274 < preprocessor spade-threshlearn: 200 24 ---
#preprocessor spade-threshlearn: 200 24
278c276 < preprocessor spade-survey: $SPADEDIR/survey.txt 60 ---
#preprocessor spade-survey: $SPADEDIR/survey.txt 60
280c278 < preprocessor spade-stats: entropy uncondprob condprob ---
#preprocessor spade-stats: entropy uncondprob condprob
288c286 < preprocessor arpspoof ---
# preprocessor arpspoof
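Review bot: the 36d35 hunk sets `var HOME_NET $ed1_ADDRESS`, the address of the external interface named above, and the 260c258 hunk sets `preprocessor spade-homenet: 0.0.0.0/0`, which covers every destination address; with those two values the firewall's own outbound sessions from 24.249.235.55 fall inside what the preprocessors are told to watch, and that address is the source in every alert quoted in this message. Consider pointing HOME_NET and spade-homenet at the internal range behind natd instead, so the monitored "home" side is the protected hosts rather than the firewall's own client traffic.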
gateway#

I have a few questions on the log messages below that I'm hoping someone can explain.

    [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 24.249.235.55 (THRESHOLD 4 connections exceeded in 3 seconds) [**]
    07/19-03:01:48.093228

    [**] [100:2:1] spp_portscan: portscan status from 24.249.235.55: 5 connections across 5 hosts: TCP(5), UDP(0) [**]
    07/19-03:02:52.086670

These first two entries are taken from /var/log/snort/alert. They show port scan messages from the IP address of my external interface (ed1). Why is it telling me this?

    [**] spp_anomsensor: Anomaly threshold exceeded: 6.0893 [**]
    07/19-05:25:37.765846 24.249.235.55:4778 -> 64.94.89.146:80
    TCP TTL:127 TOS:0x0 ID:56422 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xBE1604FD Ack: 0x0 Win: 0x4000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

This entry is also taken from my /var/log/snort/alert. It is complaining about an ordinary connection to the http port of a random site I visited. Why?

    Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
    Jul 19 05:23:27 24.249.235.55:41757 -> 198.165.106.2:110 SYN ******S*

This entry is taken from /var/log/snort/portscan.log. These as well are ordinary client connections to an external DNS and POP server I use. How do I interpret this?

How do I make snort stop complaining about these routine connections and only tell me when I have a legitimate attack happening...

Thanks
Adam
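A small triage script for the alert records quoted in this post, added here as an example and not part of the original message or of Snort: it parses the "-A full" layout shown above (header line, then timestamp with an optional src -> dst line) and tags each record by whether its source is the sensor's own address, which the poster says 24.249.235.55 is. The sample input is constructed from the three records in the message.

```python
import re

# Constructed sample: the three records quoted in the post, laid out the way
# "snort -A full" writes them to /var/log/snort/alert (blank line between records).
ALERT_SAMPLE = """\
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 24.249.235.55 (THRESHOLD 4 connections exceeded in 3 seconds) [**]
07/19-03:01:48.093228

[**] [100:2:1] spp_portscan: portscan status from 24.249.235.55: 5 connections across 5 hosts: TCP(5), UDP(0) [**]
07/19-03:02:52.086670

[**] spp_anomsensor: Anomaly threshold exceeded: 6.0893 [**]
07/19-05:25:37.765846 24.249.235.55:4778 -> 64.94.89.146:80
TCP TTL:127 TOS:0x0 ID:56422 IpLen:20 DgmLen:48 DF
******S* Seq: 0xBE1604FD Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

# Header: "[**] [gid:sid:rev] message [**]"; the bracketed id is absent on spade alerts.
HEADER = re.compile(r"^\[\*\*\] (?:\[[\d:]+\] )?(?P<msg>.*?) \[\*\*\]$")
# Second line: timestamp, then "src:port -> dst:port" only when a packet was logged.
TUPLE = re.compile(r"^(?P<ts>\d\d/\d\d-[\d:.]+)(?: (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+)?")
# Portscan summaries carry no packet line; the scanning address sits in the message text.
FROM_IP = re.compile(r"\bfrom (?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_alerts(text):
    """Split an alert file into records of msg, ts, src, dst (src/dst None if unknown)."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        body = TUPLE.match(lines[1]) if len(lines) > 1 else None
        if not head or not body:
            continue  # a layout this parser does not understand: skip rather than guess
        rec = {"msg": head["msg"], "ts": body["ts"], "src": body["src"], "dst": body["dst"]}
        if rec["src"] is None:
            m = FROM_IP.search(rec["msg"])
            rec["src"] = m["ip"] if m else None
        records.append(rec)
    return records


def triage(records, sensor_addrs):
    """Tag each record 'self' when its source is one of the sensor's own addresses, else 'external'."""
    return [dict(r, origin="self" if r["src"] in sensor_addrs else "external") for r in records]
```

Running `triage(parse_alerts(ALERT_SAMPLE), {"24.249.235.55"})` tags all three records as `self`, which is the first thing to check when every alert names the sensor as its source.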