Snort mailing list archives
win2k/snort and weird output
From: "Rommel, Florian" <Florian.Rommel () quartal com>
Date: Thu, 7 Mar 2002 16:28:24 +0200
Hi all, I run snort on all our web/sql servers that have win2k, and on all of them it works fine except 2 of them. Those 2 are running an application level cluster (in house coded) and Apache together with Resin. They both have 2 IPs on interface 1; the snort.conf that I use is here at the bottom. I then use Demarc to see the alerts from the databases, and I double checked in the mysql database, but code red requests do not get logged with the source IP that they actually came from (as recorded in the access.log in apache); they get as the source IP the 1st IP of the interface and as the destination IP the second IP, and that gets logged!!! Like I said, on other servers (running IIS etc.) it works well and all attempts get logged with the REAL source IP and with the destination IP it was meant for. What to do?... Here's my snort.conf of one of the 2 servers; they are both the same except the idsname and the username/passwd. Any help would be appreciated.
//Florian
PS: the snort.exe is the same as on all other servers.
var HOME_NET 192.168.2.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS any
var SQL_SERVERS [192.168.1.12,192.168.1.14,192.168.1.16]
var DNS_SERVERS [192.168.1.2,192.168.1.3]

preprocessor frag2
#preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 15 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS $SQL_SERVERS

output database: log, mysql, user=ids-clust1 dbname=snort host=192.168.1.55 password=XXXX sensor_name=IDS-CLUST1
output database: alert, mysql, user=ids-clust1 dbname=snort host=192.168.1.55 password=XXXX sensor_name=IDS-CLUST1

include classification.config
include bad-traffic.rules
include dos.rules
include ddos.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include backdoor.rules
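An added cross-check, not from the poster or the Snort project, that makes the mismatch Florian describes visible: it compares Snort alert rows (as stored in the snort database) against Apache access.log entries for Code Red's /default.ida requests and flags alerts whose source and destination are both the sensor's own interface addresses. The alert rows, log lines and sensor addresses are constructed samples, and the script assumes the sensor and web server share the same clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alert rows, shaped like the snort DB columns (timestamp,
# ip_src, ip_dst) that Demarc displays. Not captured from the poster's servers.
SNORT_ALERTS = [
    {"ts": "2002-03-07 14:01:12", "src": "192.168.2.10", "dst": "192.168.2.11"},
    {"ts": "2002-03-07 14:05:30", "src": "10.9.8.7", "dst": "192.168.2.10"},
]

# Constructed Apache access.log lines for Code Red's /default.ida requests.
ACCESS_LOG = """\
203.0.113.45 - - [07/Mar/2002:14:01:12 +0200] "GET /default.ida?XXX HTTP/1.0" 404 290
10.9.8.7 - - [07/Mar/2002:14:05:30 +0200] "GET /default.ida?XXX HTTP/1.0" 404 290
"""

# Both addresses bound to interface 1 on the sensor host (assumed values).
SENSOR_IPS = {"192.168.2.10", "192.168.2.11"}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /default\.ida')


def parse_access_log(text):
    """Return (client_ip, datetime) for each Code Red request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            # Drop the zone offset: sensor and web server are assumed to share a clock.
            when = datetime.strptime(m.group(2)[:20], "%d/%b/%Y:%H:%M:%S")
            hits.append((m.group(1), when))
    return hits


def classify_alerts(alerts, access_log, sensor_ips, window=5):
    """Label each alert: 'sensor-local' is the reported symptom (both addresses
    belong to the sensor), 'matched' when access.log confirms the source IP
    within `window` seconds, 'unmatched' otherwise."""
    hits = parse_access_log(access_log)
    results = []
    for a in alerts:
        when = datetime.strptime(a["ts"], "%Y-%m-%d %H:%M:%S")
        if a["src"] in sensor_ips and a["dst"] in sensor_ips:
            verdict = "sensor-local"
        elif any(ip == a["src"] and abs(t - when) <= timedelta(seconds=window)
                 for ip, t in hits):
            verdict = "matched"
        else:
            verdict = "unmatched"
        results.append((a["ts"], a["src"], a["dst"], verdict))
    return results
```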
Current thread:
- win2k/snort and weird output Rommel, Florian (Mar 07)
- Re: win2k/snort and weird output Erek Adams (Mar 07)