Snort mailing list archives

Re: real basic starter rules


From: Phil Wood <cpw () lanl gov>
Date: Thu, 25 Apr 2002 08:49:19 -0600

On Wed, Apr 24, 2002 at 06:53:39PM -0700, Harry Putnam wrote:
> I'm having a rough time getting started with snort.
> Just installed the latest 8.6 from source.  Had no problems with
> build.
> 
> But now reading the Users Manual and trying to put together just some
> simple stuff to see what things do what.
> 
> Maybe some examples I've taken direct from the Manual but edited in
> various ways will be the quickest way for any prospective poster to
> see what I'm screwing up.
> 
> I always seem to have more than my share of trouble learning new apps
> so I've come to believe it's a built-in operator problem on my end so
> please bear with me as I pose possibly old worn out questions.
> 
> After running some of the command lines from the first section of
> manual I decided to push on to the next section about using the
> snort.conf file.
> 
> A few of the things I tried after reading some of it seemed not to do
> what I understood they should:
> 
> 1) The bidirectional example caught my attention.
>     log !192.168.1.0/24 any <> 192.168.1.0/24 23 
>  Only I couldn't see why the NOT (!)  operator was in there.

First, fix the rule.  You did not have a protocol specified after the 'log'.

Then think of 192.168.1.0 as host A and !192.168.1.0 as NOT A (let's call him B).
Then the rule above will log the following:

    B(any port) to A(telnet[23] port)

and

    A(telnet port) to B(any port)

Basically, it will log both traffic to and from the telnet daemon* on A.

Unless you are someone like DoubleClick who listens to http on port 23.


> The discussion indicates it is supposed to capture both sides of the
> conversation. 
> 
> Editing a little, I set the numbers to reflect my setup and changed
> the port number to 21 (ftp)
> 
> So with cat /usr/local/etc/snort.conf
>    log !192.168.0.0/24 any <> 192.168.0.0/24 21 
> 
> And having created the following directory: /var/log/snort/tests.
>    ls -ld /var/log/snort/tests
>    drwxr-xr-x 2 root root 4096 Apr 24 17:15 /var/log/snort/tests
> 
> Using this command line:
> 
>    snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf
> 
> I get these results:
>     root # snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf
>    Log directory = /var/log/snort/tests
>    
>    Initializing Network Interface eth0
>    
>            --== Initializing Snort ==--
>    Decoding Ethernet on interface eth0
>    Initializing Preprocessors!
>    Initializing Plug-ins!
>    Initializating Output Plugins!
>    Parsing Rules file /usr/local/etc/snort.conf
>    
>    +++++++++++++++++++++++++++++++++++++++++++++++++++
>    Initializing rule chains...
>    ERROR /usr/local/etc/snort.conf (1): Bad rule in rules file
>    Fatal Error, Quitting..

Re-check snort.conf line 1 or send it to me.  It is a bad rule, believe the
program, re-check.  Did you really insert the protocol (tcp)?


> Fails completely.
> 
> After trying quite a few edited versions with no better success, I
> moved on to some other experiments.
> 
> I thought maybe being more specific would let me see what I'm doing wrong:
> cat /usr/local/etc/snort.conf
> 
>    log tcp any any ->  128.111.24.43 21

This rule will only give you traffic to port 21.  You will not get both to and
from host 128.111.24.43:21.


> command line
> snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf
I think you are in what Marty calls 

  3.0 PACKET LOGGER MODE (Please take another look at the file USAGE)

and then move down to

  4.0 NETWORK INTRUSION DETECTION MODE


> This time I see the traffic when I run an ftp session in another
> xterm.  But also pinging the address shows the traffic too.  But it
> doesn't get logged so I guess I'm supposed to see any traffic but only
> log the stuff on port 21.
> 
> And sure enough, I get a log file with a directory named with my local address
> is:
>    ls ./192.168.0.5/TCP:3336-21
> Showing the traffic.  But I can't tell if I'm getting both sides.  I
> think not.
You bet.

> Now I'm getting closer at least but I really want to narrow it down
> to a single machine on the network
> trying:
> 
>   log tcp 192.168.0.6 any ->  128.111.24.43 21

Let's just stop the foo.


Do this:

  echo  'log tcp !128.111.24.43 any <> 128.111.24.43 21' > snort.conf
  rm -rf log
  mkdir log
  snort -d -l log -c snort.conf

Then run your ftp to 128.111.24.43 and quit.

Then break out of the snort process.

Then:

  cd log 

and cd to the directory that has the address of your client
which better not be 128.111.24.43, and look in the file:

  TCP:xxxxx-21  (where xxxxx is the source port from the ftp
                 client)

If you don't see massive quantities of ftp foo going both ways.

Now, did you know that ftp (port 21) is only used for commands
and not ftp data?  So, you won't see any ftpdata in the file, just
the tcp handshake, any ftp protocol exchanges, and finally the
FIN exchange.


> Fire up an ftp session from 192.168.0.6 to 128.111.24.43
> I don't see any of this traffic.  I do see all kinds of other guff
> going by but not that ftp session.
You shouldn't see any other guff unless you have more rules besides just
the one we have been discussing.

> What is my error above?  How can I track an ftp session from machine 
> 192.168.0.6 to  128.111.24.43 21 or any other client/server pair?
Try it again.  


> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
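The two points of the exchange above, that a rule header without a protocol is rejected outright and that only the `<>` form selects both halves of the ftp control session, can be checked without a packet capture. The following is an added example written for this archive page; it is not Snort's code and not anything either poster sent. It parses only the seven-field rule header (action, protocol, source, source port, direction, destination, destination port), ignores rule options, and models the `-l` log layout the thread shows (`./<client ip>/TCP:<client port>-<server port>`) under the stated assumption that the side with the higher port number is treated as the client. The sample 5-tuples are constructed from the addresses in the thread.

```python
"""Added example (not Snort's code): parse and match Snort rule HEADERS so that
the 'Bad rule' on the protocol-less manual example, and the one-way versus
bidirectional selection of an ftp control session, can be seen directly."""

import ipaddress
from dataclasses import dataclass

ACTIONS = ("log", "alert", "pass")
PROTOCOLS = ("tcp", "udp", "icmp", "ip")
DIRECTIONS = ("->", "<>")


@dataclass(frozen=True)
class RuleHeader:
    action: str
    proto: str
    src_net: str      # "any", a host or CIDR block, optionally prefixed with "!"
    src_port: str     # "any" or a port number
    direction: str    # "->" (one way) or "<>" (both ways)
    dst_net: str
    dst_port: str


def parse_header(rule: str) -> RuleHeader:
    """Parse e.g. 'log tcp !128.111.24.43 any <> 128.111.24.43 21'.
    Raises ValueError, as Snort reports 'Bad rule in rules file', when the
    header does not have exactly seven fields or a field is malformed."""
    fields = rule.split()
    if len(fields) != 7:
        hint = ""
        if len(fields) == 6 and fields[1] not in PROTOCOLS:
            hint = " (protocol missing after the action?)"
        raise ValueError(f"Bad rule: expected 7 header fields, got {len(fields)}{hint}: {rule!r}")
    action, proto, src_net, src_port, direction, dst_net, dst_port = fields
    if action not in ACTIONS:
        raise ValueError(f"Bad rule: unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"Bad rule: unknown protocol {proto!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"Bad rule: unknown direction {direction!r}")
    for net in (src_net, dst_net):
        if net != "any":
            ipaddress.ip_network(net.lstrip("!"), strict=False)  # syntax check only
    for port in (src_port, dst_port):
        if port != "any" and not (port.isdigit() and int(port) <= 65535):
            raise ValueError(f"Bad rule: bad port {port!r}")
    return RuleHeader(action, proto, src_net, src_port, direction, dst_net, dst_port)


def rejected(rule: str) -> bool:
    """True when parse_header refuses the rule, as Snort would."""
    try:
        parse_header(rule)
    except ValueError:
        return True
    return False


def _net_match(spec: str, addr: str) -> bool:
    """'any' matches everything; a leading '!' inverts the CIDR test (NOT A)."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negated


def _port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches(rule: RuleHeader, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """True when the packet's 5-tuple is selected by the rule header."""
    if rule.proto != "ip" and rule.proto != proto:
        return False

    def one_way(s_net, s_port, d_net, d_port):
        return (_net_match(s_net, src) and _port_match(s_port, sport)
                and _net_match(d_net, dst) and _port_match(d_port, dport))

    forward = one_way(rule.src_net, rule.src_port, rule.dst_net, rule.dst_port)
    if rule.direction == "->":
        return forward
    # '<>' also accepts the packet with the two endpoints swapped (A -> B)
    return forward or one_way(rule.dst_net, rule.dst_port, rule.src_net, rule.src_port)


def log_path(proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """Model of the '-l' layout in the thread: <client ip>/TCP:<client port>-<server port>.
    Assumption: the endpoint with the higher port is the client, so both
    directions of one session land in the same file."""
    if sport >= dport:
        return f"{src}/{proto.upper()}:{sport}-{dport}"
    return f"{dst}/{proto.upper()}:{dport}-{sport}"


# Constructed sample: an ftp control session from the client 192.168.0.6
# (ephemeral port 3336) to the server 128.111.24.43:21, and the server's reply.
REQUEST = ("tcp", "192.168.0.6", 3336, "128.111.24.43", 21)
REPLY = ("tcp", "128.111.24.43", 21, "192.168.0.6", 3336)

BIDIRECTIONAL_RULE = "log tcp !128.111.24.43 any <> 128.111.24.43 21"  # the fixed rule
ONE_WAY_RULE = "log tcp any any -> 128.111.24.43 21"                    # the '->' rule
BAD_RULE = "log !192.168.1.0/24 any <> 192.168.1.0/24 23"               # manual example, no protocol


def directions_logged(rule_text: str) -> dict:
    """Which of the two sample packets the given rule selects."""
    rule = parse_header(rule_text)
    return {"request": matches(rule, *REQUEST), "reply": matches(rule, *REPLY)}


if __name__ == "__main__":
    for text in (BIDIRECTIONAL_RULE, ONE_WAY_RULE):
        print(f"{text!r}: {directions_logged(text)}")
    try:
        parse_header(BAD_RULE)
    except ValueError as err:
        print(err)
    print("both packets land in", log_path(*REQUEST), "and", log_path(*REPLY))
```

Run as a script, it reports that the `<>` rule selects both the request and the reply, the `->` rule selects only the request, the manual's protocol-less rule is refused with a hint about the missing protocol, and both packets map to the same `192.168.0.6/TCP:3336-21` file, which is the file Phil tells Harry to look in.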


