Snort mailing list archives
Re: My settings and output of 3 test on snort, is this normal?
From: Bamm Visscher <bamm () satx rr com>
Date: Thu, 6 Mar 2003 07:42:46 -0600
1) You don't appear to have a portscan preprocessor enabled.

2) You must use the 'alert' facility with your DB output in order for portscan alerts to get loaded.

3) Please read the documentation and the FAQ. Really. Please.

Bammkkkk

On Thu, Mar 06, 2003 at 02:58:21AM -0800, mike Hughes wrote:
Hey guys, I got Snort up and running :))))) I just have been playing around with it and running some tests. I will give you my layout first, of my network and my snort.conf file.

*** 1 firewall (iptables, default policy set to DROP) connected to the internet, running Snort on it, plus a DNS server for my LAN ***
*** And behind that machine I have 2 Windows computers on my LAN ***

INTERNET ---> FIREWALL (SNORT) ----> LAN

First, just to see if it was working properly, I pinged the firewall machine from a machine on a different network with the size set to 65500, and Snort picked it up :)

1> But then I went to www.GRC.com and probed my ports from a Windows machine on the LAN and from my firewall machine, and Snort didn't pick that up?

2> Then I ran "nmap -sS -P0 -v -p 1-1024 111.111.111.111" from a machine on a different network and I got like "10-15 alerts" like this in "TCP ICMP", but nothing in "portscan".

3> Something like 5 each of these. Is this normal for a scan like that???
SNMP request tcp
SNMP trap tcp
SNMP AgentX/tcp request

My snort.conf:

var HOME_NET any
var EXTERNAL_NET $eth0_ADDRESS
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
output database: log, mysql, user=snort password=:) dbname=snort host=127.0.0.1
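The two fixes Bamm's reply asks for, written out as snort.conf lines. This is an added example, not text from either poster and not a file from the Snort project; it assumes the Snort 1.9/2.0-era configuration syntax that was current in March 2003 (the `preprocessor portscan:` argument order and the `portscan2` keyword are from that era's README and default snort.conf, so check them against the version actually installed). The `/var/log/snort/portscan.log` path and the `CHANGEME` password are placeholders.

```conf
# Added example (not from the thread): the two changes Bamm's reply asks for,
# shown against the poster's own config. Snort 1.9/2.0-era syntax (assumption).

# 1) Enable a portscan preprocessor. The poster's "stream4: detect_scans" only
#    flags individual stealth-scan packet types; it does not produce the
#    "portscan" events he was looking for. The classic preprocessor takes
#    <network to watch> <number of ports> <seconds> <logfile>, i.e. alert when
#    one source touches 4 ports on $HOME_NET within 3 seconds.
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log

#    Hosts that legitimately talk to many ports can be excluded. Note that with
#    the poster's "var DNS_SERVERS $HOME_NET" this line would whitelist the
#    whole LAN, so narrow DNS_SERVERS to the real server address first.
preprocessor portscan-ignorehosts: $DNS_SERVERS

#    Alternative available from 1.9 on: portscan2 builds on the conversation
#    preprocessor the poster already has enabled. Use one or the other.
# preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

# 2) Send the alert facility to the database. The poster's line
#
#    output database: log, mysql, user=snort password=... dbname=snort host=127.0.0.1
#
#    only receives events on the log facility (packets matched by "log" rules).
#    Portscan and other preprocessor events go to the alert facility, so they
#    never reached the DB. The "log" line can stay; this one is the missing one.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1
```

After restarting Snort, rerunning the nmap -sS sweep from the outside host should now produce portscan events in the database alongside the per-packet rule alerts, and `/var/log/snort/portscan.log` will carry the preprocessor's own per-scan summary.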
Current thread:
- My settings and output of 3 test on snort, is this normal? mike Hughes (Mar 06)
- Re: My settings and output of 3 test on snort, is this normal? Bamm Visscher (Mar 06)
- <Possible follow-ups>
- Re: My settings and output of 3 test on snort, is this normal? mike Hughes (Mar 06)
- Re: My settings and output of 3 test on snort, is this normal? Erek Adams (Mar 06)
- Re: My settings and output of 3 test on snort, is this normal? Nigel Houghton (Mar 10)