Snort mailing list archives

Re: My settings and output of 3 test on snort, is this normal?


From: Bamm Visscher <bamm () satx rr com>
Date: Thu, 6 Mar 2003 07:42:46 -0600

1) You don't appear to have a portscan preprocessor enabled.

2) You must use the 'alert' facility with your DB output in order for portscan alerts to get loaded.

3) Please read the documentation and the FAQ. Really. Please.

Bammkkkk


On Thu, Mar 06, 2003 at 02:58:21AM -0800, mike Hughes wrote:
Hey Guys,
I got SNORT up and running :))))) I just have been playing around with it and 
running some tests: I will give you my LAYOUT first of my network and my 
snort.conf file.

***1 FIREWALL (IPTABLES "DEFAULT POLICY SET TO DROP") connected to the internet 
+ running SNORT on it + DNS Server for my LAN***

***And behind that machine I have 2 windows computers on my LAN***
INTERNET--->FIREWALL(SNORT)---->LAN

First just to see if it was working properly I pinged the firewall machine 
from a machine on a different network with the SIZE set to 65500 and SNORT 
picked it up :)

1>But then I went to www.GRC.com and PROBED my PORTS from a windows machine 
on the LAN and my FIREWALL machine and SNORT DIDN'T pick that up?

2>Then I ran "NMAP -sS -P0 -v -p 1-1024 111.111.111.111" from a machine on a 
different network and I got like "10-15 alerts" like this in "TCP ICMP" but 
nothing in "portscan"

3>Something like 5 each of these; is this normal for a scan like that???
SNMP request tcp
SNMP trap tcp
SNMP AgentX/tcp request

var HOME_NET any
var EXTERNAL_NET $eth0_ADDRESS
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
output database: log, mysql, user=snort password=:) dbname=snort host=127.0.0.1
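The two changes Bamm's reply asks for, shown against the settings in the posted snort.conf, as an added example that is not from either poster. The portscan thresholds (4 ports in 3 seconds) and the log file path are assumptions using the Snort 1.9/2.0 `preprocessor portscan` syntax of the time.

```conf
# As posted: stream4's detect_scans only flags stealth-flag scans (NULL/FIN/XMAS),
# so an nmap -sS SYN sweep produces no "portscan" event at all, and the
# database plugin is bound to the 'log' facility, which portscan events never use.
preprocessor stream4: detect_scans, disable_evasion_alerts
output database: log, mysql, user=snort password=:) dbname=snort host=127.0.0.1

# Corrected (thresholds and log path are assumptions): raise a portscan alert
# when one source touches 4 ports on $HOME_NET within 3 seconds, and keep a
# plain-text record of each event alongside the database row.
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log

# Optional: stop the LAN's own resolver from looking like a scanner. Leave this
# commented out while DNS_SERVERS is $HOME_NET and HOME_NET is 'any' (as posted),
# because it would then exclude every host and silence the preprocessor.
# preprocessor portscan-ignorehosts: $DNS_SERVERS

# Portscan events are alerts, so the database plugin must use the 'alert'
# facility for them to be loaded into the snort database.
output database: alert, mysql, user=snort password=:) dbname=snort host=127.0.0.1
```

Running `snort -T -c snort.conf` after the change parses the configuration without starting capture, so a typo in the new lines shows up before the sensor is restarted.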

