Snort mailing list archives

using snortcenter agents on multiple interface sensor?


From: "Horta, Benny" <BHorta1 () dadeschools net>
Date: Wed, 14 May 2003 15:36:13 -0400

Is it possible to run the SnortCenter agent on a Linux box with multiple
interfaces being watched by Snort?

I have a 4-interface Snort box (1 mgmt iface) and I run Snort watching
traffic on all 4 and sending it to an ACID/SQL box. Will SnortCenter allow me
to view the box and manage it as 4?

-----Original Message-----
From: Allan Dover [mailto:allan () redwoods ca]
Sent: Tuesday, April 29, 2003 10:05 AM
To: Neil Dickey
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] VPN and UDP alerts


Hey Neil,

I am still getting alerts from that VPN server on the internet.  When I
emailed yesterday, the user had left, right when I applied the rule.  This
morning it's back.
This is what I have done:

in snort.conf where DNS and mail variables are defined i added:
# External VPN Server
var VPN_NET 139.56.2.13

In local.rules i did the following:

pass udp $VPN_NET 500 <> 192.168.1.61 any

I also modified my startup script with -o option.

Any ideas?

Allan Dover
Systems Administrator
<mailto:allan () iiwishiv com>
<http://www.iiwishiv.com>

###################################################
This e-mail communication (including any or all attachments) is intended
only for the use of the person or entity to which it is addressed and may
contain confidential and/or privileged material. If you are not the intended
recipient of this e-mail, any use, review, retransmission, distribution,
dissemination, copying, printing, or other use of, or taking of any action
in reliance upon this e-mail, is strictly prohibited. If you have received
this e-mail in error, please contact the sender and delete the original and
any copy of this e-mail and any  printout thereof, immediately. Your
co-operation is appreciated.


----- Original Message -----
From: "Neil Dickey" <neil () geol niu edu>
To: <allan () iiwishiv com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, April 25, 2003 5:11 PM
Subject: Re: [Snort-users] VPN and UDP alerts



"Allan Dover" <allan () iiwishiv com> wrote:

Thanks for the advice, I will try it.  This may seem like a stupid question,
should I be concerned that I am putting an internet address in my local file

Example:

var VPN-NET1 64.42.55.212  ( Made it up )

According to my reading of the manual that shouldn't cause a problem, though
my habit is to define all my variables in a central place -- snort.conf.
Just be sure the "var" statement is read before your "pass" rule.  If
$VPN-NET1 only contains one IP, I wouldn't use a variable.  I'd just put the
IP in its place in the rule and reduce the overhead.

Now, ...

pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61
                                     ^^^^^^^^^^^^
... I'm not sure what you're doing here.  Is 192.168.1.61 part of your
HOME_NET, or is it external to it?  If you're entering more than one address
on the right-hand-side, then it's necessary to use square brackets, comma
delimiters, and no spaces, as:

  [$HOME_NET,192.168.1.61]

Also, there needs to be a port designation after the addresses on the RHS,
so the whole rule would look like this:

  pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any

The port designation can be a single port number ( e.g. 500 ), as it is on
the LHS, a range of ports ( e.g. 500:1000 , 500: , :1000 ), or the word
"any" to signify that all ports match.

This will only not log on internal address going to specific destination,
so if somebody were to create a scan tool or some other nasty device, I
would get flagged again on different IPs.

The pass rule we have written here will not affect detection of TCP traffic
between any of the addresses in $VPN-NET1, $HOME_NET, and 192.168.1.61.
UDP traffic which did not originate from any of these IPs would still be
alerted, as would any UDP traffic originating from $VPN-NET1 on some port
other than 500.

The rule, as now written, will pass without alerting all UDP traffic
originating on $VPN-NET1, port 500, and bound for any port on any machine
in $HOME_NET or 192.168.1.61.  It will also pass all UDP traffic
originating on $HOME_NET and 192.168.1.61, from any port, and bound for
port 500 on $VPN-NET1.  Everything else still gets alerted.

This makes sense to me, look logical ?

If what I've just described is what you want to do, it should work fine.

Let me know how it turns out.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



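The rule-header semantics Neil lays out in the thread above (address lists in square brackets with no spaces, the four port forms, and the <> operator matching in both directions) can be checked against sample traffic with a small matcher. The following is an added example and is not code from the thread or from Snort itself; the variable table, the Packet type and the five sample packets are constructed for illustration, and the one rule it evaluates is Allan's pass rule rewritten with Neil's address list. It models a single rule header only and does not model rule ordering, which in Snort 2.x is what the -o switch mentioned in the thread changes.

```python
"""Evaluate a Snort 2.x rule header against constructed packets.

Added example, not part of the original thread and not Snort's own code.
Models only the header: action, protocol, address list, port spec
(single, N:M, N:, :M, any), direction (-> or <>) and $VAR substitution.
"""
import ipaddress
from dataclasses import dataclass

# Constructed variable table, modelled on the snort.conf snippet in the thread.
VARS = {
    "HOME_NET": "192.168.1.0/24",
    "VPN_NET": "139.56.2.13",
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def expand_vars(text, vars_=VARS):
    """Replace $NAME tokens with their definitions, longest name first."""
    for name in sorted(vars_, key=len, reverse=True):
        text = text.replace("$" + name, vars_[name])
    return text


def parse_addr_list(spec):
    """'[a,b,c]' or 'a' -> list of ip_network; 'any' -> None (matches all)."""
    spec = expand_vars(spec.strip())
    if spec == "any":
        return None
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    if " " in spec:  # Snort's list syntax is comma-delimited with no spaces
        raise ValueError("no spaces allowed inside an address list")
    return [ipaddress.ip_network(a, strict=False) for a in spec.split(",")]


def parse_port_spec(spec):
    """'any', '500', '500:1000', '500:', ':1000' -> (low, high) inclusive."""
    spec = spec.strip()
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    p = int(spec)
    return (p, p)


def addr_match(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def port_match(rng, port):
    return rng[0] <= port <= rng[1]


def parse_header(rule):
    """'pass udp A P <> B Q [(options)]' -> dict; options are ignored."""
    head = rule.split("(", 1)[0].split()
    if len(head) != 7:
        raise ValueError("expected: action proto src sport dir dst dport")
    action, proto, src, sport, direction, dst, dport = head
    if direction not in ("->", "<>"):
        raise ValueError("direction must be -> or <>")
    return {
        "action": action, "proto": proto.lower(), "dir": direction,
        "src": parse_addr_list(src), "sport": parse_port_spec(sport),
        "dst": parse_addr_list(dst), "dport": parse_port_spec(dport),
    }


def header_matches(rule, pkt):
    """True if the packet satisfies the header; <> also tries the reverse."""
    r = parse_header(rule)
    if r["proto"] != pkt.proto:
        return False
    forward = (addr_match(r["src"], pkt.src) and port_match(r["sport"], pkt.sport)
               and addr_match(r["dst"], pkt.dst) and port_match(r["dport"], pkt.dport))
    if forward or r["dir"] == "->":
        return forward
    return (addr_match(r["src"], pkt.dst) and port_match(r["sport"], pkt.dport)
            and addr_match(r["dst"], pkt.src) and port_match(r["dport"], pkt.sport))


# Allan's rule with Neil's address list on the right-hand side.
RULE = "pass udp $VPN_NET 500 <> [$HOME_NET,192.168.1.61] any"

SAMPLE = {  # constructed packets, not captured traffic
    "ike_in": Packet("udp", "139.56.2.13", 500, "192.168.1.61", 500),
    "ike_out": Packet("udp", "192.168.1.61", 1027, "139.56.2.13", 500),
    "vpn_other_port": Packet("udp", "139.56.2.13", 4500, "192.168.1.61", 4500),
    "tcp_from_vpn": Packet("tcp", "139.56.2.13", 500, "192.168.1.61", 500),
    "other_source": Packet("udp", "10.9.8.7", 500, "192.168.1.61", 500),
}


def classify(rule=RULE, packets=SAMPLE):
    """Map packet name -> 'pass' (header matched) or 'alert' (still alerted)."""
    return {k: ("pass" if header_matches(rule, p) else "alert")
            for k, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:15s} {verdict}")
```

The two IKE packets pass in both directions because of <>, while UDP from the VPN host on a port other than 500, TCP from the same host, and UDP from an unrelated source all still alert, which is exactly the behaviour Neil describes.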
