Snort mailing list archives

Re: Logs


From: Erek Adams <erek () snort org>
Date: Tue, 15 Jul 2003 15:18:31 -0400 (EDT)

On Tue, 15 Jul 2003, Helder Miguel Rodrigues wrote:

> Hello, I have my workstation running snort with no probs.
> My workstation is directly connected to the internet via eth0!
>
> so I have in my config file:
> var HOME_NET $eth0_ADDRESS
> var EXTERNAL_NET !$HOME_NET
>
> But in acid it appears ATTACK RESPONSES 403 and my CHAT MSN messages,
> how can I prevent logging these things?
>
> I just want to log what came from the internet, not what goes to the
> internet.

Well, one thing that you should always do is _look_ at the rule if it's
firing and you don't think it should.

Since you didn't give the SIDs of the rules, I'll have to guess a bit.

[erek@fred]/etc/snort/rules>grep -i "chat msn" *.rules
  chat.rules:alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN
  message"; flow:established; content:"MSG "; depth:4;
  content:"Content-Type\:"; content:"text/plain"; distance:1;
  classtype:misc-activity; sid:540; rev:8;)
[...others snipped...]

Now, notice that there's a bi-directional operator there?  With that rule,
if Snort sees that traffic, it's going to alert.  It doesn't care.  And if
you recall, chat.rules isn't enabled by default.

Now, let's look at the next one.

[erek@fred]/etc/snort/rules>grep -i "attack responses 403" *.rules
   attack-responses.rules:alert tcp $HTTP_SERVERS $HTTP_PORTS ->
   $EXTERNAL_NET any (msg:"ATTACK RESPONSES 403 Forbidden";
   flow:from_server,established; content:"HTTP/1.1 403"; depth:12;
   classtype:attempted-recon; sid:1201; rev:6;)

Now, that's looking at traffic with a source as HTTP_SERVERS going to a
destination of EXTERNAL_NET.  Since HTTP_SERVERS is HOME_NET by default,
then it's going to alert if that traffic/pattern matches.

Snort's working just fine.  It's just not working how you thought it was
going to.

Fixes?  Sure.  Disable the rules, write pass rules, or use a BPF filter.
See the FAQ [0] on 'ignoring traffic'.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.snort.org/docs/FAQ.txt
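As an added illustration of the direction point made above (this is not code from the thread or from Snort itself): a small Python model of how a Snort 2 rule header is matched against a packet, using the two headers quoted in the reply plus a constructed pass rule, to show that `<>` fires in both directions and that a pass rule ordered ahead of alerts (as with `snort -o`) silences only the outbound MSN traffic. The HOME_NET address and the external address used in the checks are assumed sample values.

```python
import ipaddress

# Constructed variable table modelled on the poster's snort.conf: HOME_NET is the eth0
# address (the value is an assumption); HTTP_SERVERS and HTTP_PORTS keep Snort 2.x defaults.
VARS = {
    "HOME_NET": "192.0.2.10",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
    "HTTP_PORTS": "80",
}

def resolve(spec):
    # Expand $VAR references; a leading '!' (at any level) negates the spec.
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    while spec.startswith("$"):
        inner = VARS[spec[1:]]
        neg ^= inner.startswith("!")
        spec = inner.lstrip("!")
    return neg, spec

def addr_matches(spec, ip):
    neg, spec = resolve(spec)
    return (spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)) != neg

def port_matches(spec, port):
    neg, spec = resolve(spec)
    return (spec == "any" or int(spec) == port) != neg

def header_matches(header, src, sport, dst, dport):
    """True if the rule header covers the packet; '<>' is tested in both directions."""
    _action, _proto, a1, p1, op, a2, p2 = header.split()
    def one_way(s, sp, d, dp):
        return (addr_matches(a1, s) and port_matches(p1, sp)
                and addr_matches(a2, d) and port_matches(p2, dp))
    return one_way(src, sport, dst, dport) or (op == "<>" and one_way(dst, dport, src, sport))

def verdict(rules, src, sport, dst, dport):
    """Rule order as with 'snort -o' (pass before alert): first matching pass wins, else first alert."""
    for action in ("pass", "alert"):
        for sid, header in rules:
            if header.startswith(action + " ") and header_matches(header, src, sport, dst, dport):
                return action, sid
    return "none", None

# Rule headers from the thread (payload options dropped; the header alone decides direction).
RULES = [
    (540, "alert tcp $HOME_NET any <> $EXTERNAL_NET 1863"),             # CHAT MSN message
    (1201, "alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any"),  # ATTACK RESPONSES 403
]
# Constructed pass rule: ignore MSN traffic the workstation itself originates.
PASS_RULES = [(0, "pass tcp $HOME_NET any -> $EXTERNAL_NET 1863")]
```

With the pass rule in front, an MSN message sent from the workstation is passed, while the same rule still alerts on a message arriving from the internet.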

