Snort mailing list archives
Re: Logs
From: Erek Adams <erek () snort org>
Date: Tue, 15 Jul 2003 15:18:31 -0400 (EDT)
On Tue, 15 Jul 2003, Helder Miguel Rodrigues wrote:
> Hello, I have my workstation running snort with no probs. My workstation is directly connected to the internet via eth0, so I have in my config file:
>
> var HOME_NET $eth0_ADDRESS
> var EXTERNAL_NET !$HOME_NET
>
> But in ACID it appears ATTACK RESPONSES 403 and my CHAT MSN messages; how can I prevent logging these things? I just want to log what comes from the internet, not what goes to the internet.
Well, one thing that you should always do is _look_ at the rule if it's firing and you don't think it should. Since you didn't give the SIDs of the rules, I'll have to guess a bit.

[erek@fred]/etc/snort/rules>grep -i "chat msn" *.rules
chat.rules:alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/plain"; distance:1; classtype:misc-activity; sid:540; rev:8;)
[...others snipped...]

Now, notice that there's a bi-directional operator there? With that rule, if Snort sees that traffic, it's going to alert. It doesn't care. And if you recall, chat.rules isn't enabled by default.

Now, let's look at the next one.

[erek@fred]/etc/snort/rules>grep -i "attack responses 403" *.rules
attack-responses.rules:alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:6;)

Now, that's looking at traffic with a source of HTTP_SERVERS going to a destination of EXTERNAL_NET. Since HTTP_SERVERS is HOME_NET by default, it's going to alert if that traffic/pattern matches.

Snort's working just fine. It's just not working how you thought it was going to.

Fixes? Sure. Disable the rules, write pass rules, or use a BPF filter. See the FAQ [0] on 'ignoring traffic'.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.snort.org/docs/FAQ.txt
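The reply's point is that the rule header alone (variables, negation, and the '->' versus '<>' direction operator) already selects the poster's outbound traffic, and that a pass rule is one way to silence it. The following Python model of Snort 2.x header matching is an added example written for this archive page; it is not code from the thread or from the Snort project. It assumes the workstation address 192.0.2.10 (the poster's $eth0_ADDRESS is unknown), a remote peer at 198.51.100.5, a local pass rule with SID 1000001, and Snort 2.x's documented rule ordering (alert, log, pass by default; pass, alert, log when Snort is started with -o). Rule options such as flow: and content: are deliberately not evaluated.

```python
"""Toy model of how Snort 2.x rule headers select traffic (added example).

Resolves $VAR references (including the !$HOME_NET negation), applies the
'->' and '<>' direction operators, and evaluates rule order so the two
rules quoted in the reply (sid 540 and sid 1201) can be checked against
constructed packets. Rule options (flow:, content:, ...) are ignored: the
header alone already selects outbound traffic, which is the reply's point.
"""
import ipaddress
import re
from collections import namedtuple

# Variable table mirroring the poster's snort.conf. The workstation address
# is an assumption (RFC 5737 documentation range); HTTP_SERVERS and
# HTTP_PORTS are Snort's defaults, where HTTP_SERVERS is just HOME_NET.
VARS = {
    "HOME_NET": "192.0.2.10/32",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
    "HTTP_PORTS": "80",
}

Rule = namedtuple("Rule", "action proto src sport direction dst dport sid")
Packet = namedtuple("Packet", "proto sip sport dip dport")

HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def expand(token):
    """Follow a $VAR chain; each leading '!' toggles negation."""
    neg = False
    while True:
        if token.startswith("!"):
            neg, token = not neg, token[1:]
        elif token.startswith("$"):
            token = VARS[token[1:]]
        else:
            return neg, token


def ip_matches(spec, ip):
    neg, net = expand(spec)
    if net == "any":
        return True
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    return hit != neg


def port_matches(spec, port):
    neg, p = expand(spec)
    if p == "any":
        return True
    if ":" in p:  # Snort range syntax: lo:hi, :hi, lo:
        lo, hi = p.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(p)
    return hit != neg


def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    sid = re.search(r"\bsid:\s*(\d+)\s*;", opts)
    return Rule(action, proto, src, sport, direction, dst, dport,
                int(sid.group(1)) if sid else None)


def header_matches(rule, pkt):
    if rule.proto != pkt.proto:
        return False

    def one_way(sip, sp, dip, dp):
        return (ip_matches(rule.src, sip) and port_matches(rule.sport, sp)
                and ip_matches(rule.dst, dip) and port_matches(rule.dport, dp))

    if one_way(pkt.sip, pkt.sport, pkt.dip, pkt.dport):
        return True
    # '<>' also accepts the packet with source and destination swapped.
    return rule.direction == "<>" and one_way(pkt.dip, pkt.dport, pkt.sip, pkt.sport)


def matching_sids(rules, pkt):
    """SIDs of alert rules whose header selects pkt."""
    return [r.sid for r in rules if r.action == "alert" and header_matches(r, pkt)]


def verdict(rules, pkt, pass_first=False):
    """Action of the first matching rule under Snort 2.x rule ordering:
    alert, log, pass by default; pass, alert, log with the -o switch."""
    order = ["pass", "alert", "log"] if pass_first else ["alert", "log", "pass"]
    for action in order:
        for r in rules:
            if r.action == action and header_matches(r, pkt):
                return action
    return None


# The two rules quoted in the reply, verbatim.
RULES = [parse_rule(r) for r in (
    r'alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/plain"; distance:1; classtype:misc-activity; sid:540; rev:8;)',
    r'alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:6;)',
)]

# Hypothetical pass rule for the poster's own MSN client (local SID range).
PASS_MSN = parse_rule(
    'pass tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"local MSN client"; sid:1000001; rev:1;)')

# Constructed packets; the remote peer is a documentation-range address too.
MSN_OUT = Packet("tcp", "192.0.2.10", 40000, "198.51.100.5", 1863)    # workstation -> MSN server
RESP_403_OUT = Packet("tcp", "192.0.2.10", 80, "198.51.100.5", 51000)  # local httpd -> remote client
RESP_403_IN = Packet("tcp", "198.51.100.5", 80, "192.0.2.10", 51000)   # remote httpd -> workstation

if __name__ == "__main__":
    for name, pkt in (("MSN_OUT", MSN_OUT), ("RESP_403_OUT", RESP_403_OUT), ("RESP_403_IN", RESP_403_IN)):
        print(name, "matches", matching_sids(RULES, pkt))
    print("pass rule, default order:", verdict(RULES + [PASS_MSN], MSN_OUT))
    print("pass rule, -o order:", verdict(RULES + [PASS_MSN], MSN_OUT, pass_first=True))
```

Running it shows the behaviour the reply describes: the outbound MSN message matches sid 540 through the reverse leg of '<>' even though the workstation is the source, the 403 matches sid 1201 only when the workstation itself is the server, and an inbound 403 from a remote server matches nothing. It also shows the ordering catch with the pass-rule fix: under the default order the alert still wins, and the pass rule only suppresses it once pass rules are evaluated first. The BPF alternative from the reply works earlier in the pipeline, before any rule is consulted; an expression such as `not (src host 192.0.2.10 and dst port 1863)` on the Snort command line would drop the MSN traffic entirely, which is why it is worth checking whether you want the traffic ignored or merely not alerted on.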