Snort mailing list archives

snort not catching all hosts


From: "Koski, Brian" <bkoski () citrusheights net>
Date: Wed, 14 Jul 2004 09:05:15 -0700

Problem: Snort does not capture events to one of my servers, both in
HOME_NET and also added as variables in DMZ_SERVERS; it used to log
events to target 172.16.3.14; however I see attempts in the URL logs and
recently had a hack attempt I just happened to notice via other means
(snort was silent on this). Any ideas? Do I need some custom rules?

I am currently running Snort 2.1.3 on XP (started with Snort 2.0.1). I
am capturing traffic that gets past firewall to the DMZ hosts, which are
defined in config:

var HOME_NET [172.16.3.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS [172.16.3.13,172.16.3.14]
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var DMZ_SERVERS [172.16.3.10,172.16.3.13,172.16.3.14]
var RULE_PATH ../rules

---
Some history - snort had stopped logging altogether a while back until I
upgraded to 2.1.1, but I notice since then I only get alerts to
172.16.3.13 and no longer for host.14. BTW, I got the interface off the
Cisco switch a while ago because there were 'issues'.



City of Citrus Heights
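The variables quoted in the post do name 172.16.3.14, so the first thing to rule out is a variable mismatch before looking at whether the sensor still sees that host's traffic (the interface was moved off the Cisco switch). Below is an added check, not from the post or from Snort itself, that resolves Snort 2 `var` address expressions (leading `!` negation, `$NAME` references, nested `[...]` lists, `any`) under the semantics assumed in the `covers` docstring and reports which variables cover a given host; the config text is a constructed subset of the post's lines.

```python
import ipaddress

# Constructed sample: the address-related var lines from the post
# (AIM_SERVERS and the port vars are left out; they are not needed here).
SNORT_CONF = """
var HOME_NET [172.16.3.0/24]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS [172.16.3.13,172.16.3.14]
var DMZ_SERVERS [172.16.3.10,172.16.3.13,172.16.3.14]
"""

def parse_vars(conf):
    """Collect `var NAME VALUE` lines into a dict; other lines are ignored."""
    out = {}
    for line in conf.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            out[parts[1]] = parts[2].strip()
    return out

def split_list(body):
    """Split a Snort list body on commas, but not on commas inside nested [...]."""
    items, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    return items + [cur]

def covers(expr, ip, variables):
    """True if address expression `expr` covers `ip`. Assumed Snort 2 semantics:
    '!' negates, '$NAME' expands, '[a,b]' is a union, 'any' matches all."""
    expr = expr.strip()
    if expr.startswith("!"):
        return not covers(expr[1:], ip, variables)
    if expr == "any":
        return True
    if expr.startswith("$"):
        return covers(variables[expr[1:]], ip, variables)
    if expr.startswith("[") and expr.endswith("]"):
        return any(covers(e, ip, variables) for e in split_list(expr[1:-1]))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def coverage(ip, variables, names=("HOME_NET", "EXTERNAL_NET", "HTTP_SERVERS", "DMZ_SERVERS")):
    """Map each named var to whether it covers `ip` (vars missing from the config are skipped)."""
    return {n: covers(variables[n], ip, variables) for n in names if n in variables}
```

Running `coverage("172.16.3.14", parse_vars(SNORT_CONF))` shows every relevant variable covering the host, which points the investigation at the capture path (span/mirror on the switch, the sensor's interface) rather than at the config.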



