Snort mailing list archives
Re: : Configuration HELP! (understanding alerts and proxies)
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 12 Jun 2002 18:51:53 -0400
Ok, that clears things up a little bit. First question: what version of snort are you running? You've said it's a 1.8 win32 port. Which one? If it is older than snort 1.8.5, upgrade. Some members of the 1.8.x family had very significant bugs and I'd not even bother trying to determine if it's a config file problem if you're running one. (i.e.: strange bugs in stream processing, strange bugs in the frag reassembler)
http://www.snort.org/dl/binaries/
In general your config in your original email looks "good" at first glance, and that alert should not have occurred unless the proxy attempt rule you are using is any -> any instead of EXTERNAL_NET -> HOME_NET.
You could try this: replace this:
var HOME_NET x.x.x.243/32
with
var HOME_NET [x.x.x.243/32]
I know you should only need the braces for multi-IP cases, but I always use them myself. I doubt it will fix it, but won't take long to try.
At 11:51 AM 6/12/2002 -1000, Jason Martin wrote:
Let me follow-up on this before I get similar responses. I don't think I was
very clear.
x.x.90.77 is a test machine I am using to scan my x.x.90.243 machine. The
proxy scan is part of the scan I am using to emulate a PROXY scan attempt.
The problem is the scan was from x.x.x.77 but my logs only show the ACK of
my machine responding to x.x.x.77's request SYN port scan of my machine on
that port. None of the other signatures for the port scan show up, in fact
the only reason this was logged was because of the traffic generated by
x.x.x.243. I'm looking for someone to point out where I misconfigured my
config file so that it is detecting ONLY traffic generated by x.x.x.243 even
though I have it in my portscan-ignore section. I guess it's two-part: why
is it not detecting any external scans, and why is it not pre-processing my
ignore variable.
Problem in a nutshell:
IDS Signatures when scans are run from x.x.x.243 are captured in Logs. ALL
scans from various other test machines against x.x.x.243 do not log. I do
however see the traffic when I am running snort -dev -c snort.conf, so the
interface is grabbing the packets. I think I mis-configured my config file
so it doesn't know how to properly alert me. Or I'm just not making any
sense and the way I'm phrasing my problem isn't coming across correctly. I
hope this made things a little clearer.
~Jason
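Matt's point about rule direction, as an added example that is not code from the thread or from Snort itself: a small matcher for Snort rule headers (variable expansion, `!` negation, optional `[...]` lists) evaluated against the two packets Jason describes. The addresses 192.0.2.243 / 192.0.2.77, the proxy port 8080 and the two rule headers are constructed assumptions standing in for the redacted x.x.x.* values; rule options such as `flags:S` are not evaluated.

```python
import ipaddress

# Constructed example config: the thread's real addresses are redacted as x.x.x.*,
# so 192.0.2.243 stands in for the monitored host and 192.0.2.77 for the scanner.
VARS = {"HOME_NET": "[192.0.2.243/32]", "EXTERNAL_NET": "!$HOME_NET"}

def expand(spec, variables):
    """Resolve $VAR references, fold '!' negations and strip [...] list brackets."""
    spec = spec.strip()
    neg = spec.startswith("!")
    if neg:
        spec = spec[1:]
    if spec.startswith("$"):
        inner, inner_neg = expand(variables[spec[1:]], variables)
        return inner, neg != inner_neg   # '!' on an already negated var flips it back
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]                # brackets only group a list; no semantic change
    return spec, neg

def addr_matches(spec, ip, variables=VARS):
    nets, neg = expand(spec, variables)
    hit = nets == "any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n.strip(), strict=False)
                               for n in nets.split(","))
    return hit != neg

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(header, pkt, variables=VARS):
    """header: rule header only, e.g. 'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080'.
    pkt: dict with src, sport, dst, dport. '<>' headers are tried in both pairings."""
    _action, _proto, src, sport, direction, dst, dport = header.split()
    def one_way(s, sp, d, dp):
        return (addr_matches(src, s, variables) and port_matches(sport, sp)
                and addr_matches(dst, d, variables) and port_matches(dport, dp))
    fwd = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if direction == "->":
        return fwd
    return fwd or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

# The scanner's SYN and the monitored host's reply that Jason saw in his logs (constructed).
SYN = {"src": "192.0.2.77", "sport": 40000, "dst": "192.0.2.243", "dport": 8080}
REPLY = {"src": "192.0.2.243", "sport": 8080, "dst": "192.0.2.77", "dport": 40000}
DIRECTIONAL = "alert tcp $EXTERNAL_NET any -> $HOME_NET 8080"   # what the rule should look like
LOOSE = "alert tcp any any <> any 8080"                           # fires on the reply as well

def classify():
    return {(name, pname): rule_matches(rule, pkt)
            for name, rule in (("directional", DIRECTIONAL), ("loose", LOOSE))
            for pname, pkt in (("syn", SYN), ("reply", REPLY))}
```

The directional header matches only the scanner's SYN, while the loose header also matches the host's own reply; `addr_matches` gives the same answer for HOME_NET written with or without the brackets.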