Snort mailing list archives

Questions after 1.9.1 install


From: John Sage <jsage () finchhaven com>
Date: Fri, 14 Mar 2003 21:19:48 -0800

Hello all. Long time no post..

Finally put 1.9.1 on after rebuilding my firewall to get into the
2.4.18 Linux kernel series, and have I got questions :-/


First of all, the tcpdump logfile is timestamped in UNIX time:

901956 Mar 12 20:31 snort.log.1047528578



Second, this rule is firing:

alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound \
from range 1025-4320";)

but this one isn't:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 \
Win2k SMB";)

even though I would think that the RTN list would check a specific
port before a port list..

Here's the alert itself:

[**] [1:0:0] TCP inbound from range 1025-4320 [**]
[Priority: 0]
03/13/03-20:24:48.401161 209.181.67.217:3195 -> 12.82.133.46:445
<snip>



And thirdly, I'm getting masses of these sorts of things:

[**] [117:1:1] (spp_portscan2) Portscan detected from 12.82.133.46:
6 targets 6 ports in 5 seconds [**]
03/13/03-20:09:52.818983 12.82.133.46:1034 -> 198.133.199.110:53

which is my caching-only nameserver talking outbound to..

..a nameserver...

[toot@tweedle /tmp]# host 198.133.199.110
110.199.133.198.in-addr.arpa domain name pointer arrowroot.arin.net.



Basic facts:

-*> Snort! <*-
Version 1.9.1 (Build 231)

Command line:

/usr/sbin/snort191 -o -c /etc/snort/snort191.conf &


snort.conf:

# $Id: snort.conf,v 1.110.2.4 2002/11/17 04:40:07 cazz Exp $

var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /etc/snort

config utc
config show_year
config interface: ppp0

preprocessor conversation: allowed_ip_protocols 1 6 17, timeout 60, \
 max_conversations 32000

preprocessor portscan2: scanners_max 3200, targets_max 5000, \
 target_limit 5, port_limit 20, timeout 60

output alert_full: alert.full
output log_tcpdump: snort.log

include /etc/snort/classification.config
include /etc/snort/reference.config

include $RULE_PATH/icmp191-local.rules
include $RULE_PATH/tcp191-local.rules
include $RULE_PATH/udp191-local.rules


TIA, and later...


- John
-- 
"You must define an operating system environment,
 or the configuration file build will puke."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
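Added example, not part of John's post or of the Snort project's own code: a small Python helper that works through the three items above against the values the post shows. It decodes the UNIX epoch in the tcpdump log name, lists every rule whose header matches the 209.181.67.217:3195 -> 12.82.133.46:445 flow in the order the rules appear in the file (the first thing to check when a less specific rule fires instead of a more specific one), and picks out portscan2 alerts whose "scanner" is a listed DNS server sending to port 53, which is what a caching resolver's outbound queries look like. The value substituted for $HOME_NET and $DNS_SERVERS (12.82.133.46/32) is an assumption standing in for $ppp0_ADDRESS, and the sample alert_full text is constructed from the lines quoted in the post.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed variable values: the post uses $ppp0_ADDRESS, so 12.82.133.46/32 is
# a placeholder. EXTERNAL_NET is !HOME_NET exactly as in the quoted snort.conf.
VARS = {"$EXTERNAL_NET": "!12.82.133.46/32", "$HOME_NET": "12.82.133.46/32"}
DNS_SERVERS = [ip_network("12.82.133.46/32")]   # DNS_SERVERS = $HOME_NET in the post

# The two rules from the post, in file order (continuation lines joined).
RULES = [
    'alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound from range 1025-4320";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 Win2k SMB";)',
]

# Constructed alert_full excerpt built from the alerts quoted in the post
# (the portscan2 message is one line in the real file; the mail wrapped it).
SAMPLE_ALERTS = """\
[**] [1:0:0] TCP inbound from range 1025-4320 [**]
[Priority: 0]
03/13/03-20:24:48.401161 209.181.67.217:3195 -> 12.82.133.46:445

[**] [117:1:1] (spp_portscan2) Portscan detected from 12.82.133.46: 6 targets 6 ports in 5 seconds [**]
03/13/03-20:09:52.818983 12.82.133.46:1034 -> 198.133.199.110:53
"""

RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$')
FLOW_RE = re.compile(r'^(\S+) (\S+):(\d+) -> (\S+):(\d+)$')


def log_epoch(filename):
    """snort.log.<epoch> -> ISO 8601 UTC string for the epoch suffix."""
    epoch = int(filename.rsplit(".", 1)[1])
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def _port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                       # Snort range syntax lo:hi, either end optional
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _addr_matches(spec, addr):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = True if spec == "any" else ip_address(addr) in ip_network(spec, strict=False)
    return hit != negate


def parse_rule(line):
    """Substitute variables and split a rule header; options keep only msg."""
    for var, val in VARS.items():
        line = line.replace(var, val)
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unparsable rule: " + line)
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg = re.search(r'msg:"([^"]*)"', opts)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": msg.group(1) if msg else ""}


def matching_rules(rules, proto, src, sport, dst, dport):
    """Return the msg of every rule whose header matches the flow, in file order."""
    hits = []
    for r in map(parse_rule, rules):
        if (r["proto"] == proto and _addr_matches(r["src"], src)
                and _port_matches(r["sport"], sport) and _addr_matches(r["dst"], dst)
                and _port_matches(r["dport"], dport)):
            hits.append(r["msg"])
    return hits


def parse_alert_full(text):
    """Parse alert_full output into dicts; unknown lines (priority, TCP detail) are skipped."""
    alerts, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = {"gid": int(h.group(1)), "sid": int(h.group(2)), "msg": h.group(4)}
            alerts.append(current)
            continue
        f = FLOW_RE.match(line)
        if f and current is not None:
            current.update(ts=f.group(1), src=f.group(2), sport=int(f.group(3)),
                           dst=f.group(4), dport=int(f.group(5)))
    return alerts


def dns_resolver_noise(alerts, dns_servers):
    """portscan2 alerts (gid 117) where the 'scanner' is a listed DNS server querying port 53."""
    return [a for a in alerts if a["gid"] == 117 and a.get("dport") == 53
            and any(ip_address(a["src"]) in n for n in dns_servers)]


if __name__ == "__main__":
    print(log_epoch("snort.log.1047528578"))
    print(matching_rules(RULES, "tcp", "209.181.67.217", 3195, "12.82.133.46", 445))
    for a in dns_resolver_noise(parse_alert_full(SAMPLE_ALERTS), DNS_SERVERS):
        print("resolver traffic, not a scan:", a["src"], "->", a["dst"], a["msg"])
```

Both rule headers match the quoted 3195 -> 445 packet, and the range rule is listed first in the file, which is worth knowing before reasoning about how the engine orders them. The resolver check only reports a host that is already declared as a DNS server and is sending to port 53, so it is a safe starting point for deciding which hosts the portscan preprocessor should not treat as scanners.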

