Snort mailing list archives
Re: Snort on an OpenBSD firewall
From: Dragos Ruiu <dr () kyx net>
Date: Mon, 28 Jun 2004 15:56:14 -0700
Is pf running?

cheers,
--dr

On June 28, 2004 12:29 pm, Sean Brown wrote:
I'm new to snort, and trying to get it running on my OpenBSD 3.5 firewall,
but it's just not working right. If I read the documentation right, I should
be able to have snort listen on pflog0 and just capture and watch the
traffic that's rejected by my firewall, which is handy because snort isn't
then logging all the arp traffic that shows up on the line.
When I launch snort with
/usr/local/bin/snort -c /etc/snort/snort.conf -i pflog0 -d
Nothing happens and after ctrl-d I get this:
Snort analyzed 212 out of 212 packets, dropping 0(0.000%) packets
Breakdown by protocol: Action Stats:
TCP: 0 (0.000%) ALERTS: 0
UDP: 0 (0.000%) LOGGED: 0
ICMP: 0 (0.000%) PASSED: 0
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 212 (100.000%)
DISCARD: 0 (0.000%)
But if I call it on my external interface I get a lot more:
Snort analyzed 275 out of 275 packets, dropping 0(0.000%) packets
Breakdown by protocol: Action Stats:
TCP: 198 (72.000%) ALERTS: 198
UDP: 1 (0.364%) LOGGED: 198
ICMP: 0 (0.000%) PASSED: 0
ARP: 74 (26.909%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
Now even to get that I had to add a TCP catchall which just fills the
database with noise, but that's another problem; it wouldn't even register a
port scan. Why, when I listen on pflog0, does it classify everything as
'Other' and just ignore it all? I can sit with tcpdump and watch it all on
pflog0.
Any help is appreciated
-Sean Brown
#Snort Config file
var HOME_NET 192.168.1.0/26
var EXTERNAL_NET any
var DNS_SERVERS [192.168.1.2,192.168.1.4]
var SQL_SERVERS 192.168.1.2
var TELNET_SERVERS 192.168.1.10
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SNMP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var RULE_PATH ./rules
config detection: search-method lowmem
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
# OUTPUT DATABASE
output database: log,mysql,dbname=snort user=snorter host=192.168.1.2 port=3306 sensor_name=SPARTA_FW_01
#
# Include classification & priority settings
#
include $RULE_PATH/classification.config
#
# Include reference systems
#
include $RULE_PATH/reference.config
# RULES
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/misc.rules
include /home/sean/test.rules
test.rules just has this:
alert tcp any any -> any any (msg:"TCP traffic";)
-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan Nov 11-12 2004 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp
