Hi Guys,

i have installed snort with snort document.

my setup as below

Lan : A.A.A.A Subnet
gateway : A.A.A.A Subnet

Firewall : B.B.B.B Subnet
Snort IDS : B.B.B.B Subnet

The gateway router will divert all the internet access to Firewall, which is different subnet.

If i try to make any vnc or ICMP to IDS box throu AAAA subnet, i gets alert.

if never get Chat alert, while using Yahoo msg throu AAA subnet.

Let me know, where i went wrong.

Thanks in advance.

Bharathvn

Ahhh, I'm not sure I even understand 10 percent of what you're trying to say...
Maybe you could test it by turning the rule you're after in a BPF filter for tcpdump and run tcpdump on the IDS box?
If you do please post a few lines from the log, your Snort version and the contents of your config and the rule from the rulefile.

Hi unspawn,

Thanks for your reply.

These are the network diagram and problem.

Desktop Lan to Router to internet

Desktop Lan to Switch to Firewall to Internet


Lan & Router subnet: 192.150.1.0

Firewall & IDS box subnet: 172.15.15.0

We have IPSEC Tunnel to our Corp HO. Which makes intranet.

Default gateway for Lan is Router.

Router will divert all Web access packet to Firewall through Switch.

I am not getting any alert like Yahoo/msn Msg or any virus alert

If I make VNC or ICMP to IDS box it alerts.

Even If I make telnet to firewall, there is no alert.

Especially If I access the IDS Box. I get alert. Otherwise there is no alert.

If I make TCPDUMP on the IDS box. There is no packet flow except the putty access.

If I make TCPDUMP on Firewall. I get the web transaction and yahoo msg transaction and so on….


Thanks
Bharathvn

The IDS and Firewall are physically separate boxen, right?
Where is the IDS situated? In front of the Firewall? (looking from LAN side)
How is the IDS configured as? (bridge?)
What is your Snort version? And post the contents of Snort config.

Yes, the IDS Box is Located in between Backbone switch and Firewall,

I have Snort 2.4.3 Version.

These are my Snort.Conf File
#--------------------------------------------------
# http://www.snort.org Snort current Ruleset
# Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id: snort.conf,v 1.159 2005/08/30 17:27:38 ssturges Exp $
#
###################################################
# This file contains a sample snort configuration.
# You can take the following steps to create your own custom configuration:
#
# 1) Set the variables for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Add any runtime config directives
# 5) Customize your rule set
###################################################
# Step #1: Set the network variables:
# var HOME_NET 10.1.1.0/24
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
var HOME_NET any
#var HOME_NET [192.168.144.0/23,192.168.151.0/24, 192.168.150/24, 192.168.145.0/23]
# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET any
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

# Configure your service ports. This allows snort to look for attacks destined
# to a specific application only on the ports that application runs on. For
# example, if you run a web server on port 8081, set your HTTP_PORTS variable
# like this:
#
# var HTTP_PORTS 8081
#
# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
# We will adding support for a real list of ports in the future.

# Ports you run web servers on
#
# Please note: [80,8080] does not work.
# If you wish to define multiple HTTP ports,
#
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
#
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules


###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of
# the form
# preprocessor <name_of_processor>: <configuration_options>

# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term, many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 0 hash 2

preprocessor frag2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500


preprocessor rpc_decode: 111 32771


preprocessor bo


preprocessor telnet_decode


preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { medium }
#sense_level { low }

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring. To make use of
# this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you. Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection.
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:

# SID Event description
# ----- -------------------
# 1 Unicast ARP request
# 2 Etherframe ARP mismatch (src)
# 3 Etherframe ARP mismatch (dst)
# 4 ARP cache overwrite attack

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

# X-Link2State mini-preprocessor
# ------------------------------
# This preprocessor will catch the X-Link2State vulnerability
# (http://www.microsoft.com/technet/sec.../MS05-021.mspx).
#
# Format:
# preprocessor xlink2state: ports { <port> [<port> <...>] } [drop]
#
# "drop" will drop the attack if in Inline-mode.

# SID Event description
# ----- -------------------
# 1 X-Link2State length greater than 1024

preprocessor xlink2state: ports { 25 691 }


output log_tcpdump: tcpdump.log

output database: log, mysql, user=snort password=snort dbname=snort host=localhost



include classification.config

include reference.config



include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules

Thanks,
Bharathvn

Config itself looks OK, but I would *really* like you to answer my other questions.

yes the Box is separate from Firewall.

i am not aware of configuring in Bridge. can u give me suggestion, how to configure in Bridge?

i am using the Snort 2.4.3.

Lan to switch to Firewall . the IDS is located in between switch and Firewall. ( like T)

Thanks
Bharathvn

i am not aware of configuring in Bridge.
How is it configured to get traffic across interfaces now? Iptables forwarding?
Who made this setup anyway?


can u give me suggestion, how to configure in Bridge?
Google around for "linux ethernet bridge" and you'll find bridge.sourceforge.net and/or the Bridge howto.

hi unspawn,

i have configured the setup,

i have mentioned setup as below

firewall ip : 160.20.20.1
Switch : 160.20.20.2
IDS: 160.20.20.3

i have not configured as bridge.

if i make tcpdump on IDS box, i used see only the SSH Traffic. which i make. otherthan this i don't find any traffic it's grabbing from the network
.
If i make tcpdump on firewall, i used to get all traffic. But i couldn't find these traffic in IDS box.

Do i need to enable any feature on this IDS BOX ?

Thanks
bharathvn

To cut things short I suggest you set the IDS box up as a bridge.
Read up on it at http://bridge.sourceforge.net .