LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-26-2004, 05:53 PM   #1
Pcghost
Senior Member
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Snort doesn't seem to catch anything I throw at it?


I have been trying to get this phase of my IDS implementation set up for weeks, and Snort is not cooperating. I printed and have read the manual, surfed the mailing lists, and beat my head against a wall, but nothing seems to work. What I am looking for is for my Squid Proxy (the sensor) to be able to detect port scans and other nefarious activity originating from it or directed at it. After starting Snort with -D -c /usr/local/Snort-2.1.2/etc/snort.conf, and verifying it is running in ps, I blast away on the network with every type of nmap scan I know, and nothing. Even when I direct my scans at the machines it is supposed to be watching, it misses every port scan. Occasionally I get a useless portscan alert in the logs, but it is always from my Squid proxy's external IP, and never coincides with an actual scan I am running.

Here is my conf file. Can anyone see what is wrong? I have stream4 and flow/flow-portscan set up. Why is it failing to detect my scans?
Snort is running on my Squid Proxy/firewall (0.8 internal, 10.10 external)

var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS 192.168.0.3
var SMTP_SERVERS [192.168.0.11,192.168.0.17,192.168.0.158]
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS [192.168.0.4,192.168.0.51,192.168.0.74]
var TELNET_SERVERS $HOME_NET

var HTTP_PORTS 80:8080
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var RULE_PATH ../rules

config disable_decode_alerts

preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: detect_scans,disable_evasion_alerts,ttl_limit 0
preprocessor stream4_reassemble

preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server 192.168.0.8 \
ports { 80 3128 8080 } \
flow_depth 0 \
ascii no \
double_decode yes \
non_rfc_char { 0x00 } \
chunk_length 500000 \
non_strict \
oversize_dir_length 500 \
no_alerts

preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode

preprocessor flow-portscan: \
talker-sliding-scale-factor 0.50 \
talker-fixed-threshold 30 \
talker-sliding-threshold 30 \
talker-sliding-window 20 \
talker-fixed-window 30 \
scoreboard-rows-talker 30000 \
server-watchnet $HOME_NET \
server-ignore-limit 200 \
server-rows 65535 \
server-learning-time 3200 \
server-scanner-limit 4 \
scanner-sliding-window 20 \
scanner-sliding-scale-factor 0.50 \
scanner-fixed-threshold 15 \
scanner-sliding-threshold 40 \
scanner-fixed-window 15 \
scoreboard-rows-scanner 30000 \
# src-ignore-net [192.168.1.1/32] \
# dst-ignore-net [10.0.0.0/30] \
alert-mode once \
output-mode msg \
tcp-penalties on

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full: alert

include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include ...............(all the other rules files as well).....

If someone could point me in the right direction here you would be my hero.

 
Old 04-28-2004, 01:04 PM   #2
Pcghost
Senior Member
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Original Poster
A closer inspection of the messages log showed that by default Snort was binding to eth0 (the wrong NIC). I added -i eth1 to the command-line startup so it read

snort -D -i eth1 -c /etc/snort/snort.conf

and all is well. :-)
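The mistake above (Snort sniffing the wrong NIC while HOME_NET lives on another) is easy to catch before running any test scans. As an added sanity check, not from the thread or the Snort project, the Python below pulls HOME_NET from snort.conf, works out which interface actually holds a HOME_NET address, and compares that with the interface Snort is sniffing (the -i argument, or libpcap's default when -i is absent). The snort.conf fragment, command line and `ip -o -4 addr`-style output are constructed samples.

```python
import ipaddress
import re
import shlex

# Constructed samples (not captured output): HOME_NET from the snort.conf above,
# the command line as first started (no -i), and `ip -o -4 addr`-style output.
SNORT_CONF = "var HOME_NET 192.168.0.0/24\nvar EXTERNAL_NET any\n"
SNORT_CMDLINE = "snort -D -c /usr/local/Snort-2.1.2/etc/snort.conf"
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.10.0.2/24 brd 10.10.0.255 scope global eth0
3: eth1    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
"""

def home_net(conf_text):
    """Parse 'var HOME_NET ...' (single net or [a,b,...] list) into networks."""
    m = re.search(r"^\s*var\s+HOME_NET\s+(\S+)", conf_text, re.M)
    if not m:
        raise ValueError("no HOME_NET var found")
    return [ipaddress.ip_network(n, strict=False)
            for n in m.group(1).strip("[]").split(",")]

def interfaces(ip_addr_text):
    """Map interface name -> IPv4 interface addresses from `ip -o -4 addr` lines."""
    ifaces = {}
    for line in ip_addr_text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            ifaces.setdefault(m.group(1), []).append(ipaddress.ip_interface(m.group(2)))
    return ifaces

def sniff_interface(cmdline, ip_addr_text):
    """The -i argument if given, else libpcap's default: first non-loopback interface."""
    args = shlex.split(cmdline)
    if "-i" in args:
        return args[args.index("-i") + 1]
    return next((n for n in interfaces(ip_addr_text) if n != "lo"), None)

def check_sensor(conf_text, cmdline, ip_addr_text):
    """Return (ok, message); ok when the sniffed interface holds a HOME_NET address."""
    nets = home_net(conf_text)
    net_s = ",".join(map(str, nets))
    want = [n for n, addrs in interfaces(ip_addr_text).items()
            if any(a.ip in net for a in addrs for net in nets)]
    got = sniff_interface(cmdline, ip_addr_text)
    if got in want:
        return True, f"snort sniffs {got}, which is on HOME_NET {net_s}"
    hint = f"start with -i {want[0]}" if want else "no interface has a HOME_NET address"
    return False, f"snort sniffs {got} but HOME_NET {net_s} is on {want}; {hint}"
```

On a real sensor, feed it the actual snort.conf, the `ps` command line and `ip -o -4 addr` output; a False result means the portscan preprocessor never sees the LAN traffic, whatever the thresholds say.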
 
Old 04-28-2004, 03:54 PM   #3
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Oh cool, you solved your own problem :-]