Old 06-18-2003, 10:16 AM   #16
unSpawn
Moderator
 
1. If you changed your snort.conf, repost it, but leave out the comment lines this time (do `grep -v -e "^#" snort.conf`).
2. Post the full* command line you run Snort with.
3. Post the output* from running Snort in test mode; see the other post for the correct command line.

*If I suspect you are again not posting in full, I will not be able to help you and I will tell you so.
 
Old 06-18-2003, 01:21 PM   #17
chamkila
Member
 
Original Poster
Here is all the info you asked for, thanks a lot.

(1) Here is all the info, first my snort.conf:

var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET

var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules

preprocessor frag2: memcap 16777216, timeout 30
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both,ports[all]
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode: 21 23 25 119
preprocessor portscan: $HOME_NET 1 1 portscan.log
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2: scanners_max 1000, targets_max 1024, target_limit 1, port_limit 1, timeout 60, log /var/log/snort/fportscan

output alert_syslog: LOG_LOCAL6
output alert_full: alert.full

include classification.config
include reference.config

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules


(2) Here is what I get in test mode:

Initializing Network Interface eth0

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...[*] Frag2 config:
Fragment timeout: 30 seconds
Fragment memory cap: 16777216 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
State Protection: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Stream4_reassemble config:
Server reassembly: ACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Ports:
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
Unicode decoding
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
KeepStats: 0
Conv Count: 3000
Timeout : 60
Alert Odd?: 0
Allowed IP Protocols: All

Portscan2 config:
log: /var/log/snort/fportscan
scanners_max: 1000
targets_max: 1024
target_limit: 1
port_limit: 1
timeout: 60
1413 Snort rules read...
1413 Option Chains linked into 154 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log


--== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.0 (Build 72)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
Snort exiting



(3) This is the command I run Snort with as a daemon:

snort -Dd -z -s -i eth0 -c /etc/snort/snort.conf


Thanks again
 
Old 06-18-2003, 01:46 PM   #18
unSpawn
Moderator
 
Ok. So you posted full info. Good.

We talked about Snort receiving info from both ethernet devices.
I gave you a few solutions to try with respect to $HOME_NET and "-i", but it seems you didn't try them out or use them.
I'm wondering what use my replies are to you then?

Anyway. Your $HOME_NET still shows you have narrowed it down to your subnet instead of "any", and your portscan2 preprocessor line shows "$HOME_NET".
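The point of the post above is that $HOME_NET is not just one line: every preprocessor and var that references it inherits the narrowed subnet. The following is an added example (not from the thread or from Snort itself) that parses a comment-stripped snort.conf, resolves $VAR chains the way Snort's `var` mechanism does, and lists which directives end up bound to HOME_NET; the sample config is a constructed excerpt of the one posted in this thread.

```python
import re

# Constructed excerpt of the snort.conf posted above, with the comment lines
# already removed (what grep -v "^#" snort.conf leaves behind).
SAMPLE_CONF = """\
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var RULE_PATH /etc/snort/rules
preprocessor portscan: $HOME_NET 1 1 portscan.log
preprocessor portscan2: scanners_max 1000, log /var/log/snort/fportscan
include $RULE_PATH/local.rules
"""
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")
REF_RE = re.compile(r"\$(\w+)")

def parse_vars(conf):
    """Collect 'var NAME VALUE' lines, ignoring comments and blank lines."""
    out = {}
    for line in conf.splitlines():
        m = VAR_RE.match(line.split("#", 1)[0])
        if m:
            out[m.group(1)] = m.group(2)
    return out

def expand(value, variables, depth=0):
    """Substitute $NAME references recursively (DNS_SERVERS -> $HOME_NET ->
    192.168.0.0/24), raising on undefined names or reference loops."""
    if depth > 16:
        raise ValueError("variable reference loop")
    def sub(m):
        if m.group(1) not in variables:
            raise KeyError("undefined variable $" + m.group(1))
        return expand(variables[m.group(1)], variables, depth + 1)
    return REF_RE.sub(sub, value)

def home_net_dependents(conf):
    """Map every non-var directive that inherits $HOME_NET (directly or through
    another var) to the concrete line Snort ends up using."""
    variables = parse_vars(conf)
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or VAR_RE.match(line):
            continue
        refs = REF_RE.findall(line)
        if any(n == "HOME_NET" or "$HOME_NET" in variables.get(n, "") for n in refs):
            found[line] = expand(line, variables)
    return found
```

Running `home_net_dependents` over the posted config shows the portscan preprocessor resolving to 192.168.0.0/24, which is why traffic outside that subnet (the second interface, or the router side) never counts as "home".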
 
Old 06-18-2003, 02:08 PM   #19
chamkila
Member
 
Original Poster
Could you see any problem with the above information I gave you? I have tried everything you said.

Do you have any more ideas?
 
Old 06-18-2003, 02:30 PM   #20
chamkila
Member
 
Original Poster
This may help or may not. I have an ADSL router which all my traffic goes in and out through. Is that going to be a problem?
 
  


All times are GMT -5. The time now is 11:07 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration