Re: [Snort-users] Questions after 1.9.1 install

From: Alberto Gonzalez <albertg(at)wwjh.net>
Date: Sat Mar 15 2003 - 01:25:44 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Hello all. Long time no post..

{ yawn... } Hello

> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 \

Hrm... let's take a look at this

(cervello is internal @ 192.168.1.4)

(root@cervello)(~) cat /etc/snort/rules/local.rules

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "TCP inbound to 445 Win2k SMB"; )


Then from my gateway

(root@cerebro)(~) telnet 192.168.1.4 445
Trying 192.168.1.4...
telnet: connect to address 192.168.1.4: Connection refused
(root@cerebro)(~)

I go back to cervello

(root@cervello)(~) tail -f /var/log/snort/alert

[**] [1:0:0] TCP inbound to 445 Win2k SMB [**]
[Priority: 0]
03/15-01:24:28.795690 192.168.1.1:44904 -> 192.168.1.4:445
TCP TTL:51 TOS:0x0 ID:12719 IpLen:20 DgmLen:40
******S* Seq: 0x7DE72FFE  Ack: 0x0  Win: 0x1000  TcpLen: 20

It worked here, verified it on Linux and OpenBSD.

(root@cervello)(~) snort -V

   -*> Snort! <*-
   Version 1.9.1 (Build 231)
   By Martin Roesch (roesch@sourcefire.com, www.snort.org)

>
> And thirdly, I'm getting mass these sorts of things:


This looks like it's the same situation as when someone is surfing the web. Try putting the machines you want to ignore in spp_portscan2 ignorehosts, or you can use the methods discussed here[0].

>
> - John
>

 Cheers,
 Alberto Gonzalez

[0] - http://www.theadamsfamily.net/~erek/snort/ignore.txt

-- "Success comes to the person who does today, what you are thinking of doing tomorrow."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+csdsa3vAB/3yp/IRAqJ3AJ4lCA2vbwcwotGhLr+/IaF1HDTSAwCg02m4
VIiaKgxuR3ZFXpqtW38uAPg=
=62Cb
-----END PGP SIGNATURE-----
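Added example (not code from the post, and not part of Snort itself): a small Python parser for the full-format alert records that Snort 1.x writes to /var/log/snort/alert, in the layout shown in the message above, plus a check for whether the triggering packet was a bare SYN and an after-the-fact source ignore list in the spirit of spp_portscan2's ignorehosts. It makes the first point of the reply concrete: the rule fires on the SYN, which is on the wire before the target's "connection refused" RST, and because the rule has no flags: option it would equally fire on any later packet to 445. The first sample record is the alert from the post; the other two records, the 10.0.0.7 and 172.16.5.9 addresses, the ignore list and all function names are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Set

# Snort 1.x prints TCP flags in eight fixed positions (reserved bit 1,
# reserved bit 2, URG, ACK, PSH, RST, SYN, FIN); '*' marks a clear bit.
FLAG_POSITIONS = "12UAPRSF"

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"^\[Priority: (\d+)\]$")
ADDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)"
                    r"\s+Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)")

# Constructed sample alert file: record 1 is the alert from the post; records
# 2 and 3 are invented (a mid-stream PSH/ACK to 445, and a SYN from a host
# that we will place on an ignore list).
SAMPLE_ALERT_FILE = """\
[**] [1:0:0] TCP inbound to 445 Win2k SMB [**]
[Priority: 0]
03/15-01:24:28.795690 192.168.1.1:44904 -> 192.168.1.4:445
TCP TTL:51 TOS:0x0 ID:12719 IpLen:20 DgmLen:40
******S* Seq: 0x7DE72FFE  Ack: 0x0  Win: 0x1000  TcpLen: 20

[**] [1:0:0] TCP inbound to 445 Win2k SMB [**]
[Priority: 0]
03/15-01:30:02.112233 10.0.0.7:51234 -> 192.168.1.4:445
TCP TTL:64 TOS:0x0 ID:4401 IpLen:20 DgmLen:112
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x4000  TcpLen: 20

[**] [1:0:0] TCP inbound to 445 Win2k SMB [**]
[Priority: 0]
03/15-01:31:15.000001 172.16.5.9:40001 -> 192.168.1.4:445
TCP TTL:60 TOS:0x0 ID:9 IpLen:20 DgmLen:40
******S* Seq: 0x00000001  Ack: 0x0  Win: 0x1000  TcpLen: 20
"""


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    priority: int
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ttl: int
    flags: Set[str]  # e.g. {"S"} for a bare SYN


def parse_alerts(text: str) -> List[Alert]:
    """Parse a Snort 1.x full-format alert file into Alert records.

    Records are separated by blank lines; a record whose five lines do not
    all match the expected layout (e.g. a non-TCP alert) is skipped.
    """
    alerts: List[Alert] = []
    for record in re.split(r"\n\s*\n", text.strip()):
        # Tolerate the header and priority being run together on one line.
        record = record.replace("[**] [Priority:", "[**]\n[Priority:")
        lines = [ln.strip() for ln in record.splitlines() if ln.strip()]
        if len(lines) < 5:
            continue
        hdr, pri = HEADER_RE.match(lines[0]), PRIORITY_RE.match(lines[1])
        addr, ip, tcp = ADDR_RE.match(lines[2]), IP_RE.match(lines[3]), TCP_RE.match(lines[4])
        if not (hdr and pri and addr and ip and tcp):
            continue
        flags = {FLAG_POSITIONS[i] for i, ch in enumerate(tcp.group(1)) if ch != "*"}
        alerts.append(Alert(
            gid=int(hdr.group(1)), sid=int(hdr.group(2)), rev=int(hdr.group(3)),
            msg=hdr.group(4), priority=int(pri.group(1)), timestamp=addr.group(1),
            src=addr.group(2), sport=int(addr.group(3)),
            dst=addr.group(4), dport=int(addr.group(5)),
            proto=ip.group(1), ttl=int(ip.group(2)), flags=flags,
        ))
    return alerts


def is_bare_syn(alert: Alert) -> bool:
    """True when only SYN is set: the opening packet of a connection attempt.

    A rule without a flags: option matches this packet whether or not the
    target later refuses the connection, which is why the post's telnet test
    logged an alert despite "Connection refused".
    """
    return alert.flags == {"S"}


def drop_ignored_sources(alerts: List[Alert], ignore_hosts: List[str]) -> List[Alert]:
    """Drop alerts whose source lies in a list of hosts or CIDR blocks.

    This is an after-the-fact filter in the spirit of spp_portscan2's
    ignorehosts, not the preprocessor's own implementation.
    """
    nets = [ipaddress.ip_network(h, strict=False) for h in ignore_hosts]
    return [a for a in alerts if not any(ipaddress.ip_address(a.src) in n for n in nets)]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERT_FILE)
    for a in drop_ignored_sources(parsed, ["172.16.5.0/24"]):
        kind = "bare SYN" if is_bare_syn(a) else "flags " + "".join(sorted(a.flags))
        print(f"{a.timestamp} {a.src}:{a.sport} -> {a.dst}:{a.dport} [{a.gid}:{a.sid}] {kind}")
```

Running it prints the two records that survive the ignore list; the first is the post's own alert, classified as a bare SYN. The flag-string mapping follows Snort 1.x's fixed "12UAPRSF" column order, so a record such as "***AP***" decodes to ACK and PSH.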




Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

Received on Sat Mar 15 01:46:35 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:11:49 EDT

