From: agetchelkde.state.ky.us
Date: Wed May 23 2001 - 16:33:22 CDT


    Hi all,
            To clarify the post I made below, because I have received some
    questions about it: The HOME_NET variable and the '-h <home network>'
    command line option are unrelated. The HOME_NET tells Snort what your
    internal netblock is, and the '-h <home network>' command line option tells
    Snort what names to use when creating the directories it logs data to.

    Thanks,
    Abe

    Abe L. Getchell - Security Engineer
    Division of System Support Services
    Kentucky Department of Education
    Voice 502-564-2020x225
    E-mail agetchelkde.state.ky.us
    Web http://www.kde.state.ky.us/

    > -----Original Message-----
    > From: agetchelkde.state.ky.us [mailto:agetchelkde.state.ky.us]
    > Sent: Wednesday, May 23, 2001 4:44 PM
    > To: Keith.McCammoneadvancemed.com
    > Cc: focus-idssecurityfocus.com
    > Subject: RE: Snort Logging Question(s)
    >
    >
    > Hi Keith,
    > Answer to 'PART ONE!': When you do not specify the '-h <home
    > network>' on the command line (_NOT_ the same as the HOME_NET
    > variable in
    > the snort.conf file) Snort will log packets to the directory
    > with the IP
    > address that has the higher numerical value. To log all
    > packets in the
    > directory with the appropriate IP address, define your home
    > network using
    > '-h' on the command line.
    >
    > Thanks,
    > Abe
    >
    > Abe L. Getchell - Security Engineer
    > Division of System Support Services
    > Kentucky Department of Education
    > Voice 502-564-2020x225
    > E-mail agetchelkde.state.ky.us
    > Web http://www.kde.state.ky.us/
    >
    >
    >
    > > -----Original Message-----
    > > From: McCammon, Keith [mailto:Keith.McCammoneadvancemed.com]
    > > Sent: Wednesday, May 23, 2001 3:15 PM
    > > To: 'focus-idssecurityfocus.com'
    > > Subject: Snort Logging Question(s)
    > >
    > >
    > > Hey all,
    > >
    > > Over time, I've noticed a few funny things about my Snort
    > > logs. I'm hoping
    > > someone here can explain these occurrences. Nothing
    > > disruptive, just kind
    > > of curious logging behaviors...
    > >
    > > PART ONE!
    > >
    > > I have a host within my home net, call it x.x.x.1. I see an
    > > alert in my
    > > alert.ids file indicating that a rogue packet has come from
    > > some random
    > > machine on the 'net and is targeted at x.x.x.1. Example:
    > >
    > > [**] IDS283/shellcode-x86-setuid0 [**]
    > > 05/23-13:24:50.915462 206.65.183.40:80 -> x.x.x.1:45377
    > > TCP TTL:255 TOS:0x0 ID:0 IpLen:20 DgmLen:2954
    > > ***AP*** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
    > >
    > > However, when I look through the logs files for the
    > > 206.65.183.40 directory,
    > > it doesn't exist. Instead, the packet capture is in
    > > directory x.x.x.1 (the
    > > target host). And, since someone will ask, this is not
    > > specific to this
    > > target host; I've seen this happen with several hosts with no
    > > discernible
    > > correlation.
    > >
    > > PART TWO!
    > >
    > > Without fail, whenever a portscan is logged to alert.ids, the
    > > next alert to
    > > get logged is logged without a space between the two events
    > > as seen below.
    > > Again, not disruptive, but does cause some problems with
    > > analysis engines.
    > >
    > > [**] spp_portscan: portscan status from 216.106.166.212: 3
    > > connections
    > > across 1 hosts: TCP(0), UDP(3) [**]
    > > 05/23-13:23:34.808000
    > > [**] spp_portscan: End of portscan from 216.106.166.212:
    > > TOTAL time(18s)
    > > hosts(1) TCP(0) UDP(14) [**]
    > > 05/23-13:23:40.847000
    > > [**] IDS283/shellcode-x86-setuid0 [**]
    > > 05/23-13:24:50.907432 206.65.183.40:80 -> x.x.x.2:45377
    > > TCP TTL:114 TOS:0x0 ID:37960 IpLen:20 DgmLen:1500
    > > ***A**** Seq: 0x74BCF98C Ack: 0xEA71F867 Win: 0x42FD TcpLen: 20
    > >
    > > Any thoughts on these occurrences would be appreciated.
    > >
    > > Thanks,
    > >
    > > Keith W. McCammon
    > > Sr. Network Engineer
    > > AdvanceMed Corporation
    > > 11710 Plaza America Drive
    > > Reston, VA 20190
    > >
    >
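An added example (not code from the thread or from Snort itself) covering both parts of the exchange: a small alert.ids reader that splits records on the `[**]` header line, so the missing blank line after spp_portscan events described in PART TWO does not merge records, plus a helper that models the directory choice Abe describes. The sample text is constructed from the alerts quoted above with x.x.x.2 replaced by the documentation address 192.0.2.2; treating the address outside the home net as the directory name when `-h` is given is an assumption drawn from Keith's expectation, not something the thread spells out.

```python
import ipaddress
import re

# Constructed sample in the alert.ids layout quoted in the thread. The two
# spp_portscan records are deliberately NOT followed by a blank line (PART TWO);
# x.x.x.2 is replaced by the placeholder documentation address 192.0.2.2.
SAMPLE = """\
[**] spp_portscan: portscan status from 216.106.166.212: 3 connections across 1 hosts: TCP(0), UDP(3) [**]
05/23-13:23:34.808000
[**] spp_portscan: End of portscan from 216.106.166.212: TOTAL time(18s) hosts(1) TCP(0) UDP(14) [**]
05/23-13:23:40.847000
[**] IDS283/shellcode-x86-setuid0 [**]
05/23-13:24:50.907432 206.65.183.40:80 -> 192.0.2.2:45377
TCP TTL:114 TOS:0x0 ID:37960 IpLen:20 DgmLen:1500
***A**** Seq: 0x74BCF98C Ack: 0xEA71F867 Win: 0x42FD TcpLen: 20

"""

HEADER = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
PACKET = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
TIMESTAMP = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+$")

def parse_alerts(text):
    """Split alert.ids text into records keyed by the [**] header, never by blank lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"msg": m.group(1), "src": None, "dst": None})
            continue
        if not records or not line.strip():
            continue
        m = PACKET.match(line)
        if m:
            records[-1].update(ts=m.group(1), src=m.group(2), dst=m.group(4))
        elif TIMESTAMP.match(line):
            records[-1]["ts"] = line  # portscan records carry only a timestamp line
    return records

def log_directory(src, dst, home_net=None):
    """Directory name for a packet under the rule stated in the thread: without a
    home net, the numerically higher address; with one (assumption), the address
    that lies outside the home net."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if home_net is not None:
        net = ipaddress.ip_network(home_net, strict=False)
        return str(d if s in net else s)
    return str(max(s, d))
```

With the placeholder 192.0.2.2 (numerically below 206.65.183.40) the no-home-net rule already picks the external address; an internal address above 206.65.183.40, as in Keith's report, sends the capture to the target's directory until `-h` is set.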