From: Martin Roesch (roeschmd.prestige.net)
Date: Mon Mar 12 2001 - 00:59:19 CST


    Check out your rules:

    var HOME_NET 129.236.21.0/24
    var EXTERNAL_NET !129.236.21.0/24

    That means you can't be on the same subnet and test the Snort rules;
    it's ignoring attacks coming from your network. Try 'var EXTERNAL_NET
    any' and see how that works.

        -Marty

    Lawrence Rosen wrote:
    >
    > I recently installed a snort-1.7-1.i386.rpm on my dual processor
    > DELL box running RedHat 6.2. I'm missing some functionality.
    >
    > Starting the snort daemon at boot time doesn't put the ethernet
    > interface into promiscuous mode. I issued the command 'ifconfig eth0
    > promisc' to configure eth0 as shown below. This doesn't seem correct
    > based on my reading of the documentation. libpcap-0.4-1.9 is the
    > version installed. Thanks in advance for any advice about the situation.
    >
    > ==========================================================================
    >
    > eth0 Link encap:Ethernet HWaddr 00:B0:D0:3D:96:09
    > inet addr:129.236.21.85 Bcast:129.236.21.255
    > Mask:255.255.255.0
    > UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
    > RX packets:2939 errors:0 dropped:0 overruns:1 frame:0
    > TX packets:851 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:100
    > Interrupt:16 Base address:0xdc80
    >
    > lo Link encap:Local Loopback
    > inet addr:127.0.0.1 Mask:255.0.0.0
    > UP LOOPBACK RUNNING MTU:3924 Metric:1
    > RX packets:893 errors:0 dropped:0 overruns:0 frame:0
    > TX packets:893 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:0
    > ==========================================================================
    >
    > The command used during boot to start snort in its daemon mode is:
    >
    > INTERFACE=eth0
    > daemon /usr/sbin/snort -u snort -g snort -s -d -D -i $INTERFACE -l
    > /var/log/snort -c /etc/snort/snort.conf
    > ============================================================================
    >
    > Despite putting the ethernet card in promiscuous mode, snort
    > reports SYN stealth and other nmap scans when they are directed at
    > this particular machine but not at other machines on the subnet.
    >
    > Snort does, however, report things of the following kind:
    >
    > MISC Large UDP Packet: 129.236.110.79:0 -> 129.236.21.203:0
    >
    > which suggests it is able to match certain kinds of packets
    > with its rule sets (UPDATED 02/21/2001).
    >
    > The machine is located on an ethernet subnet. The snort.conf
    > file has the following entries:
    >
    > var HOME_NET 129.236.21.0/24
    > var EXTERNAL_NET !129.236.21.0/24
    > var SMTP $HOME_NET
    > var HTTP_SERVERS $HOME_NET
    > var DNS_SERVERS [129.236.10.30/32,129.236.10.20/32,129.236.21.202/32]
    >
    > preprocessor minfrag: 128
    > preprocessor defrag
    > preprocessor http_decode: 80 8080
    > preprocessor portscan: $HOME_NET 4 3 portscan.log
    > preprocessor portscan-ignorehosts: $DNS_SERVERS
    >
    > include /etc/snort/local.rules
    > include /etc/snort/exploit.rules
    > include /etc/snort/scan.rules
    > include /etc/snort/finger.rules
    > include /etc/snort/ftp.rules
    > include /etc/snort/telnet.rules
    > include /etc/snort/smtp.rules
    > include /etc/snort/rpc.rules
    > include /etc/snort/rservices.rules
    > include /etc/snort/backdoor.rules
    > include /etc/snort/dos.rules
    > include /etc/snort/ddos.rules
    > include /etc/snort/dns.rules
    > include /etc/snort/netbios.rules
    > include /etc/snort/web-cgi.rules
    > include /etc/snort/web-coldfusion.rules
    > include /etc/snort/web-frontpage.rules
    > include /etc/snort/web-misc.rules
    > include /etc/snort/web-iis.rules
    > include /etc/snort/icmp.rules
    > include /etc/snort/misc.rules
    > # include policy.rules
    > # include info.rules
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-users@lists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users

    --
    Martin Roesch
    roeschmd.prestige.net
    http://www.snort.org
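Marty's point in runnable form: with `var EXTERNAL_NET !129.236.21.0/24`, a rule header of the stock shape `$EXTERNAL_NET any -> $HOME_NET any` can never match a probe whose source is on the sensor's own /24, while `var EXTERNAL_NET any` does. This is an added example, not code from the thread or from Snort; it re-implements the Snort 1.x address-variable syntax (`any`, CIDR, `!` negation, bracketed lists, `$VAR` references) in Python, and the scanner address 129.236.21.50 is constructed.

```python
import ipaddress

def resolve(variables, token):
    """Expand a Snort 1.x address token: fold leading '!' negation, follow $VAR
    references (e.g. 'var SMTP $HOME_NET'), return (negated, raw_address_text)."""
    token = token.strip()
    negated = False
    while token.startswith("!"):          # each '!' toggles the sense
        negated, token = not negated, token[1:].strip()
    if token.startswith("$"):
        inner_neg, token = resolve(variables, variables[token[1:]])
        negated ^= inner_neg
    return negated, token

def address_matches(variables, token, ip):
    """Does an address token ('any', CIDR, '!CIDR', '[a/32,b/32]', '$VAR') match ip?"""
    negated, text = resolve(variables, token)
    if text == "any":
        return not negated
    parts = text[1:-1].split(",") if text.startswith("[") else [text]
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in parts]
    hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated                 # negation inverts the result

def rule_header_matches(variables, header, src_ip, dst_ip):
    """Evaluate the address fields of a rule header such as
    '$EXTERNAL_NET any -> $HOME_NET any' against one packet (ports ignored)."""
    src, _sport, arrow, dst, _dport = header.split()
    fwd = address_matches(variables, src, src_ip) and address_matches(variables, dst, dst_ip)
    if arrow == "->":
        return fwd
    # '<>' is bidirectional: also try the reverse pairing
    return fwd or (address_matches(variables, src, dst_ip) and address_matches(variables, dst, src_ip))

# Variables exactly as quoted in the thread, and with Marty's suggested change
ORIGINAL = {"HOME_NET": "129.236.21.0/24", "EXTERNAL_NET": "!129.236.21.0/24"}
FIXED = {"HOME_NET": "129.236.21.0/24", "EXTERNAL_NET": "any"}
SCAN_HEADER = "$EXTERNAL_NET any -> $HOME_NET any"   # shape of the stock scan rules

def scan_rule_fires(variables, scanner_ip, target_ip="129.236.21.85"):
    """Would a scan rule with SCAN_HEADER match a probe from scanner_ip to the sensor?"""
    return rule_header_matches(variables, SCAN_HEADER, scanner_ip, target_ip)

if __name__ == "__main__":
    # Constructed scanner address on the same /24 as the sensor (not from the thread)
    print(scan_rule_fires(ORIGINAL, "129.236.21.50"))    # False: '!' excludes own subnet
    print(scan_rule_fires(FIXED, "129.236.21.50"))       # True
    print(scan_rule_fires(ORIGINAL, "129.236.110.79"))   # True: off-subnet source still matches
```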
    
