Wil Snyder
08-15-2004, 09:37 PM
I'm trying to set up a home network, and am not understanding how snort (2.2.0) works. My internet connection is pppoe dsl, I have linux fedora core2 on the firewall box, and have set up shorewall by hand with nat enabled. The firewall and nat work fine now as far as I can tell.
I have snort installed, and have spent many hours reading, trying to figure out how it works. When I use a command like snort -A fast -l /var/log/snort -d -i eth0, snort logs offending IP addresses in /var/log/snort as directories, but never writes anything to /var/log/snort/alert. (At first I thought I should use ppp0 as the interface, but then snort never logs anything at all, even when I scan my machine.) Now I would like to run snort in IDS mode, so according to what I've read I should use a command like snort -A fast -d -i eth0 -c /etc/snort.conf. However, when I use that command, nothing ever gets logged, and nothing gets written to the alerts file (or any syslog file either). I would eventually like to use something like Dan's Guardian to block offending sites, but Guardian uses the snort alert file, which is always empty. Why isn't anything getting written to the alerts file? Shouldn't the events that cause logging to occur get written to the alert file? I honestly don't understand how it works, and at this point the more I read the more confused I get.
Below is my snort.conf file. Snort.conf is supposedly self explanatory, but not to a newbie like me. I'm using the default rule set, which I put in /etc/snort/rules. Can anyone point me in the right direction?
snort.conf lines-------------------------
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
include classification.config
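One thing visible in the posted snort.conf: it ends at `include classification.config` and contains no `include $RULE_PATH/<name>.rules` lines, so when Snort is started with -c it loads the variables and preprocessors but no signatures, and apart from preprocessor-generated events there is nothing that can produce a line in the alert file. The script below is an added example, not code from the post or from the Snort project. It lints a Snort 2.x config for that condition (no rule includes, or includes pointing at rule files that do not exist after expanding $RULE_PATH), and writes a one-line ICMP test rule into a local rule file so that a single ping proves alert output works before the real rule set is tuned. Function names and the paths used are hypothetical; `snort -T` is Snort's own config-test option. Relative include paths are assumed to resolve against the config file's directory.

```sh
#!/bin/sh
# Added example: lint a Snort 2.x snort.conf for the conditions that make
# "snort -c snort.conf" run without ever writing an alert. Not part of the
# original post; helper names and paths are hypothetical.

# Print the rule-file include lines in CONF (empty output if there are none).
# Commented-out includes ("# include ...") are deliberately not matched.
rule_includes() {
    grep '^[[:space:]]*include[[:space:]].*\.rules' "$1" || true
}

# Number of rule-file include lines in CONF (prints 0 when there are none).
count_rule_includes() {
    rule_includes "$1" | grep -c . || true
}

# Value of "var RULE_PATH ..." in CONF; prints nothing if it is not set.
rule_path() {
    awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$1"
}

# Return 0 if CONF includes at least one .rules file, 1 otherwise.
check_rules_present() {
    n=$(count_rule_includes "$1")
    if [ "$n" -eq 0 ]; then
        echo "FAIL: $1 has no 'include \$RULE_PATH/<name>.rules' line; with -c, no signatures are loaded" >&2
        return 1
    fi
    echo "OK: $n rule file include(s) in $1"
    return 0
}

# Count included rule files that do not exist on disk after expanding
# $RULE_PATH. The return status is that count (0 = every file was found).
# Relative paths are assumed to resolve against the config's directory.
count_missing_rule_files() {
    conf=$1
    rp=$(rule_path "$conf")
    missing=0
    for f in $(rule_includes "$conf" | awk '{ print $2 }'); do
        case $f in
            '$RULE_PATH'/*) f="$rp/${f#\$RULE_PATH/}" ;;
            /*) ;;
            *) f="$(dirname "$conf")/$f" ;;
        esac
        if [ ! -f "$f" ]; then
            echo "MISSING: $f" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Write a minimal rule file that fires on any ICMP packet to HOME_NET, so a
# ping from another host proves the alert path works. The sid is in the
# local-rule range (>= 1000000) so it cannot collide with a vendor rule.
write_test_rule() {
    cat > "$1" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"LOCAL icmp test"; sid:1000001; rev:1;)
EOF
}

# Usage: sh snortconf_check.sh /etc/snort/snort.conf
if [ -n "$1" ] && [ -f "$1" ]; then
    check_rules_present "$1"
    count_missing_rule_files "$1" || echo "FAIL: $? included rule file(s) listed above do not exist" >&2
    echo "Next: snort -T -c $1   # parse the config and report errors without sniffing"
fi
```

Once the lint passes, start Snort with `-c` and ping the box from another machine; a `LOCAL icmp test` line in the alert file confirms that the alert file, the interface and the output mode are all working, which isolates any remaining problem to the rule set itself.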