Optimized Settings for SNORT---Help?
What's up,
I just installed snort-1.9.1 on my firewall machine. Here is my network setup:
Internet---->Firewall(snort)------>LAN(2 windows 2000 'puter)
Firewall = Red Hat 7.3 (2.4.20) running IPTABLES with the default policy set to DROP; it is also a DNS server for my LAN.
eth0 = Internet IP (111.111.111.111), changes sometimes (dynamic)
eth1 = LAN interface (192.168.0.1)
My questions:
I need help to optimize my settings (I'm using the ruleset from snort.org):
1> I get false positives like crazy, seeing a "syn-ack scan" whenever a client opens a webpage with lots of embedded images or something. First I was getting it from my own IP address, but then I added eth0_ADDRESS to the preprocessor portscan2 ignorehosts line and then NO portscans were logged, so I have to put my Internet IP address on the ignorehosts line, so every time my IP address changes I have to edit the file. It does work for now. ANY OTHER IDEAS for this? Here is some of the web traffic I'm trying to STOP:
#0-(2-324) [snort] (spp_portscan2) Portscan detected from 64.4.20.24: 1 targets 10 ports in 1 seconds 2003-03-20 15:07:06 64.4.20.24:80 111.111.111.111:4114 TCP
How can I fix the SETTINGS to stop all this web traffic???
2> preprocessor portscan2 doesn't LOG traffic to my ACID alert under PORTSCAN; it logs it under TCP. I have even changed the output plugin to "ALERT" but still nothing?
#1-(2-323) [snort] (spp_portscan2) Portscan detected from 64.4.20.24: 1 targets 10 ports in 1 seconds 2003-03-20 15:06:03 64.4.20.24:80 111.111.111.111:4026
3> I want to create a rule so I don't get alerted when this IP address pings my machine, because it's an IP of my ISP's server! Can someone give me an example of what this rule would look like and where to put it?
#20-(2-20) [snort] ICMP Destination Unreachable (Port Unreachable) 2003-03-19 22:16:49 205.53.1.231 111.111.11.111 ICMP
4> I changed the preprocessor portscan2 settings... can you guys give me an idea what they should be for my TYPE of network? Here are my changes:
port_limit 9, timeout 40
I am trying to get a better description of the portscan????
****My snort.conf file****
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 192.168.0.1
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2-ignorehosts: $DNS_SERVERS 111.111.111.111
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 3, port_limit 9, timeout 40
output database: alert, mysql, user=snort password=snort dbname=snort host=127.0.0.1
include classification.config
include reference.config
include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-iis.rules
include web-frontpage.rules
include web-misc.rules
include web-client.rules
include web-php.rules
include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include oracle.rules
include mysql.rules
include snmp.rules
include smtp.rules
include imap.rules
include pop3.rules
include pop2.rules
include nntp.rules
include other-ids.rules
include icmp-info.rules
include experimental.rules
include local.rules
Any help, or do you guys see something I should change to get a better description of what is going on!!! Thanks guys!!!
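An added example (not part of the original post) for questions 1 and 3 above: a small POSIX sh helper that regenerates the portscan2-ignorehosts line from the live eth0 address (so the dynamic IP no longer has to be edited by hand), plus the pass rule for local.rules that silences ICMP from the ISP host in the post. It assumes Red Hat 7.3 style `ifconfig eth0` output and the snort.conf shown above; the sample ifconfig text is constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes `ifconfig eth0` output in
# the Red Hat 7.3 "inet addr:" form and the snort.conf layout posted above.

# Constructed sample of `ifconfig eth0` output, used for offline testing.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:111.111.111.111  Bcast:111.111.111.255  Mask:255.255.255.0'

# Pull the IPv4 address out of ifconfig text (passed in as an argument so the
# function can be exercised without a live interface).
eth0_ip_from_ifconfig() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Build the ignorehosts line, keeping $DNS_SERVERS in front as in the post.
ignorehosts_line() {
    printf 'preprocessor portscan2-ignorehosts: $DNS_SERVERS %s\n' "$1"
}

# Read snort.conf on stdin and rewrite only the portscan2-ignorehosts line;
# every other line passes through unchanged.
update_conf() {
    sed "s|^preprocessor portscan2-ignorehosts:.*|$(ignorehosts_line "$1")|"
}

# Pass rule for local.rules (question 3). Snort 1.x applies rules in
# Alert -> Pass -> Log order by default, so start snort with -o
# (Pass -> Alert -> Log) or this rule will not suppress the ICMP alerts.
local_rules_pass_rule() {
    cat <<'EOF'
pass icmp 205.53.1.231 any -> $HOME_NET any (msg:"ISP host ICMP - ignored"; sid:1000001; rev:1;)
EOF
}

# Usage on the firewall (from cron or the script that runs when the Internet
# link comes up), then restart snort so the new conf is read:
#   ip=$(eth0_ip_from_ifconfig "$(ifconfig eth0)")
#   update_conf "$ip" < /etc/snort/snort.conf > /etc/snort/snort.conf.new \
#       && mv /etc/snort/snort.conf.new /etc/snort/snort.conf
```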