March 20th, 2003, 11:53 PM
Optimized Settings for SNORT---Help?
I just installed snort-1.9.1 on my firewall machine. Here is my network setup:
Internet ----> Firewall (snort) ------> LAN (2 Windows 2000 'puters)
Firewall = Red Hat 7.3 (2.4.20) running IPTABLES with the default policy set to DROP; it is also a DNS server for my LAN.
eth0 = Internet IP (22.214.171.124), changes sometimes (dynamic)
I need help to optimize my settings (I'm using the ruleset from snort.org):
1> I get false positives like crazy, seeing a "syn-ack scan" whenever a client opens a webpage with lots of embedded images or something. First I was getting it from my own IP address, but then I added eth0_ADDRESS to the preprocessor portscan2 ignorehosts line, but then NO portscans were logged, so I have to put my Internet IP address on the ignorehosts line, so every time my IP address changes I have to edit the file, but it does work for now. ANY OTHER IDEAS for this? Here is some of the web traffic I'm trying to STOP:
#0-(2-324) [snort] (spp_portscan2) Portscan detected from 126.96.36.199: 1 targets 10 ports in 1 seconds 2003-03-20 15:07:06 188.8.131.52:80 184.108.40.206:4114 TCP
How can I fix the SETTINGS to stop all this web traffic???
2> preprocessor portscan2 doesn't LOG traffic to my ACID alert under PORTSCAN; it logs to TCP. I have even changed the output plugin to "ALERT" but still nothing?
#1-(2-323) [snort] (spp_portscan2) Portscan detected from 220.127.116.11: 1 targets 10 ports in 1 seconds 2003-03-20 15:06:03 18.104.22.168:80 22.214.171.124:4026
3> I want to create a rule so I don't get alerted when this IP address pings my machine, because it's an IP of my ISP's server! Can someone give me an example of what this rule would look like and where to put it?
#20-(2-20) [snort] ICMP Destination Unreachable (Port Unreachable) 2003-03-19 22:16:49 126.96.36.199 188.8.131.52 ICMP
4> I changed the preprocessor portscan2 settings... can you guys give me an idea what they should be for my TYPE of network? Here are my changes:
port_limit 9, timeout 40
I am trying to get a better description of the portscan????
****My snort.conf file****
# Network variables (HOME_NET follows whatever address eth0 currently has)
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 192.168.0.1
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [184.108.40.206/24,220.127.116.11/24,18.104.22.168/24,22.214.171.124/24,126.96.36.199/24,188.8.131.52/24,184.108.40.206/24,220.127.116.11/24,18.104.22.168/24]
# Preprocessors
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
# Hosts portscan2 never reports; the second entry is eth0's current Internet address, hard-coded
preprocessor portscan2-ignorehosts: $DNS_SERVERS 22.214.171.124
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 3, port_limit 9, timeout 40
# Alerts go to the MySQL database that ACID reads
output database: alert, mysql, user=snort password=snort dbname=snort host=127.0.0.1
Any help, or do you guys see something I should change to get a better description of what is going on!!! Thanks guys!!!
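For the dynamic-address problem in point 1, one way to stop hand-editing the ignorehosts line is to regenerate it from the interface's current address. This is an added example, not code from the thread; it assumes a Linux box with iproute2 (`ip`), exactly one `preprocessor portscan2-ignorehosts:` line in snort.conf, and that Snort is restarted (or sent SIGHUP) afterwards so it re-reads the file.

```shell
#!/bin/sh
# Added example (not from the thread): keep the portscan2-ignorehosts line in
# sync with the interface's current address instead of editing it by hand.
# Assumes Linux with iproute2 and exactly one ignorehosts line in snort.conf.
set -u

# Print the first IPv4 address assigned to an interface, without the prefix length.
iface_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# Print the ignorehosts line currently in the config (empty if absent).
current_ignorehosts() {
    grep '^preprocessor portscan2-ignorehosts:' "$1"
}

# Rewrite the ignorehosts line so it lists $DNS_SERVERS plus the given address.
# Returns 1 (and leaves the file alone) if no such line exists.
update_ignorehosts() {
    conf=$1
    addr=$2
    grep -q '^preprocessor portscan2-ignorehosts:' "$conf" || return 1
    sed "s|^preprocessor portscan2-ignorehosts:.*|preprocessor portscan2-ignorehosts: \$DNS_SERVERS $addr|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Usage: update-ignorehosts.sh /etc/snort/snort.conf eth0
# Run it from the DHCP/PPP up-hook or cron, then restart Snort (or send it
# SIGHUP) so the new config is read.
if [ $# -ge 2 ]; then
    new_addr=$(iface_ipv4 "$2")
    [ -n "$new_addr" ] || { echo "no IPv4 address on $2" >&2; exit 1; }
    update_ignorehosts "$1" "$new_addr" || { echo "no ignorehosts line in $1" >&2; exit 1; }
    echo "now: $(current_ignorehosts "$1")"
fi
```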
March 21st, 2003, 01:34 AM
I was looking around and found this: http://www.fidelissec.com/snortran.html. It looks neat and it might help.