Optimized Settings for SNORT---Help?
Results 1 to 2 of 2

Thread: Optimized Settings for SNORT---Help?

  1. #1

    Question Optimized Settings for SNORT---Help?

    Whats Up

    I just installed snort-1.9.1 on my firewall machine. Here is my network setup
    Internet---->Firewall(snort)------>LAN(2 windows 2000 'puter)

    Firewall=Redhat7.3(2.4.20)running "IPTABLES default policy set to DROP" also a DNS server for my LAN.
    eth0=Internet IP(111.111.111.111) Chnages sometimes(dynamic)
    eth1=Lan Interface(192.168.0.1)

    My questions:
    I need help to optimize my settings (im using the ruleset form snort.org):

    1>I get falses like crazy as seeing an "syn-ack scan" whenever a client opens a webpage with lots of embedded images or something.First i was getting it from my own IPADDRESS but then i added eth0_ADDRESS to the preprocessor portscan2 ignorehost line but then NO portscans logged soo i have to put in my internet ip address on the ignorehost line soo everytime my IP address cvhanges i have to edit the file but it dows work for now ANY OTHER IDEAS for this? Here is some of the webtraffic im trying to STOP:
    #0-(2-324) [snort] (spp_portscan2) Portscan detected from 64.4.20.24: 1 targets 10 ports in 1 seconds 2003-03-20 15:07:06 64.4.20.24:80 111.111.111.111:4114 TCP

    How can i fix the SETTINGS to stop all this webtraffic???

    2>preprocessor portscan2 doesnt LOG traffic to my ACID alert under PORTSCAN it logs to TCP.I have even changed the output pluggin to "ALERT" but still nothing?
    #1-(2-323) [snort] (spp_portscan2) Portscan detected from 64.4.20.24: 1 targets 10 ports in 1 seconds 2003-03-20 15:06:03 64.4.20.24:80 111.111.111.111:4026

    3>I want to create a rule soo i dont get alerted when this IP address pings my machine cause its an IP of my ISP server! Can someone give me an example of what this rule would look like and where to put it?
    #20-(2-20) [snort] ICMP Destination Unreachable (Port Unreachable) 2003-03-19 22:16:49 205.53.1.231 111.111.11.111 ICMP

    4> I changed the preprocessor portscan2 settings...can you guys give me an idea what hey should be for my TYPE of network here are my changes:
    port_limit 9, timeout 40

    I am trying to get a better description of the portscan????





    ****My snort.conf file****

    var HOME_NET $eth0_ADDRESS
    var EXTERNAL_NET !$HOME_NET
    var DNS_SERVERS 192.168.0.1
    var SMTP_SERVERS $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    var TELNET_SERVERS $HOME_NET
    var HTTP_PORTS 80
    var SHELLCODE_PORTS !80
    var ORACLE_PORTS 1521
    var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
    preprocessor frag2
    preprocessor stream4: detect_scans, disable_evasion_alerts
    preprocessor stream4_reassemble
    preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
    preprocessor rpc_decode: 111 32771
    preprocessor bo: -nobrute
    preprocessor telnet_decode
    preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
    preprocessor portscan2-ignorehosts: $DNS_SERVERS 111.111.111.111
    preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 3, port_limit 9, timeout 40
    output database: alert, mysql, user=snort password=snort dbname=snort host=127.0.0.1
    include classification.config
    include reference.config
    include bad-traffic.rules
    include exploit.rules
    include scan.rules
    include finger.rules
    include ftp.rules
    include telnet.rules
    include rpc.rules
    include rservices.rules
    include dos.rules
    include ddos.rules
    include dns.rules
    include tftp.rules
    include web-cgi.rules
    include web-coldfusion.rules
    include web-iis.rules
    include web-frontpage.rules
    include web-misc.rules
    include web-client.rules
    include web-php.rules
    include sql.rules
    include x11.rules
    include icmp.rules
    include netbios.rules
    include misc.rules
    include attack-responses.rules
    include oracle.rules
    include mysql.rules
    include snmp.rules
    include smtp.rules
    include imap.rules
    include pop3.rules
    include pop2.rules
    include nntp.rules
    include other-ids.rules
    include icmp-info.rules
    include experimental.rules
    include local.rules

    Any help, or do you guys see something i should change to get a better description on what is going on!!! Thanks guys!!!

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Hey Condoor,

    I was looking around and found this: http://www.fidelissec.com/snortran.html .. It looks neat and it might help.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •