Re: Snort/ACID only collecting info for itself, not network

From: LRW (news_at_celticbear.com)
Date: 11/10/04


Date: 10 Nov 2004 07:43:32 -0800

Neil Cherry <njc@wolfgang.uucp> wrote in message news:<slrncp2bqh.kqq.njc@wolfgang.uucp>...
> On 9 Nov 2004 10:13:58 -0800, LRW wrote:
>
> First post twice on the same subject, within 1 hour of each message is
> a bit rude. Try more patience next time.

Sorry. I know. I posted the first time prematurely, without enough
information either in symptoms or what I already investigated. I would
have simply replied to my own post, except I'm using groups.google.com
for my newsreader and I don't see my own posts for hours, sometimes
even a day or so.

>
> > I have the snort conf file set with:
> >
> > var HOME_NET 192.168.1.0/24
> >
> > and at first I had it at
> >
> > var HOME_NET any
> >
> > but either way I get the same results:
> > All the alerts, all the traffic, has the IP address of the box Snort
> > is installed onto. 192.168.1.100. All data has that IP as either
>
> I think the problem you are having is that you have a network
> switch. A proper network switch keeps all traffic not destined for you
> off your network connection. A hub allows any traffic from any part of
> the network to be seen everywhere. You can either search for a hub or,
> if your switch has the capability, allow all traffic to be seen on
> your port. Most low cost switches do not have this capability.

Ah. Well, I guess that settles that, then. I really don't want to use
a hub as that leads to packet errors and inefficiency of data transfer
and the like, right?
Anyway, I really am most concerned with the traffic (attempting) to
come into the network and leaving. I don't really care what goes on
from one network PC to another, but I do if one of the network PCs
seems to be flooding tons of data out to the 'Net on a suspicious
port.

So, the proper answer to my situation would be this?
Instead of having the Snort machine on the same switch as everyone
else, have it between the switch and the DSL modem/router? Two NICs
in it?

Here's something I don't understand about the current set-up. And
maybe it will point up a setting I have wrong or something:
The DSL router is set to forward all port 80 traffic to the Snort box,
as it's also serving as a Web server.
From an external machine, I portscanned our public IP, but I don't see
the IP I scanned FROM as a source IP in ACID's recent alerts. Switch
or not, it should have gotten a hit directly to itself on port 80 from
that machine. Whether from a scan or just pulling up the Web pages it
serves, right? Why the heck is it not collecting the external IP?

Wait, that's not 100% true I see. I see the IP address on the remote
machine in the DESTINATION list. Receiving a "ATTACK-RESPONSES 403
Forbidden". But, shouldn't there be an entry for that IP as a SOURCE
for having sent a port 80 SYN packet at least? What about the
portscans I did from that machine?

Which makes me reiterate an original concern: When I click "portscan
events" I get the error: "PORTSCAN EVENT ERROR: No file was specified
in the $portscan_file variable."
The variable in acid_conf for $portscan_file = ""; is blank. I don't
have a portscan.log or scan.log file anywhere on my system (and that's
the only info I can find on newsgroups on the subject.) What do I put
there? Does it matter that I'm using mySQL?

Thanks for any help! Thanks for anyone's time for reading this. =)
I appreciate it!
Liam
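Added example, not part of the original thread: a quick check of whether the Snort sensor's interface actually sees traffic between other hosts (a hub or a mirrored switch port) or only its own (a plain switched port), by counting packets in `tcpdump -nn` output where neither endpoint is the sensor's IP. The interface name `eth0` and the sample capture are assumptions/constructed; the sensor IP is the one from the post.

```shell
#!/bin/sh
# Sensor address from the post; on a plain switched port this is the only
# address that will ever appear in the capture.
SENSOR_IP="192.168.1.100"

# Read tcpdump -nn output on stdin, print the number of packets where
# neither source nor destination is the sensor ($1). Port suffixes are
# stripped only when present (ICMP lines carry bare addresses).
count_foreign() {
  awk -v me="$1" '
    $2 == "IP" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      if (gsub(/\./, ".", src) == 4) sub(/\.[0-9]+$/, "", src)
      if (gsub(/\./, ".", dst) == 4) sub(/\.[0-9]+$/, "", dst)
      if (src != me && dst != me) n++
    }
    END { print n + 0 }'
}

# Constructed sample (hub/SPAN case): a web hit on the sensor plus an SSH
# exchange between two other LAN hosts that a switched port would hide.
SAMPLE='12:00:01.000001 IP 192.168.1.100.80 > 203.0.113.9.51000: Flags [S.], seq 1, ack 1
12:00:01.000002 IP 192.168.1.5.51234 > 192.168.1.7.22: Flags [S], seq 0
12:00:01.000003 IP 192.168.1.7.22 > 192.168.1.5.51234: Flags [S.], seq 0, ack 1
12:00:01.000004 IP 203.0.113.9.51000 > 192.168.1.100.80: Flags [S], seq 5'

# "mirrored" if any third-party packet was seen, else "switched-only".
verdict() {
  n=$(printf '%s\n' "$2" | count_foreign "$1")
  if [ "$n" -gt 0 ]; then echo "mirrored"; else echo "switched-only"; fi
}

# Live use (root, assumed interface eth0): capture 200 packets and judge.
# live=$(tcpdump -nn -i eth0 -c 200 2>/dev/null); verdict "$SENSOR_IP" "$live"
verdict "$SENSOR_IP" "$SAMPLE"
```

If the live verdict is "switched-only", HOME_NET is not the problem; the sensor needs a hub, a mirror/SPAN port, or the inline placement between switch and router discussed above.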

