snort logging - snort.conf


Post by xant » Thu, 04 Oct 2001 23:02:32



Because of the successful response to my previous question,
I hope you can help me with this question as well.

Snort has been installed default except for the HOME_NET parameter.

However I receive a lot of the next alert messages, which are
basically DNS/UDP requests.

Oct  3 15:42:07 systemname snort[609]:
[1:515:2] MISC source port 53 to <1024
[Classification: Potentially Bad Traffic] [Priority: 2]:
{UDP} 1.1.1.31:53 -> 2.2.2.131:53

Any idea how to reduce the amount of these messages?

Regards,
Xantos N.

 
 
 

snort logging - snort.conf

Post by Dean Thompso » Thu, 04 Oct 2001 23:40:57


Hi!

> Because of the successful response to my previous question,
> I hope you can help me with this question as well.

> Snort has been installed default except for the HOME_NET parameter.

> However I receive a lot of the next alert messages, which are
> basically DNS/UDP requests.

> Oct  3 15:42:07 systemname snort[609]:
> [1:515:2] MISC source port 53 to <1024
> [Classification: Potentially Bad Traffic] [Priority: 2]:
> {UDP} 1.1.1.31:53 -> 2.2.2.131:53

> Any idea how to reduce the amount of these messages?

You should be able to modify the snort.conf rules to stop SNORT looking for
this network condition if you want.  Just find the following rule:

alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

And comment them out by placing a ";" in front of them.  Once you have done
that, you will need to stop snort and then restart it again.  After that, you
shouldn't be bothered by that error message again (or at least snort won't be
looking for it and raising an alert).

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+
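As an added example (my own, not from the thread or the Snort project): the syslog alert from the post parsed into its fields, a tally of alerts per SID so the noisiest rules can be reviewed before anything is switched off, and a helper that comments out rules by SID. It assumes the syslog alert format shown in the post, and Snort's rule files treat a line beginning with "#" as a comment, which is what the helper prepends.

```python
import re

# Constructed samples: the post's alert joined onto one syslog line, and the two rules
# Dean quotes, each on a single line (Snort expects one rule per line).
SAMPLE_ALERT = (
    "Oct  3 15:42:07 systemname snort[609]: [1:515:2] MISC source port 53 to <1024 "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: "
    "{UDP} 1.1.1.31:53 -> 2.2.2.131:53"
)
SAMPLE_RULES = (
    'alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)\n'
    'alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)\n'
)

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification: (?P<cls>[^\]]*)\]\s+\[Priority: (?P<pri>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_alert(line):
    # Split one syslog alert into gid/sid/rev/msg/cls/pri/proto/src/dst.
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a Snort syslog alert: " + line)
    return m.groupdict()

def count_by_sid(lines):
    # Tally alerts per (sid, msg) so the noisiest rules are reviewed first.
    counts = {}
    for line in lines:
        try:
            a = parse_alert(line)
        except ValueError:  # skip syslog lines that are not Snort alerts
            continue
        key = (a["sid"], a["msg"])
        counts[key] = counts.get(key, 0) + 1
    return counts

def disable_sids(rules_text, sids):
    # Comment out (leading '#') every rule whose sid is in `sids`; already
    # commented lines are left alone, so running it twice is harmless.
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in sids and not line.lstrip().startswith("#"):
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Snort re-reads snort.conf and the rule files only on restart, so the edited file takes effect after the restart Dean describes.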

 
 
 

snort logging - snort.conf

Post by xant » Fri, 05 Oct 2001 20:28:16


Dean,

Thank you for answering my question. It really cleans up my logging!

Regards,

Xantos N.

> Hi!

> alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)

> alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

> And comment them out by placing a ";" in front of them.  Once you have done
> that, you will need to stop snort and then restart it again.  After that, you
> shouldn't be bothered by that error message again (or at least snort won't be
> looking for it and raising an alert).

> See ya

> Dean Thompson

> --
> +____________________________+____________________________________________+
> | Bach. Computing (Hons)     | ICQ     - 45191180                         |
> | PhD Student                | Office  - <Off-Campus>                     |
> | School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
> | MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
> | Melbourne, Australia       |                                            |
> +----------------------------+--------------------------------------------+

 
 
 

Snort is running, I scanned my computer, but nothing appears in the snort logs

I have snort running
1992 ?        S      0:19 /usr/sbin/snort -u snort -g snort -s -d -D -i
eth0 -l

I then portscanned my computer using nmap, but nothing is in /var/log/snort
but this:




When I view these files, nothing is in alert, portscan.log, and

nothing is in /var/log/messages either. I thought that when my computer gets
portscanned something would appear in portscan.log, but it is empty. Am I
doing something wrong, or are the snort logs stored somewhere else?

thanks,
jp
