[Snort-users] Snort config and setup Need you help - Please!

07-13-2005
Arthur Chilipweli


Hi,
Please, someone may be able to guide me in the right direction (I am a newbie
on Snort and Unix). I am not sure where I am going wrong. I have installed
Snort on a 1.3 MHz PC with 512 RAM, and it is working fine (logging traffic
towards the box and the NIC where it is installed), but the problem I have is
that the only traffic I can see and that is getting logged is traffic towards
the box I have Snort installed on. The brief setup I have is like this:

I have three machines, Win 2000, Win Adv Server 2003 and Fedora Core 3 (Snort
is installed), all with 1 NIC in them, all connected to a hub, and the hub is
connected to my router and to my cable modem. I thought (but maybe I am
wrong) that Snort will be able to log all traffic on my tiny network as long
as I define my HOME_NET correctly. Below is the short snort.conf file:

var HOME_NET 192.168.1.0/24

# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET any
# var EXTERNAL_NET !$HOME_NET

# Configure your server lists. This allows snort to only look for attacks to
# systems that have a service up. Why look for HTTP attacks if you are not
# running a web server? This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.

# List of DNS servers on your network
var DNS_SERVERS [68.13.16.25,68.13.16.30]

# List of SMTP servers on your network
var SMTP_SERVERS [192.168.1.4]

# List of web servers on your network
var HTTP_SERVERS [192.168.1.4,192.168.1.100]

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
# var SNMP_SERVERS $HOME_NET

So with this setup, is there anything I am missing, or do I have a wrong
understanding of how the Snort setup should be? Please understand I am a
newbie, so I really need your education as I am trying to learn Unix.

Will really appreciate it.

Thanks in advance,


Arthur A. Melvin

Snort-users mailing list
Snort-users@lists.sourceforge.net
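Added example, not code from the post or from the Snort project: a small Python checker that takes the post's snort.conf fragment (embedded below as constructed sample input, including the bare "to" left behind when the mailed comment line wrapped), flags lines that are not directives, resolves $VAR references, and reports which server-list entries lie outside HOME_NET. It assumes the fragment holds only `var` lines and that protected-asset lists are named `*_SERVERS`.

```python
import ipaddress
import re

# Constructed sample: the snort.conf fragment from the post, including the
# wrapped comment that leaves a bare "to" on its own line (line 5 here).
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET any
# Configure your server lists. This allows snort to only look for attacks
to
var DNS_SERVERS [68.13.16.25,68.13.16.30]
var SMTP_SERVERS [192.168.1.4]
var HTTP_SERVERS [192.168.1.4,192.168.1.100]
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
"""

def parse_vars(text):
    """Return ({name: raw value}, [problems]) for the 'var' lines in text."""
    vars_, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue  # blank lines and comments
        m = re.match(r"^var\s+(\w+)\s+(\S+)$", s)
        if m:
            vars_[m.group(1)] = m.group(2)
        else:  # simplifying assumption: this fragment holds only var lines
            problems.append(f"line {lineno}: not a directive: {s!r}")
    return vars_, problems

def expand(value, vars_):
    """Resolve a $NAME reference and split a [a,b] list into address strings."""
    if value.startswith("$"):
        value = vars_[value[1:]]  # KeyError here means an undefined variable
    return value.strip("[]").split(",")

def outside_home_net(vars_):
    """Map each *_SERVERS var to its entries that lie outside HOME_NET."""
    home = ipaddress.ip_network(vars_["HOME_NET"])
    result = {}
    for name, raw in vars_.items():
        if name.endswith("_SERVERS"):
            outside = [e for e in expand(raw, vars_)
                       if not ipaddress.ip_network(e, strict=False).subnet_of(home)]
            if outside:
                result[name] = outside
    return result
```

The checker covers only the configuration text; whether the sensor NIC actually sees the other hosts' frames depends on the hub and on the interface running in promiscuous mode, which a config check cannot verify.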