meu snort ta varrendo tudo..

e ae galera, eu ja instalei e configurei o snort, ta tudo ok, so que ele ta varrendo tudo, e so queria q ele olhasse a interface ppp0. alguem pode me ajudar?

uso debian 3.0 rc2
snort 2.3

posta o meu snort.conf

Citação:

---

#preprocessor portscan: $EXTERNAL_NET 4 3 portscan.log

var EXTERNAL_NET any

var HOME_NET 192.168.0.0/24

preprocessor portscan: $EXTERNAL_NET 4 3 portscan.log
# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET !$HOME_NET

preprocessor portscan-ignorehosts: 192.168.0.0/24

# Configure your server lists. This allows snort to only look for attacks to
# systems that have a service up. Why look for HTTP attacks if you are not
# running a web server? This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET



var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
#
# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2

preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans

preprocessor stream4_reassemble

# http_inspect: normalize and detect HTTP traffic and protocol anomalies
#
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output log_tcpdump: tcpdump.log
preprocessor portscan-ignorehosts: 192.168.0.0/24

---

postei o principal

fico no aguardo.

var EXTERNAL_NET any

muda isso ae pra interface q vc quer q ele olhe

blz vou fazer isso agora, eu to usando esse comando pra start o snort

/usr/local/bin/snort -u snort -g snort -D -c /etc/snort/snort.conf -l /var/log/snort/


so quando do um ps aux n vejo nem um processo do snort rodando :roll:

dps da uma olhada nos artigos aki do site q tem uma artigo do snort q eu fiz pra ele nao ficar jogando tudo qto ehlixo no log.... eh uma versao antiga mas a conf deve ser a mesma

Citação:

---

Postado originalmente por 1c3_m4n

dps da uma olhada nos artigos aki do site q tem uma artigo do snort q eu fiz pra ele nao ficar jogando tudo qto ehlixo no log.... eh uma versao antiga mas a conf deve ser a mesma

---

já dei uma olhada vlw,

to com alguma duvidas, os comandos pra gerenciar, por exmplo

se eu digito snort -v -i ppp0 ele mostra em tempo real o trafico da rede, mas ao digitar

/usr/local/bin/snort -u snort -g snort -D -c /etc/snort/snort.conf -l /var/log/snort/

não me retonar nada, como eu sei se ele ta funcionando do jeito que eu quero?
pois no ps aux n mostra nada de snort

vlw pela ajuda

obrigado a todos

no ps nao ta mostrando nada????? xiiii
olha no logs dele se ele ta iniciando certinho

Citação:

---

Mar 9 15:28:48 firewall snort: Initializing daemon mode
Mar 9 15:28:48 firewall snort: PID path stat checked out ok, PID path set to /var/run/
Mar 9 15:28:48 firewall snort: Writing PID "18019" to file "/var/run//snort_eth0.pid"
Mar 9 15:28:48 firewall snort: Parsing Rules file /etc/snort/snort.conf
Mar 9 15:28:48 firewall snort: FATAL ERROR: ERROR /etc/snort/snort.conf(50): Couldn't resolve hostname ppp0

---

e agora?

EXTERNAL_NET coloca any de novo e startei, agora apareceu isso

Citação:

---

Mar 9 15:33:27 firewall snort: Writing PID "18030" to file "/var/run//snort_eth0.pid"
Mar 9 15:33:27 firewall snort: Parsing Rules file /etc/snort/snort.conf
Mar 9 15:33:27 firewall snort: ,-----------[Flow Config]----------------------
Mar 9 15:33:27 firewall snort: | Stats Interval: 0
Mar 9 15:33:27 firewall snort: | Hash Method: 2
Mar 9 15:33:27 firewall snort: | Memcap: 10485760
Mar 9 15:33:27 firewall snort: | Rows : 4099
Mar 9 15:33:27 firewall snort: | Overhead Bytes: 16400(%0.16)
Mar 9 15:33:27 firewall snort: `----------------------------------------------
Mar 9 15:33:27 firewall snort: FATAL ERROR: /etc/snort/snort.conf(293) => Unable to open the IIS Unicode Map file '/etc/snort/unicode.map'.

---

ajeitei, agora ele ta rodando blz, so falta alguem me fala qual eh o parametro no snort.conf para ele so varre a interface ppp0

putz vc ta usando modem neh, volta teu external_net pra any....

aheuhaueh deu lag aki, minha msg saiu 3h dps

baum achei meu artigo: http://www.linuxit.com.br/section-viewarticle-149.html

se vc ta iniciando ele com a opcao -i ppp0, ele soh ta varrendo essa interface

Acho legal voce por pra logar em uma base mysql e usar um snortreporter para ver as saidas fica mto mais facil

falows