[Sysadmins] [Sysadmins Snort и его настройки .]

[бОДТіК рТЕДЛП]

> Message: 2
> Date: Fri, 5 May 2006 17:07:05 +0300
> From: "Dmitriy L. Kruglikov" <Dmitriy.Kruglikov на orionagro.com.ua>
> Subject: Re: [Sysadmins] [Sysadmins Snort и его настройки.]
> To: sysadmins на lists.altlinux.org
> Message-ID: <20060505170705.4945f065 на shadow.orionagro.com.ua>
> Content-Type: text/plain; charset=KOI8-R
> 
> On Fri, 05 May 2006 16:48:10 +0400
> andrewnbg wrote:
> 
> > [root на ser mysql]# /etc/rc.d/init.d/snortd status
> > snort is stopped
> Поприбивай процессы...
> Потом /etc/rc.d/init.d/snortd start
> И посмотри опять ...
> 
 
Попробовал ... результат тот же.

Может не правильно сконфигурирован snort.conf?
Вот мои настройки:
192.168.0.0.24 - внутренняя сеть
192.168.1.0.24 - городская сеть с выходом в инет.

var HOME_NET [192.168.0.0/24,192.168.1.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var ORACLE_PORTS 1521


var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.1
88.9.0/24]

var RULE_PATH /etc/snort

# Configure the snort decoder
preprocessor frag2

preprocessor stream4: disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 }


# are actually running this type of service. If not, change the ports or turn

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor telnet_decode
output database: log, mysql, user=andrew password=west72rn dbname=snort host=localhost

include classification.config

include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include threshold.conf