From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: "=?windows-1251?Q?=E1=CE=C4=D2=B3=CA_=F0=D2=C5=C4=CB=CF?=" To: sysadmins@lists.altlinux.org Mime-Version: 1.0 X-Mailer: mPOP Web-Mail 2.19 advanced X-Originating-IP: 192.168.0.25 via proxy [195.225.175.133] In-Reply-To: Content-Type: text/plain; charset=windows-1251 Content-Transfer-Encoding: 8bit Message-Id: Date: Sat, 06 May 2006 10:19:26 +0300 Subject: Re: [Sysadmins] =?windows-1251?b?W1N5c2FkbWlucyBTbm9ydCDoIOXj7iDt4PHy?= =?windows-1251?b?8O7p6uggLl0=?= X-BeenThere: sysadmins@lists.altlinux.org X-Mailman-Version: 2.1.7 Precedence: list Reply-To: =?windows-1251?Q?=E1=CE=C4=D2=B3=CA_=F0=D2=C5=C4=CB=CF?= , ALT Linux sysadmin discuss List-Id: ALT Linux sysadmin discuss List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 May 2006 07:19:42 -0000 Archived-At: List-Archive: > Message: 2 > Date: Fri, 5 May 2006 17:07:05 +0300 > From: "Dmitriy L. Kruglikov" > Subject: Re: [Sysadmins] [Sysadmins Snort и его настройки.] > To: sysadmins@lists.altlinux.org > Message-ID: <20060505170705.4945f065@shadow.orionagro.com.ua> > Content-Type: text/plain; charset=KOI8-R > > On Fri, 05 May 2006 16:48:10 +0400 > andrewnbg wrote: > > > [root@ser mysql]# /etc/rc.d/init.d/snortd status > > snort is stopped > Поприбивай процессы... > Потом /etc/rc.d/init.d/snortd start > И посмотри опять ... > Попробовал ... результат тот же. Может, неправильно сконфигурирован snort.conf? Вот мои настройки: 192.168.0.0/24 - внутренняя сеть, 192.168.1.0/24 - городская сеть с выходом в инет.
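# snort.conf as posted to the list, restored to one directive per line
# (the mail client had collapsed the file and wrapped one address).
#
# Both the internal LAN and the city network are monitored as HOME_NET.
# EXTERNAL_NET is "any", so it also matches HOME_NET addresses; rules written
# as $EXTERNAL_NET -> $HOME_NET therefore still see traffic between the two nets.
var HOME_NET [192.168.0.0/24,192.168.1.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
# (a second, identical "var DNS_SERVERS $HOME_NET" line was dropped - it only
# redefined the same value)
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var ORACLE_PORTS 1521
# 205.188.9.0/24 had been split by line wrapping in the mail ("205.1 88.9.0/24");
# a stray space inside the list would most likely make snort reject the var.
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort

# Configure the snort decoder
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
# The port list must match where HTTP services actually listen on HOME_NET;
# adjust it (or drop http_inspect_server) if nothing runs on those ports.
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode

# NOTE(review): the line below carries the MySQL password in clear text and has
# been sent to a public, archived mailing list - change that password, keep
# snort.conf readable by root only, and grant the database user rights on the
# "snort" database only.
output database: log, mysql, user=andrew password=west72rn dbname=snort host=localhost

include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include threshold.conf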