[Dshield] For those that want to see what a Snort Sensor can see

Al Reust areust at comcast.net
Thu Apr 8 02:23:32 GMT 2004


Hello All

I have been working on upgrading my IDSs to Snort 2.1.1 and previously 
posted that I have a mix that works: PHP/MySQL/ACID console. This covers 5 
active sensors in DMZs and various test sensors to see what happens when 
you have to upgrade Snort or the support files. Any way you look at it, 
it is an added pain in the butt...

This is on a Win box (2K Pro) using DHCP on a "public" network (Comcast). I 
have not modified the basic rule sets from 3/24/2004, so you will see what 
comes out of the box. Yes, it reports differently than previously seen. New 
definitions of false positives. Just call it progress...

Yes, IIS is fairly locked down and the box is patched. I do not expect it 
to be toppled. I did want people to get a chance to look and see what can 
be seen. I do not expect an attack to see if you can topple it. I expect 
to see what happens when a box is put in a "public" network. That is why I 
opened the invitation to go look. Until you see, you never know.

Typically, I would have the box doing "things" that could stress the CPU, 
so if a hundred people hit it, I would expect that it would be sluggish. 
This does not mention what "they" feel a "user" network should do 
"outbound." If you take time to go look, please Do Not delete any alerts. 
I do want to see what is happening.

It is a PIII 550 with 384 MB of RAM. The RAM utilization is at about 75%.

I will take it down Monday 12 April 2004 in the morning.

If you want to look the URL is

http://67.160.116.3/acid/acid_main.php

Username: visitor
Password: L00k at meplz ; Lzerozerok at meplz

This has been running here for about three+ hours, as of 4:00pm PDT.

Otherwise, Have Fun

If you have detailed questions, please send them off list. Yes, the build document 
is being revised; it is a "living" thing with all the updates...

One of the IPs that you will see is 67.161.81.163, which hosts my Dynamic 
DNS; yes, it gets attacked as it has IIS and FTP. See previous emails on 
home networking. Yes, I have 11 machines behind the firewall. No, I do not 
have an MTA running. Linksys support "sucks," so I bought a NetGear that 
works.

R/

Al
