"Houston I've got a problem..."
Somebody is trying to connect (break in)
to the Server&Gateway SME 6.03b via port "1412"
... PROTO=UDP SPT=1417 DPT=1412 LEN=15
(from several dial-in ips according to whois)
"1412" does not show up in all the lists I know.
(1) What significance does port 1412 have???
================================================
... and no solution...
(2) The SME logfile slowly overflows with this kind of garbage in addition to the
ubiquitous DPT:135 worm-stuff so I decided to (finally) install Snort/Acid.
Using the Abe Loveless & Ari Novikoff contrib downloaded at Marari Network Solutions
(!!! THANKS GUYS !!!) everything went smoothly ...
but now for the 2nd day in a row ... Acid is logging NOTHING at all !
Impressive show of "0"s in
https://mysmeserver/acid/acid_main.php
I do believe that Snort looks at nothing, and not at the external IP on eth1.
Checking in "/etc/e-smith/template/etc/snort/snort.conf" and "/etc/snort/snort.conf"
I get the impression it cannot look for anything in this setup
$HOME_NET is defined by localnet,myinternalip,myexternalip
and then comes
EXTERNAL_NET !$HOME_NET ...
What does SNORT look at now?
HOW CAN I MAKE IT LOOK AT MY EXTERNAL IP ?
In the current situation I'd rather not make a security mistake even if chances seem small,
Could somebody point me to how to set up Snort to look at externalip ?
... sorry for the long post...
Reinhold
---------------- /etc/e-smith/template/etc/snort/snort.conf ----
#-- added for SME template --#
var HOME_NET [127.0.0.1/32,{
my %conf;
tie %conf, 'esmith::config';
my $LocalIP = db_get(\%conf, 'LocalIP');
my ($A, $B, $C, $D) = split(/\./, $LocalIP);
# the value of the block's last expression (the /24 around LocalIP) is what the template inserts here
my $mask = "$A\.$B\.$C\.0/24";
},{$ExternalIP}/32]
#----#
# Set up the external network addresses as well.
# A good start may be "any"
#var EXTERNAL_NET any
#-- added for SME template --#
var EXTERNAL_NET !$HOME_NET
#----#
--------------------------------------------------------------------
================= /etc/snort/snort.conf============================
#-- added for SME template --#
var HOME_NET [127.0.0.1/32,192.168.0.0/24,myexternalip/32]
#----#
# Set up the external network addresses as well.
# A good start may be "any"
#var EXTERNAL_NET any
#-- added for SME template --#
var EXTERNAL_NET !$HOME_NET
===================================================================
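As an added illustration (not from the post or the SME contrib), here is a small Python evaluator for the `var HOME_NET` / `var EXTERNAL_NET` definitions quoted above; the addresses are constructed placeholders (203.0.113.10 stands in for "myexternalip", 198.51.100.7 for a dial-in IP). It shows that with `EXTERNAL_NET !$HOME_NET` a packet from a dial-in address to the external IP still falls inside the `$EXTERNAL_NET any -> $HOME_NET any` header that most rules use, so the variable definitions alone do not exclude that traffic.

```python
import ipaddress
import re

# Constructed snort.conf fragment mirroring the rendered /etc/snort/snort.conf in the
# post; "203.0.113.10" is a placeholder for the real external IP.
SNORT_CONF = """
var HOME_NET [127.0.0.1/32,192.168.0.0/24,203.0.113.10/32]
var EXTERNAL_NET !$HOME_NET
"""


def parse_vars(conf):
    """Return {name: raw_value} for every 'var NAME value' line in the config."""
    variables = {}
    for line in conf.splitlines():
        m = re.match(r'\s*var\s+(\w+)\s+(.+?)\s*$', line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def matches(spec, ip, variables):
    """Evaluate a Snort address spec ('any', !negation, $VAR, flat [list], CIDR) for one IP.

    Flat lists only; nested brackets like [a,[b,c]] are not handled here.
    """
    spec = spec.strip()
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return not matches(spec[1:], ip, variables)
    if spec.startswith('$'):
        return matches(variables[spec[1:]], ip, variables)
    if spec.startswith('['):
        return any(matches(part, ip, variables) for part in spec[1:-1].split(','))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def in_scope(src, dst, variables, rule_src='$EXTERNAL_NET', rule_dst='$HOME_NET'):
    """Would a rule header 'rule_src any -> rule_dst any' consider this src/dst pair?"""
    return matches(rule_src, src, variables) and matches(rule_dst, dst, variables)


if __name__ == '__main__':
    v = parse_vars(SNORT_CONF)
    # the UDP DPT=1412 hit from the post: dial-in IP -> external IP
    print(in_scope('198.51.100.7', '203.0.113.10', v))   # True
    # a LAN host talking to the external IP is HOME_NET -> HOME_NET, not EXTERNAL
    print(in_scope('192.168.0.5', '203.0.113.10', v))    # False
```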