Snort mailing list archives

Help in filtering


From: "Gerardo Gregory" <ggregory () affinitas net>
Date: Wed, 8 Aug 2001 13:45:50 -0500

I am trying to find info that can show me examples on how to filter internal
traffic like web requests that originate internally, MAC broadcasts etc.

Got snort working great, but it is grabbing everything in sight. At this rate
I can fill my hard drive in a 24 hour period.

Thanks in Advance,

Gerardo Gregory [ARIN HANDLE : GG558-ARIN]
Network Engineer
Affinitas, Corp.
ASN-AFFINITAS [ARIN ASN]
1015 N. 98th St Suite 100
Omaha, NE 68114
402-970-1463 (Direct)
402-397-7576 (Fax)
E-mail : ggregory () affinitas net
www.affinitas.net
CCNA Certified

----- Original Message -----
From: "Martin Roesch" <roesch () sourcefire com>
To: <andrew.cogger () innovonics com au>
Cc: <snort-users () sourceforge net>
Sent: Wednesday, August 08, 2001 12:59 PM
Subject: Re: [Snort-users] Snort 1.81Beta6 build 64 broken stream4?


Andrew Cogger wrote:

> G'day,
>
> Updated from 1.81beta5 build 59 to 1.81beta6 build 60 (and then 64),
> only to find snort died overnight. Also, although snort is going mad logging
> http scans from CodeRedII infected machines, snort is no longer capturing
> alerts aimed at our web site, which up until beta6 were being captured fine.
> Even telnetting into our web site and typing in content strings which should
> be triggering alerts caused none to be logged.
> Could there be a prob with the stream plugin??

Shouldn't be, the packets are passed through the detection engine as
each one arrives; in the case of telnetting in and typing something, that
packet should go through the detection engine normally and set it off.
Sounds like you've got a config problem.  Try stealth scanning yourself
or doing an nmap fingerprint scan and see if they show up.  If they
don't then you've definitely got a configuration problem.  Is the rule
you're trying to trigger turned on?  Are your HOME_NET and EXTERNAL_NET
variables set properly?  Does your EXTERNAL_NET variable setting allow
you to detect events from your local network?

Could you tell us the command line switches and config you're using?
How about a backtrace of the crash?

> System - redhat 7.1, snort beta6 build 64, logging to mysql.
>
> Anyone else had problems with beta6?

Running fine here.

> Also....anyone know where I can get beta5build59 source from (sheepish
> grin).....

http://www.snort.org/files/snort-1.8.1-beta5.tar.gz


    -Marty


--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




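Editor's note, added example (not from anyone in this thread and not Snort project code): one way to do what Gerardo asks for, and to check the HOME_NET/EXTERNAL_NET point Marty raises. Snort 1.8 hands a BPF expression to libpcap either as trailing command-line arguments or from a file given with -F; packets the filter rejects are dropped before decoding, so they are never logged and never fill the disk. The script below builds such a filter for internally-originated web requests and Ethernet broadcasts, plus a minimal snort.conf that keeps EXTERNAL_NET as "any" so rules still fire on traffic sourced inside the local net. The 10.1.1.0/24 network, eth0, the file names and the chosen rule files are assumptions for the example.

```shell
#!/bin/sh
# Added example: pcap pre-filter and HOME_NET/EXTERNAL_NET settings for Snort 1.8.
# The network 10.1.1.0/24, interface eth0 and all file names are assumptions.

HOME_NET="10.1.1.0/24"

# Build the BPF expression Snort passes to libpcap. Everything inside the
# "not (...)" branches is discarded before the decoder runs, so it costs no
# disk and no detection-engine time. libpcap knows nothing about Snort's
# $HOME_NET, so the network has to be spelled out here.
#   - web requests that ORIGINATE inside HOME_NET (client side only: inbound
#     requests to an internal web server still have dst net HOME_NET and pass)
#   - Ethernet broadcasts (ARP chatter, NetBIOS name service and the like;
#     add "and not ether multicast" if that is noisy too)
# Caveat: an internal box scanning OUT on port 80 (the CodeRedII pattern
# mentioned in this thread) is invisible once this filter is in place.
build_bpf() {
    net="$1"
    printf 'not (src net %s and (dst port 80 or dst port 443)) and not ether broadcast\n' "$net"
}

# Minimal snort.conf fragment. EXTERNAL_NET is deliberately "any": with
# "var EXTERNAL_NET !$HOME_NET", a rule written
#   $EXTERNAL_NET any -> $HOME_NET any
# cannot match a packet whose source is inside HOME_NET, so a telnet test
# from an internal machine produces no alert even though the rule is loaded.
build_conf() {
    net="$1"
    cat <<EOF
var HOME_NET $net
var EXTERNAL_NET any
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
include classification.config
include web-iis.rules
include web-cgi.rules
include scan.rules
EOF
}

# Write both files and print the command line that uses them.
main() {
    out="${OUT_DIR:-.}"
    build_bpf "$HOME_NET" > "$out/snort.bpf"
    build_conf "$HOME_NET" > "$out/snort-test.conf"
    echo "snort -c $out/snort-test.conf -F $out/snort.bpf -i eth0 -l /var/log/snort"
}

main "$@"
```

Before pointing Snort at the filter, compile it once with tcpdump (tcpdump -d -F snort.bpf, run as root on an interface or with -r against a capture file) so a syntax error shows up there rather than as a silent Snort start-up failure. Then repeat Marty's test: telnet to the web server from an internal host and send a string a loaded web rule matches; if nothing is logged with EXTERNAL_NET set to "any", the rule file is not included or the BPF filter is dropping the packets.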