![snort logo](/images/snort-logo.png)
Snort mailing list archives
Help in filtering
From: "Gerardo Gregory" <ggregory () affinitas net>
Date: Wed, 8 Aug 2001 13:45:50 -0500
I am trying to find info that can show me examples on how to filter internal traffic like web requests that originate internally, MAC broadcasts etc. Got snort working great, but it is grabbing everything in sight; at this rate I can fill my hard drive in a 24-hour period.

Thanks in advance,

Gerardo Gregory [ARIN HANDLE : GG558-ARIN]
Network Engineer
Affinitas, Corp. ASN-AFFINITAS [ARIN ASN]
1015 N. 98th St Suite 100
Omaha, NE 68114
402-970-1463 (Direct)
402-397-7576 (Fax)
E-mail : ggregory () affinitas net
www.affinitas.net
CCNA Certified

----- Original Message -----
From: "Martin Roesch" <roesch () sourcefire com>
To: <andrew.cogger () innovonics com au>
Cc: <snort-users () sourceforge net>
Sent: Wednesday, August 08, 2001 12:59 PM
Subject: Re: [Snort-users] Snort 1.81Beta6 build 64 broken stream4?
Andrew Cogger wrote:
> G'day,
>
> Updated from 1.81beta5 build 59 to 1.81beta6 build 60 (and then 64), only to find snort died overnight. Also, although snort is going mad logging http scans from CoderedII infected machines, snort is no longer capturing alerts aimed at our web site, which up until beta6 were being captured fine. Even telnetting into our web site and typing in content strings which should be triggering alerts caused none to be logged.
>
> Could there be a prob with the stream plugin??

Shouldn't be, the packets are passed through the detection engine as each one arrives; in the case of telnetting in and typing something, that packet should go through the detection engine normally and set it off. Sounds like you've got a config problem. Try stealth scanning yourself or doing an nmap fingerprint scan and see if they show up. If they don't then you've definitely got a configuration problem. Is the rule you're trying to trigger turned on? Are your HOME_NET and EXTERNAL_NET variables set properly? Does your EXTERNAL_NET variable setting allow you to detect events from your local network? Could you tell us the command line switches and config you're using? How about a backtrace of the crash?

> System - redhat 7.1, snort beta6 build 64, logging to mysql. Anyone else had problems with beta6?

Running fine here.

> Also....anyone know where I can get beta5build59 source from (sheepish grin).....

http://www.snort.org/files/snort-1.8.1-beta5.tar.gz

-Marty

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
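The two knobs the question and Marty's reply point at are the snort.conf HOME_NET/EXTERNAL_NET variables (so rules only match traffic crossing the perimeter) and a BPF filter handed to Snort (so internal-to-internal packets and link-layer broadcasts never reach the decoder at all). The script below is an added example and is not code from the thread or from the Snort project; it assumes HOME_NET is 10.0.0.0/8, the sniffing interface is eth0, output goes under /tmp, and that Snort 1.8's `-F <file>` option and textual `var` expansion (so `!$HOME_NET` becomes a negated address in rules) behave as they did in that release. The rule in the config fragment is constructed for illustration, not taken from the Snort rule set.

```shell
#!/bin/sh
# Added example (not from the thread): stop Snort from logging internal
# web traffic and link-layer broadcasts, using two complementary mechanisms:
#   1. snort.conf variables, so perimeter rules only fire on external -> internal
#   2. a BPF filter file (-F), so filtered packets never reach the decoder
# Assumptions: HOME_NET is 10.0.0.0/8, interface eth0, files under /tmp.

HOME_NET="${HOME_NET:-10.0.0.0/8}"
IFACE="${IFACE:-eth0}"
OUTDIR="${OUTDIR:-/tmp/snort-filter-example}"

# BPF expression: drop internal<->internal traffic and link-layer
# broadcast/multicast. Anything crossing the perimeter in either direction
# still reaches the detection engine.
build_bpf() {
    net="$1"
    printf 'not (src net %s and dst net %s) and not ether broadcast and not ether multicast\n' \
        "$net" "$net"
}

# snort.conf fragment: EXTERNAL_NET is the negation of HOME_NET, so a rule
# written as $EXTERNAL_NET any -> $HOME_NET 80 cannot match an internal
# client hitting an internal web server. The rule itself is a constructed
# illustration, not one from the Snort rule set.
build_conf() {
    net="$1"
    cat <<EOF
var HOME_NET $net
var EXTERNAL_NET !\$HOME_NET
var HTTP_SERVERS \$HOME_NET
# constructed example rule: only external clients talking to internal web servers
alert tcp \$EXTERNAL_NET any -> \$HTTP_SERVERS 80 (msg:"example cmd.exe request from outside"; content:"cmd.exe"; nocase; flags:A+;)
EOF
}

write_files() {
    mkdir -p "$OUTDIR/log"
    build_bpf "$HOME_NET" > "$OUTDIR/internal.bpf"
    build_conf "$HOME_NET" > "$OUTDIR/snort.conf"
}

write_files

# Launch only if snort is installed. -F reads the BPF filter from a file;
# -A fast writes one-line alert records instead of full packet dumps, which
# is what keeps a busy sensor from filling the disk in a day.
if command -v snort >/dev/null 2>&1; then
    snort -i "$IFACE" -c "$OUTDIR/snort.conf" -F "$OUTDIR/internal.bpf" \
        -A fast -l "$OUTDIR/log"
fi
```

The trade-off to keep in mind: the BPF filter discards internal-to-internal packets before Snort ever decodes them, so an infected internal host scanning internal web servers (the CodeRed noise mentioned earlier in the thread) becomes invisible. Restricting rules with `$EXTERNAL_NET` instead keeps those packets available to rules that do not use it (scan and worm signatures, for instance) while still silencing the perimeter web rules for local browsing. Use the BPF approach when disk space is the overriding concern and the variable approach when you still want visibility inside the network.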
Current thread:
- Snort 1.81Beta6 build 64 broken stream4? Andrew Cogger (Aug 08)
- Re: Snort 1.81Beta6 build 64 broken stream4? Jason A. Haynes (Aug 08)
- Re: Snort 1.81Beta6 build 64 broken stream4? Martin Roesch (Aug 08)
- Help in filtering Gerardo Gregory (Aug 08)