Snort mailing list archives
Re: alerting on local test traffic
From: Michael Boman <michael.boman () securecirt com>
Date: Tue, 18 Dec 2001 21:01:14 +0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 18 December 2001 20:35, Tim.Maletic () priority-health com wrote:
I can't get snort to alert on localhost traffic. I want to test snort on a system that is attached to a LAN, but I don't want any of my tests to traverse the LAN. My test traffic will trigger an alert when it's aimed at another system, but never when its source and destination are interfaces on the sensor. And this after a day's worth of playing around with HOME_NET, EXTERNAL_NET, the "-i" switch, and multiple dummy interfaces (per the faq). Will someone be kind enough to control their snickering, step forward, and point out the obvious command-line switch that will reverse this behavior? (Or in some other way help?) Thanks! Tim
Snort is sniffing the NIC, and if you go from local to local (even if you are using external IP's they will not go thru the NIC. Try sniffing the 'lo' interface. Best regards Michael Boman - -- Michael Boman Mobile: +65 96942601 750C Chai Chee Road Security Architect Phone : +65 243 6800 #04-01 SecureCiRT Fax : +65 441 5119 Singapore 469003 http://www.securecirt.com mailto:michael.boman () securecirt com GnuPG: FA4E C6CC B73E 320E 3349 C64F 76CE 5F40 98AB 689C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8Hz4fds5fQJiraJwRAtfCAKCQAwg5KUe/rr68GP4ojWBS/QS7fACeNXNd DGTus7EPABv8dJfW5sucr58= =0peC -----END PGP SIGNATURE----- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- alerting on local test traffic Tim . Maletic (Dec 18)
- Re: alerting on local test traffic Michael Boman (Dec 18)