Snort mailing list archives
AW: Snort
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Wed, 20 Feb 2002 07:09:52 +0100
Just to shed some light into that: You can think of a multi-speed hub to contain 2 internal hubs (one for 100 and one for 10 Mb) connected via a switch. If one box is connecting with 10 and the other with 100 Mb, traffic is not sent to each other except if directly addressed. If both boxes are at the same speed your configuration would have worked well.

Ciao,
Sandro
-----Original Message-----
From: Scott Taylor [mailto:scottt () soccer com]
Sent: Wednesday, 20 February 2002 01:17
To: ccamp () oakcitysolutions com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort

That was it! The hub is a Netgear 10/100 auto sensing hub. I'm not sure why this would affect the traffic like that but it did. Specifically it's a DS104. I found an old 10baseT hub. Plugged both systems in and voilà! It worked.

Thanks for your time.

Scott

---- Begin Original Message ----
From: "Dr. Richard W. Tibbs" <ccamp () oakcitysolutions com>
Sent: Tue, 19 Feb 2002 18:36:55 -0500
To: Scott Taylor <scottt () soccer com>
Subject: Re: [Snort-users] Snort

Have you tried running snort on your firewall box? Are the results the same?

If you have a hub with learning/bridging capability, then traffic destined to the IPs behind the firewall will never reach your snort box, even tho snort puts the NIC in promiscuous mode.

Is it possible that the only traffic seen by snort in sniffer mode is true broadcast traffic? (That will definitely be seen by the snort-box, but it will probably generate no alarms.)

HTH
>>RWT

Scott Taylor wrote:

I'm running snort 1.8.3-5 on Redhat 7.1. Libpcap is 0.6.2-9. Below is showing how my sensor is located. The external ip of my firewall is x.x.x.27 and the ip on my sensor is x.x.x.223 the subnet mask from my isp is 255.255.255.0

                       _
                      |h|
    ISP-----DSL-------|u|-------snort-box
                      |b|-------firewall------|Lan|
                       -

I've set my snort.conf home_net and all the variables regarding ip addresses to "any". If I run snort in sniffer mode I can see traffic. If I run in NIDS mode it shows nothing in the logs. Even if I go to grc.com and do a portscan it shows nothing in /var/log/snort/alert or portscan.log. There is also a file snort-timestamp.log but it is in binary format.

I'm trying to set up Snort Snarf to read the logs. When I run it it generates the page but there are no alerts. It shows it's looking in alerts and portscan.log.

Here's the command I'm running snort with:

    snort -l /var/log/snort -c /etc/snort/snort.conf -o -b -A FULL -z est

How do I read what's in the snort-timestamp.log? Why is it now logging any alerts or portscans?

Thanks for any help and take three drinks if you're so inclined.

Cheers,
Scott

THERE IS ONLY ONE... SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

---- End Original Message ----
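The question raised in the thread, whether the sensor sees only broadcast traffic, can be checked against a capture in tcpdump (classic pcap) format, which is what Snort's -b option writes. The following is an added example, not part of the original thread: it classifies each Ethernet frame by destination and reports the sensor as blind when no unicast traffic between other hosts appears. The function names, MAC addresses and capture bytes are constructed for illustration.

```python
import struct
from collections import Counter

def classify_frames(pcap_bytes, sensor_mac):
    """Count Ethernet frames in a classic pcap capture by destination class."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != 1:  # 1 = Ethernet
        raise ValueError("only Ethernet captures are handled")
    sensor = bytes.fromhex(sensor_mac.replace(":", ""))
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < max(caplen, 14):
            counts["truncated"] += 1
        elif frame[0] & 1:  # group bit set: broadcast or multicast
            counts["broadcast_or_multicast"] += 1
        elif sensor in (frame[0:6], frame[6:12]):
            counts["sensor_own"] += 1
        else:  # unicast between two other hosts
            counts["other_unicast"] += 1
    return counts

def sensor_is_blind(counts):
    """True when no unicast traffic between other hosts reached the sensor."""
    return counts["other_unicast"] == 0

# Constructed sample data (documentation-range MACs, empty payloads).
SENSOR, FIREWALL, ROUTER = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"

def _frame(dst, src):
    return bytes.fromhex((dst + src).replace(":", "")) + b"\x08\x00" + bytes(46)

def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

BLIND = _pcap([_frame("ff:ff:ff:ff:ff:ff", FIREWALL), _frame(SENSOR, ROUTER)])
HEALTHY = _pcap([_frame("ff:ff:ff:ff:ff:ff", FIREWALL), _frame(FIREWALL, ROUTER)])

if __name__ == "__main__":
    for name, cap in (("blind", BLIND), ("healthy", HEALTHY)):
        c = classify_frames(cap, SENSOR)
        print(name, dict(c), "blind" if sensor_is_blind(c) else "sees third-party traffic")
```

A capture taken on a sensor behind a dual-speed or learning hub would look like the BLIND sample: broadcasts and the sensor's own traffic, but nothing addressed to the firewall.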