Snort mailing list archives

Snort doesn't detect traffic.


From: <Magnus.M.Glantz () telia se>
Date: Wed, 29 May 2002 17:59:38 +0200

Hiyas,
 
I'm running Snort-1.8.6 on FreeBSD 4.5 (i386) and MySQL-current.
 
My problem is that I'm not detecting all traffic on the network segment that Snort is connected to.
I've got 4 boxes connected to a hub; one of those boxes, a MsSQL server, is connected to another network as well.
I'm using Snort to check for signs that box1, box2 and box3 have been compromised and are trying to
compromise my MsSQL server as well.
 
My MsSQL server, Snort, Box1, box2 and box3 are all on the same network/mask.
192.168.135.*
 
Will there be any problems detecting alerts?
I noticed that you have to define a HOME_NET and an EXTERNAL_NET,
but for me they're the same.
I defined HOME_NET as 192.168.135.0/24 and EXTERNAL_NET as any.
I've also tried the reverse, and also defining 192.168.135.0/24 as both...
 
pretty ascii:
 
other net---mssql----     Hub     ----Snort
                                  |       |     |
                             box1 box2 box3
                               |         |       |
                                  Internet
 
Now, I want to detect all traffic except that going to MsSQL.
To start off I wrote a rule to check what traffic I could see.
 
./snort -v didn't result in what I expected (there was not much traffic that I saw, and it's a pretty busy net).
 
I then made a little ruleset which I included into snort.conf:
 
my.rules:
alert tcp any any -> any 22 (msg:"ssh connection";)
alert tcp any any -> any 23 (msg:"telnet connection";)
alert tcp any any -> any 25 (msg:"smtp connection";)
 
None of these sorts of traffic should exist on my network.
Now I wanted to try out my new ruleset.
 
I telnetted to my MsSQL server from Snort and voilà, I got an alert.
I telnetted to box1, box2 and box3 from Snort and I got an alert.
If I telnetted from box1, 2 or 3 to Snort, I got an alert, but...
if I telnetted from box1, box2 or box3 to the MsSQL server, Snort didn't detect anything!
 
I also tried to comment out my old rules and add alert tcp any any -> any any (msg:"tcp traffic";)
but that gave the same result.
 
I wonder if it might be the fact that all boxes are on the same network, and the fact that I
don't want to sniff for IP addresses that aren't in HOME_NET, but for traffic that is not allowed.
 
What am i doing wrong?
 
Best regards,
//Magnus
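Added example (not part of the original post or of Snort itself): a small Python model of how Snort resolves the address fields of a rule header, including the HOME_NET and EXTERNAL_NET variables and the `->` direction operator, run over a handful of constructed packets that mirror the tests in the post. It shows that the poster's `any any -> any N` rules are unaffected by the variable definitions, and that the only variable setting which would silently drop box-to-box traffic is `EXTERNAL_NET !$HOME_NET` combined with rules written as `$EXTERNAL_NET any -> $HOME_NET N`. The host addresses, the outside address and the hypothetical MS-SQL flow are assumptions; the post only gives the /24. Note that none of this can make a packet appear that the sniffing interface never received, so it only answers the "will HOME_NET = EXTERNAL_NET cause problems" question, not why `snort -v` saw little traffic.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_addr(spec, variables):
    """Resolve a rule address field ('any', CIDR, $VAR, !$VAR, !CIDR) into
    (negated, networks); networks is None for 'any'."""
    negated = False
    while spec.startswith("!"):
        negated = not negated
        spec = spec[1:]
    if spec.startswith("$"):
        inner_negated, nets = parse_addr(variables[spec[1:]], variables)
        return (negated != inner_negated, nets)
    if spec == "any":
        return (negated, None)
    return (negated, [ipaddress.ip_network(spec, strict=False)])


def addr_matches(addr_spec, ip):
    negated, nets = addr_spec
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


RULE_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text, variables):
    """Parse one rule header plus its msg option into a dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    msg = re.search(r'msg:\s*"([^"]*)"', opts)
    return {"action": action, "proto": proto, "dir": direction,
            "src": parse_addr(src, variables), "sport": sport,
            "dst": parse_addr(dst, variables), "dport": dport,
            "msg": msg.group(1) if msg else ""}


def _one_way(rule, src, sport, dst, dport):
    return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))


def rule_matches(rule, pkt):
    if rule["proto"] != pkt.proto:
        return False
    if _one_way(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport):
        return True
    # '<>' is bidirectional: also try the packet the other way round.
    return rule["dir"] == "<>" and _one_way(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport)


def run_rules(rules_text, variables, packets):
    """Return (msg, src, dst) for every rule hit on every packet."""
    rules = [parse_rule(l, variables) for l in rules_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return [(r["msg"], p.src, p.dst) for p in packets for r in rules if rule_matches(r, p)]


# Constructed sample hosts: the post only gives 192.168.135.*, so these
# addresses (and the outside host) are assumptions for the demonstration.
MSSQL, SNORT, BOX1, OUTSIDE = "192.168.135.10", "192.168.135.20", "192.168.135.31", "203.0.113.5"
PACKETS = [
    Packet("tcp", BOX1, 40001, MSSQL, 23),     # box1 -> MsSQL telnet (the case in the post)
    Packet("tcp", SNORT, 40002, MSSQL, 23),    # snort -> MsSQL telnet
    Packet("tcp", OUTSIDE, 40003, BOX1, 22),   # outside -> box1 ssh
    Packet("tcp", BOX1, 40004, MSSQL, 1433),   # box1 -> MsSQL on 1433: no rule covers it
]

# The poster's rules, with the missing ':' in the smtp rule supplied.
ANY_RULES = '''
alert tcp any any -> any 22 (msg:"ssh connection";)
alert tcp any any -> any 23 (msg:"telnet connection";)
alert tcp any any -> any 25 (msg:"smtp connection";)
'''
# The same rules written against the variables, the way stock rules are.
VAR_RULES = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ssh connection";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"telnet connection";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"smtp connection";)
'''
VARS_ANY = {"HOME_NET": "192.168.135.0/24", "EXTERNAL_NET": "any"}
VARS_NOT_HOME = {"HOME_NET": "192.168.135.0/24", "EXTERNAL_NET": "!$HOME_NET"}


def scenario(rules_text, variables):
    """Alerts produced on PACKETS for one (ruleset, variables) pair."""
    return run_rules(rules_text, variables, PACKETS)


if __name__ == "__main__":
    for name, rules, vars_ in [("any-rules / EXTERNAL_NET any", ANY_RULES, VARS_ANY),
                               ("var-rules / EXTERNAL_NET any", VAR_RULES, VARS_ANY),
                               ("var-rules / EXTERNAL_NET !$HOME_NET", VAR_RULES, VARS_NOT_HOME)]:
        print(name, scenario(rules, vars_))
```

With EXTERNAL_NET set to any, both rulesets alert on the box1 to MsSQL telnet; only the `!$HOME_NET` definition, paired with variable-based rules, stops alerting on traffic between two hosts of the same /24. The poster's `any any -> any` rules have no such dependency, so if those rules fire for some flows and not others, the difference lies in which packets reach Snort's interface, not in the rule variables.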
 

