Snort mailing list archives
: Configuration HELP! (understanding alerts and proxies)
From: Jason Martin <jmartin () hhsc org>
Date: Wed, 12 Jun 2002 11:51:13 -1000
Let me follow up on this before I get similar responses. I don't think I was very clear.

x.x.90.77 is a test machine I am using to scan my x.x.90.243 machine. The proxy scan is part of the scan I am using to emulate a PROXY scan attempt. The problem is the scan was from x.x.x.77, but my logs only show the ACK of my machine responding to x.x.x.77's request SYN port scan of my machine on that port. None of the other signatures for the port scan show up; in fact, the only reason this was logged was because of the traffic generated by x.x.x.243.

I'm looking for someone to point out where I misconfigured my config file so that it is detecting ONLY traffic generated by x.x.x.243 even though I have it in my portscan-ignore section. I guess it's two-part: why is it not detecting any external scans, and why is it not pre-processing my ignore variable?

Problem in a nutshell: IDS signatures when scans are run from x.x.x.243 are captured in logs. ALL scans from various other test machines against x.x.x.243 do not log. I do, however, see the traffic when I am running snort -dev -c snort.conf, so the interface is grabbing the packets. I think I misconfigured my config file so it doesn't know how to properly alert me. Or I'm just not making any sense and the way I'm phrasing my problem isn't coming across correctly.

I hope this made things a little clearer.

~Jason