Snort mailing list archives

Configuration HELP! (understanding alerts and proxies)


From: Jason Martin <jmartin () hhsc org>
Date: Wed, 12 Jun 2002 11:51:13 -1000

Let me follow up on this before I get similar responses. I don't think I was
very clear.
x.x.90.77 is a test machine I am using to scan my x.x.90.243 machine.  The
proxy scan is part of the scan I am using to emulate a PROXY scan attempt.
The problem is the scan was from x.x.x.77, but my logs only show the ACK of
my machine responding to x.x.x.77's SYN port scan of my machine on
that port.  None of the other signatures for the port scan show up; in fact,
the only reason this was logged was because of the traffic generated by
x.x.x.243.  I'm looking for someone to point out where I misconfigured my
config file so that it is detecting ONLY traffic generated by x.x.x.243, even
though I have it in my portscan-ignore section.  I guess it's two-part: why
is it not detecting any external scans, and why is it not pre-processing my
ignore variable?
Problem in a nutshell:
IDS signatures when scans are run from x.x.x.243 are captured in logs.  ALL
scans from various other test machines against x.x.x.243 do not log.  I do,
however, see the traffic when I am running snort -dev -c snort.conf, so the
interface is grabbing the packets.  I think I misconfigured my config file
so it doesn't know how to properly alert me.  Or I'm just not making any
sense and the way I'm phrasing my problem isn't coming across correctly.  I
hope this made things a little clearer.
        ~Jason
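For readers trying to follow the "portscan-ignore section" the post refers to, here is what the Snort 1.x (2002-era) portscan preprocessor and its ignore list look like in snort.conf. This is an added illustration, not the poster's configuration or anything from the Snort project itself; the 192.168.90.0/24 addresses are assumed placeholders standing in for the post's x.x.90.x hosts, and the log path is an assumption as well.

```conf
# Added example: Snort 1.x portscan preprocessor configuration.
# Addresses and paths below are assumed placeholders, not the poster's values.

# HOME_NET is the network the portscan detector watches for scans.
var HOME_NET 192.168.90.0/24

# Arguments: <monitored network> <number of ports> <detection period in seconds> <log file>
# Flag a scan when 4 or more ports on a host in HOME_NET are touched within 3 seconds.
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log

# Hosts whose scans the portscan detector should ignore (e.g. your own scanner
# or a busy DNS server). Takes a space-separated list of hosts or CIDR blocks.
# The scanner at .243 is listed here; the .77 test box is deliberately not,
# so scans from .77 against HOME_NET should still be reported.
preprocessor portscan-ignorehosts: 192.168.90.243
```

When checking a setup like this, the two things to confirm are that the scanning hosts and their targets actually fall inside the network given as the first portscan argument, and that the host you expect to be suppressed appears only in portscan-ignorehosts rather than also being excluded from HOME_NET. A quick way to see which packets the preprocessor is even offered is to run snort -dev with a BPF filter restricted to the scanning host's address and compare that with what reaches the portscan log.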






