Snort mailing list archives

Re: No alerts: Good or bad


From: Erek Adams <erek () snort org>
Date: Tue, 18 Feb 2003 10:55:06 -0500 (EST)

On Tue, 18 Feb 2003, Adam Shephard wrote:

> I've had Snort running on two different networks for
> about a week now. Both machines are running Debian
> Woody/Snort 1.8.4beta1-3/MySQL/ACID.

*STOP*  Do _NOT_ pass go.  Do _NOT_ collect $200.

Head straight to http://www.snort.org/dl/ and grab 1.9.0.  There are
binaries there if you need, but since the source is just './configure &&
make install' (for the most part) it won't be a painful thing.

I can't even begin to tell you how many bugs have been fixed since
1.8.4... You'll be doing yourself a _huge_ favor by upgrading.

Note to _ANYONE_ using a RPM, .pkg, /usr/port, etc...  Contact the
maintainer for Snort on your OS and ask them to _update_ to the current
version!

> I have no alerts on either box. I tried running a
> portscan using nmap both on the internal network and
> from the external network. The internal scans showed
> up, provided I had the HOME_NET set up as "any". The
> external scans didn't show up at all but that could
> just be my firewalls (OpenBSD w/pf on one net,
> Watchguard Firebox on the other) doing their jobs.

*gack*  I'm sorry you are having to use a Watchguard...  Damned thing
gave me a nervous tick when I had to use it.  ;-)

> So, do I assume all is well or are there other
> approaches I should take in terms of testing?

Honestly, it sounds like all is good.  But, it's always good to take the
Electric Kool-Aid Acid Test [0].  With Snort running in IDS mode, start an
instance of Snort in sniffer mode by 'snort -vd -i <interface>' and then
start the scans from external and internal.  Snort should show the packets
in the sniffer mode window.  If you don't see anything, then the packets
are never reaching the box.  Depending on your HOME_NET and EXTERNAL_NET
settings, if you do see traffic you may or may not have issues.

Try:

        var HOME_NET 192.168.0.0/24   (or whatever)
        var EXTERNAL_NET !$HOME_NET

And see what you get.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     Excellent Book!  http://tinyurl.com/60lp
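As an added example (not from Erek's mail or the Snort project), a small Python model of how the HOME_NET / EXTERNAL_NET variables decide whether a rule headed `$EXTERNAL_NET any -> $HOME_NET any` even looks at a packet. The snort.conf fragments are constructed, and the matcher is a simplification of Snort's address syntax (any, `!` negation, `$VAR` references, CIDR and `[a,b]` lists); it shows why the "any" setup sees internal scans and why combining HOME_NET any with `!$HOME_NET` would see nothing.

```python
import ipaddress

# Constructed snort.conf fragments (assumptions, not the poster's real config):
# the "any" setup described in the thread, Erek's suggested one, and the
# mix of the two that leaves EXTERNAL_NET empty.
CONF_ANY = "var HOME_NET any\nvar EXTERNAL_NET any\n"
CONF_FIXED = "var HOME_NET 192.168.0.0/24\nvar EXTERNAL_NET !$HOME_NET\n"
CONF_BAD = "var HOME_NET any\nvar EXTERNAL_NET !$HOME_NET\n"


def parse_vars(conf):
    """Collect 'var NAME VALUE' lines into a dict, keeping the raw value."""
    vars_ = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var":
            vars_[parts[1]] = parts[2]
    return vars_


def matches(value, ip, vars_):
    """Does address `ip` fall inside a Snort address spec?
    Simplified model: handles 'any', '!' negation, '$VAR' references,
    '[a,b,...]' lists and CIDR/host notation.  Note that '!any' matches
    nothing here; real Snort may reject that spec outright."""
    if value.startswith("!"):
        return not matches(value[1:], ip, vars_)
    if value.startswith("$"):
        return matches(vars_[value[1:]], ip, vars_)
    if value.startswith("[") and value.endswith("]"):
        return any(matches(v, ip, vars_) for v in value[1:-1].split(","))
    if value == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)


def rule_fires(conf, src, dst):
    """Would a rule headed '$EXTERNAL_NET any -> $HOME_NET any' consider a
    packet from src to dst under this config?  (Payload checks ignored.)"""
    v = parse_vars(conf)
    return matches(v["EXTERNAL_NET"], src, v) and matches(v["HOME_NET"], dst, v)


if __name__ == "__main__":
    for name, conf in (("any", CONF_ANY), ("fixed", CONF_FIXED), ("bad", CONF_BAD)):
        print(name, "external scan:", rule_fires(conf, "203.0.113.5", "192.168.0.10"),
              "internal scan:", rule_fires(conf, "192.168.0.7", "192.168.0.10"))
```

With CONF_FIXED an internal-to-internal scan no longer matches the `$EXTERNAL_NET -> $HOME_NET` header, which is the expected trade-off of narrowing HOME_NET.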



