Snort mailing list archives

Re: No alerts: Good or bad


From: Erek Adams <erek () snort org>
Date: Wed, 19 Feb 2003 12:23:09 -0500 (EST)

On Wed, 19 Feb 2003, Adam Shephard wrote:

> Done. Debian does have 1.9.0 in their UNSTABLE
> distribution so switching to it is not a big deal.

Good deal.  You've saved yourself some headaches down the road.  :)

> I didn't mind it too much until I set up my own box
> using pf. Now, the Firebox is the bane of my
> existence.

I know how you feel! :)

> That's what I've got in there. So, I figured "Cool.
> This should be simple." But noooooooooo.
>
> I've got the Firebox allowing a range of ports in from
> the address of my box running nmap. I know nmap is
> getting through because I can see it both on the
> Firebox logs and on the logs of a machine inside the
> network.
>
> I have snort on in sniffer mode and can see lots of
> traffic coming across it but none of that traffic is
> coming from my nmap box. I thought that perhaps it
> would look like traffic from the Firebox but there
> isn't any of that either.
>
> At first I felt like I was just paranoid and was
> trying to triple-check everything. Now, I'm wondering.

This Nmap box, is it inside HOME_NET or not?  Also, how are you connecting
these machines?  If you have one of those Autosensing 10/100 hubs, that's
your problem.  Check the FAQ [0] for the info on that.

You might want to get simple and enable 'ping.rules' in snort.conf.  Then
just simply ping the sensor and see if you can get an alert.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.snort.org/docs/faq.html#6.21

