Snort mailing list archives
RE: Too little traffic being seen!
From: Adrian.Mink () pinnaclewest com
Date: Thu, 24 Apr 2003 08:40:56 -0700
The reason they are all turned on is exactly why I am posting, too little traffic! That is also why I have external and internal nets set to any. I have tried setting my internal net to my actual subnet, but I continue to get the same set of results. Or lack of results!

-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com]
Sent: Wednesday, April 23, 2003 5:39 PM
To: Mink, Adrian (QB8692)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Too little traffic being seen!

Adrian:

On or about Wed, Apr 23, 2003 at 02:02:28PM -0700, Adrian.Mink () pinnaclewest com posited:
> Hello, I am running snort 2.0 on a Redhat 8.0 system using a stealth interface (no IP address on eth0). It is plugged into a switch set up as a span port, over which is flowing a large amount of traffic. There is another IDS plugged into the same switch, which is alerting on the traffic. However, snort is only generating maybe 1-2 alerts per hour, which is WAY too low. I even took it home (it's on a laptop) and plugged it in outside of my firewall on a cable connection and saw the same thing. So, I am hoping my config is messed up somehow; will someone take a look at it and let me know if there are any glaring issues? I am getting very few alerts, and when I fire up ethereal I can see the raw traffic, so I know the data is getting to the system. Help?
Why do you have $HOME_NET and $EXTERNAL_NET set to the same value, "ANY"?
var HOME_NET any
var EXTERNAL_NET any
By any bizarre chance are the "very few alerts" those where $HOME_NET == $EXTERNAL_NET in the triggered rule?

Also, it looks like you've got *all* the rules turned on. Why? Particularly why, when it's not working yet?

- John

--
"You are in a twisty maze of weblogs, all alike."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
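John's question about $HOME_NET and $EXTERNAL_NET both being "any" is easier to reason about with a small model of how a Snort 2.x rule header resolves those variables. The following is an added example written for this archive page; it is not Snort's code and not something either poster sent. It only models the address fields of a rule header (ports and rule options are ignored), the `var` lines from the thread, and the subnet form Adrian says he also tried. The home subnet 10.1.0.0/16, the rule header and the sample flows are all constructed for the example.

```python
# Added example (not Snort's code, not from the thread): a toy model of how a
# Snort 2.x rule header resolves $HOME_NET and $EXTERNAL_NET, so the effect of
# setting both to "any" can be seen on constructed packets.
import ipaddress


def parse_vars(conf_text):
    """Collect 'var NAME value' lines from a snort.conf-style fragment."""
    variables = {}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2]
    return variables


def address_matches(spec, ip, variables):
    """True if ip falls inside a rule-header address spec.

    Handles: any, CIDR, $VAR (expanded from the var table), !negation and
    [a,b,...] lists. Assumption: this covers the forms used in the thread's
    config; Snort's real parser accepts more.
    """
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec.startswith("$"):
        result = address_matches(variables[spec[1:]], ip, variables)
    elif spec == "any":
        result = True
    elif spec.startswith("[") and spec.endswith("]"):
        result = any(address_matches(m, ip, variables) for m in spec[1:-1].split(","))
    else:
        result = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return (not result) if negate else result


def rule_matches(header, src_ip, dst_ip, variables):
    """Evaluate only the address fields of 'alert proto SRC sport DIR DST dport'.

    Ports and rule options are ignored; only the question from the thread,
    whether the address variables let a packet reach the rule at all, is modelled.
    """
    _action, _proto, src_spec, _sport, direction, dst_spec, _dport = header.split()
    forward = (address_matches(src_spec, src_ip, variables)
               and address_matches(dst_spec, dst_ip, variables))
    if direction == "->":
        return forward
    if direction == "<>":
        reverse = (address_matches(src_spec, dst_ip, variables)
                   and address_matches(dst_spec, src_ip, variables))
        return forward or reverse
    raise ValueError("unknown direction: " + direction)


# Constructed config fragments: the any/any setting quoted in the thread, and
# the subnet form Adrian says he also tried (10.1.0.0/16 is a made-up home net).
ANY_ANY_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
"""
SUBNET_CONF = """\
var HOME_NET 10.1.0.0/16
var EXTERNAL_NET !$HOME_NET
"""

# A typical inbound-only rule header (constructed; no rule options).
INBOUND_HTTP = "alert tcp $EXTERNAL_NET any -> $HOME_NET 80"

# Constructed sample flows: (src, dst).
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.1.2.3"),   # outside -> inside
    ("10.1.2.3", "10.1.4.4"),      # inside -> inside
    ("10.1.2.3", "203.0.113.5"),   # inside -> outside
]


def matching_flows(conf_text, flows=SAMPLE_FLOWS, header=INBOUND_HTTP):
    """Return the flows whose addresses satisfy the rule header under conf_text."""
    variables = parse_vars(conf_text)
    return [flow for flow in flows if rule_matches(header, flow[0], flow[1], variables)]


if __name__ == "__main__":
    for name, conf in (("any/any", ANY_ANY_CONF), ("subnet", SUBNET_CONF)):
        print(name, "->", matching_flows(conf))
```

With both variables set to "any", the inbound rule header is satisfied by every one of the three flows, including inside-to-inside and outbound ones; with HOME_NET set to the real subnet and EXTERNAL_NET to !$HOME_NET, only the outside-to-inside flow reaches the rule. In this model the any/any setting makes rules match more, not less, so on its own it would not explain a shortage of alerts, which is consistent with Adrian seeing the same result after trying his actual subnet.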
Current thread:
- Too little traffic being seen! Adrian . Mink (Apr 23)
- Re: Too little traffic being seen! Matt Kettler (Apr 23)
- Re: Too little traffic being seen! John Sage (Apr 23)
- <Possible follow-ups>
- RE: Too little traffic being seen! Adrian . Mink (Apr 24)