Snort mailing list archives

Re[2]: Snort logging way too much

From: Ochronus <ochronus () all hu>
Date: Sat, 14 Feb 2004 08:11:44 +0100

Actually it's not meant to be a bug report, I rather suspect that I've misconfigured the pig.


But anyway:

System arch.:  x86 (Athlon)
System: Debian unstable
Snort version: 2.1 

Preprocessors: flow, frag2, stream4:detect_scans, disable_evasion_alerts, http_inspect_servers, rpc_decode, bo, 
telnet_decode, 

rules: Many. Almost all
output plugins: postgresql
command line: -i eth0  -p  -c <config-file>         (tried without -p)
snort errors: none



The thing is that I don't understand how comes that my machine logs packets/packet flows aimed to another machines. I 
thouht it was because of snort setting promiscuous mode, yet I think a decent switch in the server hosting area (there 
are 5 machines on the switch my machine is on) should not propagate every packet to all machines. But even if so, I 
should be able to tell snort only to watch for those having their destination IP my machine's.



Thank you,
Ochronus




------------------------
We need more info, please check out the BUGS file in the doc directory 
of your Snort distro.

     -Marty

On Feb 13, 2004, at 7:25 PM, Ochronus wrote:

Hi!

I have a hosted server with a fix IP address. I set $HOME_NET to this 
address, tried turning on and off promiscuous mode, still snort logs 
many packets sent to foreing machines, even to ones hosted trivially 
at other subnets.


Given the above layout (single server, no LAN attached, fix ip), could 
you give me some hints on configuring the pig for rule-based logging 
the packets sent only TO MY machine?


Thanks in advance,
Ochronus

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org





-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort logging way too much Ochronus (Feb 13)
- Re: Snort logging way too much Martin Roesch (Feb 13)
  - Re[2]: Snort logging way too much Ochronus (Feb 13)
    - Message not available
    - Re[2]: Snort logging way too much Ochronus (Feb 15)
    - Block Israel_Guadalupe_Lopez_Mascorro . . /Administracion/Jalisco (Feb 16)
    - Message not available
    - Re: Block Matt Kettler (Feb 16)
    - Re: Block Paul Schmehl (Feb 16)
    - Re: Block Frank Knobbe (Feb 16)
    - Re: Block Paul Schmehl (Feb 16)
    - Re: Block Frank Knobbe (Feb 16)
    - Re: Block Brian (Feb 16)
    - Re: Block Matt Kettler (Feb 17)