Snort mailing list archives

RE: Cant see alert for rule


From: "Tom Fulton" <tfulton9909 () comcast net>
Date: Wed, 2 Jun 2004 13:37:04 -0700

I pulled out my Linksys switch and put in an old 10/100 5-port workgroup
hub.  Same problem.
 
Anyone have any ideas?

Thanks

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Tom Fulton
Sent: Wednesday, June 02, 2004 12:37 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Cant see alert for rule



1) Snort 2.0.6 on Linux

2) Three PCs:

   1               2                 3
   w2kPC victim    Linux attacker    Linux snort box

3) I run:

   snort -d -e -v -c /etc/snort/snort.conf     (no errors)

4) Rule in ftp.rules is:

   alert tcp any any -> any 21 (content: "USER administrator"; msg: "FTP administrator login attempt";)

5) When I run: ftp <IPVictim> from the Linux attacker, I don't get any rules fired on my snort box.

6) I have a Gigabit Linksys 5-port workgroup switch between them all.

Why am I not able to see the alert?

Thanks!

