Snort mailing list archives
RE: Not logging everything
From: "Chuck Holley" <cholley () fitnessquest com>
Date: Tue, 20 Apr 2004 09:31:45 -0400
Fred, you hit the nail on the head. I just had a revelation. Last night when I was scanning I was getting told that it was being blocked; not thinking at the time, I just kept doing it. My router has access lists on it, blocking ICMP. If it can't get past the router it certainly isn't going to get to my switch. Sorry for the false alarm. :)

-----Original Message-----
From: Fred Portnoy [mailto:fportnoy () mail plymouth edu]
Sent: Tuesday, April 20, 2004 9:17 AM
To: 'Chuck Holley'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Not logging everything

Does your ISP or your router apply any filtering?

-fp

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chuck Holley
Sent: Tuesday, April 20, 2004 8:41 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Not logging everything

This is my problem. I have a snort box (set up using Patrick Harper's install guide for Fedora C1) local to the switch that all of my servers reside on. I set the switch (HP 2848) to monitor the port which is uplinked to my router, and to mirror the traffic to the port my snort box is on.

I did a lot of scanning last night from home using "nmap" and the "cis" scanning tools. I wrote down the IP address that my ISP gave me, came in this morning to see what snort had logged through ACID, and there was one alert to one of my servers. I pinged and scanned about 10 servers last night, and it only got one?????

My question is, are packets being dropped at my switch or is snort not logging properly due to some options not being specified? If I run nmap locally, snort pretty much gets it all, although it takes a little while to see in ACID.

Thanks

Chuck Holley
LAN Administrator
FitnessQuest Inc.
Canton, OH
cholley () fitnessquest com