Snort mailing list archives

Not sure I'm seeing all traffic


From: "John Creegan" <jcreegan () questarweb com>
Date: Tue, 29 Mar 2005 08:53:01 -0600

Hi, everyone...

Basics:
Snort 2.3.2, BASE 1.0.2
I've read Snort 2.0 Intrusion Detection (Syngress)
Intrusion Detection with Snort (Sams)
Intrusion Detection with Snort (Rehman)
And thousands of emails from the users group.

I've got my sniffing interface in promiscuous mode on a mirrored port.  The source port is the one my perimeter 
firewall is plugged into.  I'm thinking that this means that my sniffing interface *should* be seeing all traffic going 
out of the firewall *and* all traffic that the firewall is passing in.  My first question is:
     Is that correct?

I'm running two snort instances on the same box.  One for logging, one for alerting.  I'm attempting to verify that the 
alerting instance is catching everything.  No matter how much I read on the differences between the alert and log 
facilities I've remained confused as to how logging works.  Alerting is easy...say something when a rule is violated.  
Logging also seems affected by the rules (as in when I comment one out the logging instance no longer reports it 
either).  My second question is:
     Why is that?

The "-z est" argument has always troubled me.  I know it's there (thanks, Marty) to defeat stick attacks, but the 
argument "-z est" has never worked.  At least older versions of snort wouldn't start with that in the command line.  
"-z" has, so for the past three years I've never known whether I really am looking at only established traffic or not.  
And when looking for chat rule violations I don't know whether I should be...especially with the newer 
"flow:established" criteria written at the rule level.  My third (and final) question is:
     Does anyone know of more resources than I've read that can help me to understand all this better?

I'll appreciate any (positive) suggestions anyone cares to provide.  Thanks!
