Snort mailing list archives
Re: Snort only alert about traffic with an specific IP
From: "Berta Alcala" <berta83 () gmail com>
Date: Thu, 29 May 2008 10:01:22 +0200
Hi,

I tried with this rule (only this rule, the rest were commented out in snort.conf):

alert tcp any any -> any any (msg:"TCP traffic"; sid:1000011; rev:1;)

The only alerts registered are those which have my IP (source or destination). Using Ethereal I only see traffic with my IP as source or destination, or broadcast traffic. I cannot see a ping between two other PCs with Ethereal, nor with Snort (I attach a pcap file).

I have this information in snort.conf:

var HOME_NET 172.18.64.0/19
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET

Snort is installed as a Windows service with this command line:

snort /SERVICE /INSTALL -dev -c c:\Snort\etc\snort.conf -l c:\Snort\log -i2

I use Windows XP + Snort 2.7 + Base.

Jason, how can I disable checksum?

2008/5/27 Paul Schmehl <pschmehl_lists () tx rr com>:
Thousands of security professionals worldwide are using snort successfully. So, you can start with the safe assumption that the problem isn't snort.

Whether or not snort alerts on traffic is entirely dependent upon two things:

1) Traffic is passing the interface that snort is listening on
2) You have snort properly configured to see that traffic.

If you've convinced yourself, using Ethereal, that traffic *is* being seen on that interface, then that narrows the problem down to your configuration of snort.

What have you defined $HOME_NET as? What have you defined $EXTERNAL_NET as? What rules have you enabled in snort.conf? What are your startup options for snort (what interface, where do you log, etc.)?

To quickly see if snort is working at all, write a rule that looks for everything:

alert ip any any -> any any (msg:"Testing for detection capability"; sid:1000001; rev:1;)

Don't even bother editing sid-msg.map. All you care about is seeing that alerts are being generated. Depending upon your traffic, this could generate a ton of alerts in short order, so be prepared to shut down snort before you get overwhelmed.

What are you using to view the alerts?

--
Paul Schmehl
As if it wasn't already obvious, my opinions are my own and not those of my employer.
Attachment: traffic.pcap
Attachment: snort.conf
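The capture-point check Paul asks for (confirm with a sniffer that other hosts' traffic actually reaches the interface Snort listens on) can be run over a saved capture such as the attached traffic.pcap. This is an added example, not code from the thread or from the Snort project: it parses a classic libpcap file with the standard library only and splits IPv4 packets into "own or broadcast" versus "third-party" conversations, which is exactly the distinction Berta reports seeing in Ethereal. The sensor address 172.18.64.10, the sample frames and the "destination ending in .255 is broadcast" heuristic are constructed assumptions.

```python
import struct
from collections import Counter

def ipv4_frames(pcap):
    """Yield (src, dst) for each IPv4 packet in a classic libpcap file (Ethernet)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a libpcap capture")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24                                   # first record header follows the 24-byte file header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # Ethertype IPv4
            yield (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])))

def visibility_report(pcap, my_ip):
    """Count own/broadcast vs third-party packets (dst ending in .255 taken as broadcast)."""
    own = third = 0
    third_pairs = Counter()
    for src, dst in ipv4_frames(pcap):
        if my_ip in (src, dst) or dst.endswith(".255"):
            own += 1
        else:
            third += 1
            third_pairs[(src, dst)] += 1
    return {"own_or_broadcast": own, "third_party": third, "third_pairs": third_pairs}

def _frame(src, dst):
    """Constructed minimal Ethernet + IPv4 header (no payload) for the sample capture."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 1, 0, 0])   # ver/IHL, len 20, TTL 64, ICMP
    ip += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    return eth + ip

def _pcap(frames):
    """Constructed little-endian libpcap file wrapping the given frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + recs

MY_IP = "172.18.64.10"   # constructed sensor address inside HOME_NET 172.18.64.0/19
SAMPLE_PCAP = _pcap([
    _frame(MY_IP, "172.18.64.1"),            # own traffic
    _frame("172.18.64.1", MY_IP),            # own traffic
    _frame("172.18.64.7", "172.18.95.255"),  # broadcast, visible even on a switched port
    _frame("172.18.64.20", "172.18.64.21"),  # a ping between two other hosts
])
```

If a real capture taken on the sensor port shows a third_party count of zero while other hosts are known to be talking, their frames are not reaching the interface, and no rule set or checksum option will make Snort alert on them.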
Current thread:
- Snort only alert about traffic with an specific IP Berta Alcala (May 26)
- Re: Snort only alert about traffic with an specific IP Michael Boman (May 26)
- Re: Snort only alert about traffic with an specific IP Leon Ward (May 26)
- Re: Snort only alert about traffic with an specific IP Berta Alcala (May 27)
- Re: Snort only alert about traffic with an specific IP Jason Brvenik (May 27)
- Message not available
- Re: Snort only alert about traffic with an specific IP Berta Alcala (May 29)
- Re: Snort only alert about traffic with an specific IP Leon Ward (May 29)
- Re: Snort only alert about traffic with an specific IP Jason Brvenik (May 29)
- Re: Snort only alert about traffic with an specific IP Berta Alcala (May 30)
- Message not available
- Re: Snort only alert about traffic with an specific IP Berta Alcala (May 30)
- Message not available
- Re: Snort only alert about traffic with an specific IP Berta Alcala (Jun 02)
- Re: Snort only alert about traffic with an specific IP Berta Alcala (May 27)