Snort mailing list archives

Re: series of questions


From: John Sage <jsage () finchhaven com>
Date: Sun, 05 Aug 2001 09:06:30 -0700

Succendo:

succendo wrote:

> this is prolly a really stupid user error or maybe they're all
> related but here it goes.  first of all, I'm running snort on
> a linux ipmasq (or nat) server with 2 nics one (eth0) is the
> connection out, and one (eth1) is my internal lan. if I set it
> up to monitor eth1 and then do something to anger it, like a
> portscan from an internal box it reacts, but when it's configured
> to watch eth0 and I attempt to anger it using a shell it doesn't
> react at all. when it is killed it says that it saw the packets
> but no alerts.


Does it respond at all to normal traffic? If you set up some generic rules, say, that just log *everything*, and go about your business for a while (email, surf...) what does snort see?

Do you have $HOME_NET set correctly?

Are you starting snort with -i eth0 in your command line?

And when you say you're poking eth0 from a shell, that's still on your internal net, isn't it?

> also I'm running it on a 486 sx with 10 megs of
> ram the bandwidth is comparable to a t1 down stream but up stream
> is only 15 kbps. is that enough horse power? thanks a lot.


I don't think horsepower is the issue right now, but it may become one. My firewall/snort box is a Pentium 150 with 96MB ram but it's on a dialup...

...an *SX* with 10MB?

And when you say "..a t1 down stream.." do you mean going *out*?

urrmm.. I dunno. Could be dicey.


- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

