Re: Log questions

[Martin Roesch <roesch () sourcefire com>]

Phil wrote:
> Martin (and everyone else)

[snip] 

> That in itself isn't a huge discovery, you probably
> know you built that into Snort. However, the
> intersting part is I cannot limit my dumps with snort
> on elxl0, but I can on ppp0. For example:
>
> snort -dv -i ppp0 not port 22
>
> Does what it's supposed to while
>
> snort -dv -i elxl0 not port 22
>
> shows TONS of packets to and from port 22

This is a pcap problem, not a snort problem.  The BPF filtering
subsystem is provided by libpcap and the issues that you're seeing are
completely at that layer.  I'd recommend contacting the tcpdump.org guys
for that one.

> Additionally, I was running snort last night and ran
> the attack scripts from a machine outside the network.
> The following got completed (the rest were either
> status 'skipped' or I got tired after an hour and
> stopped):

[snip lots o' attacks]

> But not one of them was picked up by snort. I'm
> running snort with the following options:

Did you have rules running that pick up the attacks you run?  What tool
were you running?

> /usr/local/bin/snort -A fast -i ppp0 -l
> /var/log/snortlogs -c /etc/snort/snort.c
> onf -D
>
> and I have all the default includes in snort.conf. I
> have HOME_NET set to $ppp0_ADDRESS and EXTERNAL_NET is
> set to !$HOME_NET
>
> I'm running snort Version 1.8.1-RELEASE (Build 74)
> Solaris 8 x86 MU5 (7/01)

Your config looks good to me, if you're having problems I'd suggest not
running in daemon mode until you can be sure you aren't getting any
command line error messages.

     -Marty


--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users