Snort mailing list archives

using snort without an IP Addy


From: "Frontgate Lab" <mdiwan () wagweb com>
Date: Mon, 02 Jul 2001 17:11:44 -0400



Hi all,

I am using snort with a manually defined HOME_NET and no IP Addy
running on eth1.

I am running RH 7.1 and Snort version 1.7.1 (the version that ships
with RedHat is 1.7.3 which segfaults.. the 1.7.1 version from
www.snort.org works quite well and is more complete).

My question is:
Why do I seem to be having no luck forcing the creation of alerts when I
nmap scan the servers on the switch where I have snort plugged in?
It is a flat switch with no VLANs.. I am trying to get IDS
notifications on any traffic on that switch.

Any help appreciated.

My snort startup looks like this:

# Source function library (the leading "." sources it into this shell).
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth1

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        daemon /usr/sbin/snort -u snort -g snort -s -d -D \
                -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        ;;
  # remaining targets (stop, restart, ...) were not quoted in the post
esac


While I edited the /etc/snort/snort.conf to look like this:


var HOME_NET 21X.8X.XX.XX/24 
var EXTERNAL_NET any
var DNS_SERVERS [192.XXX.XXX.XXX/32,198.6.1.1/32]

preprocessor defrag
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS


Shouldn't this work?

Thanks :)

Madhav
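
As an added example (not code from the post or from the Snort project), here is a small Python parser for the variable and portscan lines of the snort.conf fragment above. It resolves the $HOME_NET and $DNS_SERVERS references the way the config expects and reports which addresses the portscan preprocessor is actually scoped to, so a sensor with an odd-looking HOME_NET can be sanity-checked before chasing switch problems. The addresses are constructed placeholders standing in for the masked ones in the post, and the argument order <network> <ports> <seconds> <logfile> is taken from the portscan line as written.

```python
import ipaddress
import re

# Constructed snort.conf fragment modelled on the post; addresses are documentation placeholders.
SNORT_CONF = """\
var HOME_NET 203.0.113.0/24
var EXTERNAL_NET any
var DNS_SERVERS [203.0.113.53/32,198.6.1.1/32]
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

def parse_vars(conf):
    """Collect 'var NAME VALUE' definitions into a dict."""
    return {m.group(1): m.group(2)
            for m in (re.match(r"\s*var\s+(\w+)\s+(\S+)", ln) for ln in conf.splitlines()) if m}

def expand(text, variables):
    """Replace every $NAME reference; an undefined name is a config error."""
    def sub(m):
        if m.group(1) not in variables:
            raise KeyError("undefined variable $" + m.group(1))
        return variables[m.group(1)]
    return re.sub(r"\$(\w+)", sub, text)

def to_networks(value):
    """Turn 'any', 'a.b.c.d/n' or a bracketed '[x,y]' list into ip_network objects."""
    if value == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(v, strict=False) for v in value.strip("[]").split(",")]

def portscan_scope(conf):
    """Return (monitored nets, ignored nets, port threshold, seconds) from the portscan lines."""
    variables = parse_vars(conf)
    monitored, ignored, ports, secs = [], [], None, None
    for line in conf.splitlines():
        if line.startswith("preprocessor portscan:"):
            args = expand(line.split(":", 1)[1], variables).split()
            monitored, ports, secs = to_networks(args[0]), int(args[1]), int(args[2])
        elif line.startswith("preprocessor portscan-ignorehosts:"):
            ignored = to_networks(expand(line.split(":", 1)[1], variables).strip())
    return monitored, ignored, ports, secs

def in_portscan_scope(addr, conf=SNORT_CONF):
    """True if addr lies in the monitored network and is not on the ignore list."""
    monitored, ignored, _, _ = portscan_scope(conf)
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in monitored) and not any(ip in n for n in ignored)
```

A masked or mistyped HOME_NET (such as the placeholder in the post) makes to_networks raise ValueError, which is the first thing worth ruling out.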



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

