Snort mailing list archives

RE: snort with 2 nics - collecting only UDP data


From: "Tinu Patel" <tinu.patel () insignis com>
Date: Tue, 27 Nov 2001 13:34:18 -0600

Thanks a lot for the feedback.......I removed the extra any from the
snort.conf file......and I am using log because I am entering data into
a mysql database and using ACID as a front end.  In my snort.conf file
if I do :
 
log udp any any -> 10.10.0.0/20 any
 
then I can see all the udp traffic, but when I do:
 
log tcp any any -> 10.10.0.0/20 any
 
then it doesn't log any data!!!!...which puzzles me coz it's the exact
same syntax but just a different protocol......
 
And I do not have a "nolog" directive in my snort.conf.....
 
Thanks
 
Tinu
 
 
-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: Tuesday, November 27, 2001 1:11 PM
To: Tinu Patel
Subject: Re: [Snort-users] snort with 2 nics - collecting only UDP data
 
Note that "log" is not the same as "alert".. are you sure you're looking
in the right place for your TCP packets?

Packets matching an alert rule appear both in your alert file
(/var/log/snort/alerts by default) and your log subdirectories. Log
rules only add to the subdirectories, but do not add to the alerts file.


i.e.: /var/log/snort/38.219.204.96/PROTO006:2216-80 is generated by logging
(alert rules will also generate these in addition to an entry in alerts)
 

also, what's the extra 'any' in that rule for? 
log tcp any any -> x.x.x.x/x any any 

I read this rule as:
log all packets which are: 
  TCP
  from any source address
  from any source port
  to x.x.x.x/x
  to any destination port
  and some stray extra 'any' that doesn't seem to belong.

Do you have a "nolog" directive in your conf? That will prevent any
logging, but still allow alert generation, which would make your rule do
nothing.

At 11:17 AM 11/27/2001, you wrote:

log tcp any any -> x.x.x.x/x any any

Thanks

Tinu