Re: alerting on local test traffic

[Michael Boman <michael.boman () securecirt com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 18 December 2001 20:35, Tim.Maletic () priority-health com wrote:
> I can't get snort to alert on localhost traffic.  I want to test snort on a
> system that is attached to a LAN, but I don't want any of my tests to
> traverse the LAN.  My test traffic will trigger an alert when it's aimed at
> another system, but never when its source and destination are interfaces on
> the sensor.  And this after a day's worth of playing around with HOME_NET,
> EXTERNAL_NET, the "-i" switch, and multiple dummy interfaces (per the faq).
>
> Will someone be kind enough to control their snickering, step forward, and
> point out the obvious command-line switch that will reverse this behavior?
> (Or in some other way help?)
>
> Thanks!
> Tim

Snort is sniffing the NIC, and if you go from local to local (even if you are 
using external IP's they will not go thru the NIC. Try sniffing the 'lo' 
interface.

Best regards
 Michael Boman

- -- 
Michael Boman       Mobile: +65 96942601  750C Chai Chee Road
Security Architect  Phone : +65 243 6800  #04-01
SecureCiRT          Fax   : +65 441 5119  Singapore 469003
http://www.securecirt.com mailto:michael.boman () securecirt com

GnuPG: FA4E C6CC B73E 320E 3349  C64F 76CE 5F40 98AB 689C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8Hz4fds5fQJiraJwRAtfCAKCQAwg5KUe/rr68GP4ojWBS/QS7fACeNXNd
DGTus7EPABv8dJfW5sucr58=
=0peC
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users