Snort mailing list archives

RE: No incoming data


From: "Philippe Dhont (Sea-ro)" <Philippe.Dhont () searo be>
Date: Thu, 21 Nov 2002 10:51:04 +0100

Hi,
Thanks for the advice.
I did a tcpdump on my eth0 (internal) and I get a lot of data, then I do a
tcpdump on my eth1 (external) and I get almost no data, only an
arp-who is... (2 lines). But I should get lots of data because Internet and
e-mail are passing that router.
Router and firewall are 10mbit and snort is 100mbit and all of these are
connected via a new 3com HUB.
On the firewall I see lots of traffic (I can see it on the network traffic
LED).
So I don't know why I get no data on my eth1, the fault must be something
different because I don't get any data with tcpdump.
The placement of the systems is as follows:


           SNORT ETH1
               |
               |
Router -------HUB-----------> firewall

Philippe Dhont 



-----Original Message-----
From: Mark Weaver [mailto:mark () npsl co uk] 
Sent: Wednesday 20 November 2002 17:12
To: 'Snort-Users@Lists. Sourceforge. Net'
Subject: RE: [Snort-users] No incoming data


Assuming what you are describing is:

       snort box
           |
router ---------->  firewall

then yes, you should see the traffic from the router.  First thing, run
tcpdump on the snort box and check that you are getting traffic on the
snorted if.  Next thing, do something that should generate an alert (nmap
the firewall or something), watching for traffic.  If snort doesn't generate
an alert, then you probably have the snort configuration wrong (check
external/home nets).

Finally, make sure you use a half-wired cable to prevent your snort box
being hax0red...

Mark

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Philippe 
Dhont (Sea-ro)
Sent: 20 November 2002 15:06
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] No incoming data


Hi all,
I have a snort system that works just fine.
It works with apache, mysql and acid and I tested it on an internal
server. A lot of fake errors come in but hey, it works fine.
Now I moved the configuration to detect Internet attacks.
I use a router and a firewall, I put a HUB between the router and the
firewall and I connected the firewall and the snort machine on the hub.
So I have a router, a hub and snort machine on one hub.
Now, because a hub is a broadcast device, I should get all the data from the
router to the firewall also on my snort but I get nothing on my snort.
Why not? Any idea?

Thanks,

Philippe Dhont


-------------------------------------------------------
This sf.net email is sponsored by: To learn the basics of securing 
your web site with SSL, click here to get a FREE TRIAL of a Thawte 
Server Certificate: http://www.gothawte.com/rd524.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users



