Snort mailing list archives

Re: No alerts: Good or bad


From: Adam Shephard <sfnative33 () yahoo com>
Date: Wed, 19 Feb 2003 07:40:16 -0800 (PST)

--- Erek Adams <erek () snort org> wrote:
> *STOP*  Do _NOT_ pass go.  Do _NOT_ collect $200.
>
> Head straight to http://www.snort.org/dl/ and grab 1.9.0.  There are
> binaries there if you need, but since the source is just './configure &&
> make install' (for the most part) it won't be a painful thing.

Done. Debian does have 1.9.0 in their UNSTABLE
distribution so switching to it is not a big deal.

> *gack*  I'm sorry you are having to use a Watchguard...  Damned thing
> gave me a nervous tic when I had to use it.  ;-)

I didn't mind it too much until I set up my own box
using pf. Now, the Firebox is the bane of my
existence.

> Honestly, it sounds like all is good.  But, it's always good to take the
> Electric Kool-Aid Acid Test
<snip>
> Depending on your HOME_NET and EXTERNAL_NET settings, if you do see
> traffic you may or may not have issues.
>
> Try:
>
>       var HOME_NET 192.168.0.0/24   (or whatever)
>       var EXTERNAL_NET !$HOME_NET
</snip>
That's what I've got in there. So, I figured "Cool.
This should be simple." But noooooooooo.

I've got the Firebox allowing a range of ports in from
the address of my box running nmap. I know nmap is
getting through because I can see it both on the
Firebox logs and on the logs of a machine inside the
network. 

I have snort on in sniffer mode and can see lots of
traffic coming across it but none of that traffic is
coming from my nmap box. I thought that perhaps it
would look like traffic from the Firebox but there
isn't any of that either.

At first I felt like I was just paranoid and was
trying to triple-check everything. Now, I'm wondering.
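
Added example, not part of the original messages: a simplified Python model of how the quoted HOME_NET / EXTERNAL_NET settings decide which packets a `$EXTERNAL_NET any -> $HOME_NET any` rule header can match. The sample addresses and the function names are constructed for illustration, and Snort's own variable parsing (address lists, for instance) is not reproduced.

```python
import ipaddress

# Variables as in the quoted snort.conf lines; the /24 is the sample value given there.
CONF = {"HOME_NET": "192.168.0.0/24", "EXTERNAL_NET": "!$HOME_NET"}

def resolve(value, conf):
    """Expand a var value into (negated, network); network is None for 'any'."""
    negated = False
    while True:
        if value.startswith("!"):      # '!' negates whatever follows
            negated = not negated
            value = value[1:]
        elif value.startswith("$"):    # '$NAME' refers to another variable
            value = conf[value[1:]]
        else:
            break
    if value == "any":
        return negated, None
    return negated, ipaddress.ip_network(value)

def addr_matches(addr, var, conf):
    """True if addr falls inside the (possibly negated) variable."""
    negated, net = resolve("$" + var, conf)
    hit = True if net is None else ipaddress.ip_address(addr) in net
    return hit != negated

def rule_header_matches(src, dst, conf):
    """Model of a '$EXTERNAL_NET any -> $HOME_NET any' header (hypothetical helper)."""
    return addr_matches(src, "EXTERNAL_NET", conf) and addr_matches(dst, "HOME_NET", conf)

# Constructed sample packets; these addresses are not from the thread.
SAMPLES = [
    ("scanner outside -> inside host", "203.0.113.10", "192.168.0.25"),
    ("firewall inside interface -> inside host", "192.168.0.1", "192.168.0.25"),
    ("inside host -> scanner outside", "192.168.0.25", "203.0.113.10"),
    ("scanner -> public (pre-NAT) address", "203.0.113.10", "198.51.100.5"),
]

def evaluate(conf=CONF):
    """Return {label: bool} for every sample packet under the given variables."""
    return {label: rule_header_matches(s, d, conf) for label, s, d in SAMPLES}

if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'MATCH' if hit else 'no match':9} {label}")
```

These variables only decide which captured packets a rule applies to; they do not change what sniffer mode displays.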
