Snort mailing list archives
RE: Help!!!
From: "Tom H" <tom () scriptsupport co uk>
Date: Fri, 1 Aug 2003 21:57:06 +0100
Hi, I've got pretty much the same setup. I am not an expert, but I thought I might give a few pointers based on my experience.

> I used Patrick S. Harper's install guide, Snort, Apache, PHP, MySQL, ACID on Redhat 9.0 Installation Guide, without any problems. Here is my problem: When I perform a Nessus audit on a machine on my local network, Snort does not log any intrusion detection activity. But, when I direct the Nessus audit directly at the box running Snort, the log files are generated and can be viewed using Acid. In my snort.conf file, I defined my local network as 192.168.0.0/24, which covers a small windows environment. BTW, using Snort 2.0. The Snort box is located on my local network at 192.168.0.198. Why does it not register, log, or recognize attacks directed at machines within its local network? Any help will be greatly appreciated... Thanks

It seems that your Snort set-up is not seeing the traffic to the rest of the network. Are you using a switch? If so, make sure you have plugged your Snort box into the uplink port, or configure the port to be a 'monitor' port via the switch configuration tool, if available.

It's possible that you might not have configured your network card to be in promiscuous mode. You can check this by using the ifconfig command; there should be an entry 'PROMISC' for the interface that you have plugged into the network, normally eth0. You can modify this by going to /etc/sysconfig/network-scripts and opening ifcfg-eth0 (or whichever is your LAN interface), adding PROMISC=yes, and then taking the interface down and restarting it again.

Then, to check whether it is seeing the traffic, you can run tcpdump from a terminal and see whether your box is actually getting the network traffic. You could probably do $ tcpdump | grep 192.168.0.1 (or change 192.168.0.1 for a known host on your network) and you should see packets dumped for that host.

Regards,
T.

PS. I'm no expert on this, so correct me if I'm wrong, or if there is a better way to do those things, as I expect you will do anyway.
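The two checks Tom describes (PROMISC on the interface, then tcpdump showing traffic between other hosts) written out as a small script. This is an added example, not code from the thread; it parses constructed samples of `ifconfig` and `tcpdump -n` output, and only HOME_NET 192.168.0.0/24, the sensor address 192.168.0.198 and eth0 come from the thread.

```python
import ipaddress
import re

# Values from the thread: snort.conf HOME_NET and the sensor's own address.
HOME_NET = ipaddress.ip_network("192.168.0.0/24")
SENSOR_IP = ipaddress.ip_address("192.168.0.198")

# Constructed sample of Red Hat 9 style `ifconfig eth0` output, PROMISC absent.
IFCONFIG_NO_PROMISC = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.0.198  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""
IFCONFIG_PROMISC = IFCONFIG_NO_PROMISC.replace("RUNNING ", "RUNNING PROMISC ")

# Constructed `tcpdump -n` lines: a scanner (.50) probing the sensor itself ...
TCPDUMP_SENSOR_ONLY = """\
21:57:01.100000 IP 192.168.0.50.1034 > 192.168.0.198.80: S 1:1(0) win 5840
21:57:01.200000 IP 192.168.0.198.80 > 192.168.0.50.1034: R 0:0(0) ack 2 win 0
"""
# ... and, on an uplink/monitor port, the same scanner probing other hosts too.
TCPDUMP_SPAN = TCPDUMP_SENSOR_ONLY + """\
21:57:02.000000 IP 192.168.0.50.1035 > 192.168.0.10.139: S 1:1(0) win 5840
21:57:02.100000 IP 192.168.0.50.1036 > 192.168.0.20.445: S 1:1(0) win 5840
"""
_PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")


def is_promisc(ifconfig_output):
    """True if the ifconfig flags line (the one starting with UP) lists PROMISC."""
    return re.search(r"^\s+UP\b.*\bPROMISC\b", ifconfig_output, re.M) is not None


def third_party_targets(tcpdump_output):
    """HOME_NET destinations in packets the sensor is not an endpoint of.
    Snort needs these to alert on a scan of the rest of the LAN; a
    non-promiscuous NIC on an ordinary switch port never receives them."""
    targets = set()
    for src, dst in _PKT.findall(tcpdump_output):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if SENSOR_IP not in (src_ip, dst_ip) and dst_ip in HOME_NET:
            targets.add(dst)
    return sorted(targets)


def diagnose(ifconfig_output, tcpdump_output):
    """Run the checks in the order the thread suggests: NIC first, then switch."""
    if not is_promisc(ifconfig_output):
        return "PROMISC not set: add PROMISC=yes to ifcfg-eth0 and restart the interface"
    if not third_party_targets(tcpdump_output):
        return "promiscuous, but only own traffic seen: use the uplink or a monitor port"
    return "ok: sensor sees traffic to other HOME_NET hosts"
```

On a real sensor, feed `diagnose()` the output of `ifconfig eth0` and a short `tcpdump -n -i eth0` capture taken while the Nessus scan targets another host.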
Current thread:
- Help!!! Brandon Hanks (Aug 01)
- Re: Help!!! Patrick S. Harper - CISSP (Aug 01)
- RE: Help!!! Tom H (Aug 01)
- <Possible follow-ups>
- RE: Help!!! Schmehl, Paul L (Aug 01)
- FW: Help!!! support (Aug 01)
- FW: Help!!! support (Aug 02)
- Help!!! henrique de lima arabe - PDBL/uoi (Aug 25)
- Re: Help!!! Matt Kettler (Aug 25)
- Re: Help!!! Erek Adams (Aug 25)
- Re: Help!!! Edin Dizdarevic (Aug 26)
- RE: Help!!! David (Aug 25)