Snort mailing list archives

RE: Help!!!


From: "Tom H" <tom () scriptsupport co uk>
Date: Fri, 1 Aug 2003 21:57:06 +0100

Hi,

I've got pretty much the same setup. I am not an expert, but I thought I
might give a few pointers based on my experience.
> I used Patrick S. Harper's install guide, Snort, Apache, PHP, MySQL, ACID
> on Redhat 9.0 Installation Guide, without any problems.  Here is my
> problem: When I perform a Nessus audit on a machine on my local network,
> Snort does not log any intrusion detection activity.  But, when I direct the
> Nessus audit directly at the box running Snort, the log files are generated
> and can be viewed using Acid.  In my snort.conf file, I defined my local
> network as 192.168.0.0/24, which covers a small windows environment.  BTW,
> using Snort 2.0.  The Snort box is located on my local network at
> 192.168.0.198.  Why does it not register, log, or recognize attacks directed
> at machines within its local network?  Any help will be greatly
> appreciated... Thanks

It seems that your snort set-up is not seeing the traffic to the rest of
the network. Are you using a switch? If so, make sure you have plugged your
snort box into the uplink port, or configure the port to be a 'monitor' port via
the switch configuration tool, if available.

It's possible that you might not have configured your network card to be in
promiscuous mode. You can check this by using the ifconfig command; there
should be an entry 'PROMISC' for the interface that you have plugged into the
network, normally eth0.
You can modify this by going to /etc/sysconfig/network-scripts and opening
ifcfg-eth0 (or whichever is your LAN interface), adding PROMISC=yes, and then
taking the interface down and restarting it again.

To check whether it is seeing the traffic, you can run tcpdump from a
terminal and see whether your box is actually getting the network traffic.
You could probably do
$tcpdump | grep 192.168.0.1
(or change 192.168.0.1 to a known host on your network) and you should see
packets dumped for that host.

Regards,

T.

PS. I'm no expert on this, so correct me if I'm wrong, or if there is a better
way to do those things, as I expect you will do anyway.
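An added example, not from this thread or from Snort itself: the two checks Tom describes (the PROMISC flag in ifconfig, and tcpdump showing traffic between other hosts) as small shell functions, run here against constructed sample output so they work offline. The sensor address 192.168.0.198 comes from the thread; `tcpdump -n` is assumed so that hosts appear as numeric addresses rather than resolved names.

```shell
# Added example, not from the thread: two checks for whether a Snort sensor
# really sees the LAN's traffic, as functions that read `ifconfig` or `tcpdump -n`
# output from stdin. Live use: ifconfig eth0 | is_promisc
#                               tcpdump -n -c 200 | count_third_party_packets
SENSOR_IP="192.168.0.198"   # the Snort box's address, as given in the thread

# Constructed `ifconfig eth0` output with promiscuous mode on, then off.
IFCONFIG_PROMISC='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.0.198  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'
IFCONFIG_PLAIN='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed `tcpdump -n` output from a mirror/uplink port: a scan of another
# host (.10 -> .20) is visible next to traffic aimed at the sensor itself.
TCPDUMP_MIRRORED='21:57:01.000001 IP 192.168.0.10.1234 > 192.168.0.20.80: S 1:1(0) win 5840
21:57:01.000002 IP 192.168.0.20.80 > 192.168.0.10.1234: R 0:0(0) ack 2 win 0
21:57:02.000003 IP 192.168.0.10.1235 > 192.168.0.198.22: S 3:3(0) win 5840
21:57:02.000004 arp who-has 192.168.0.1 tell 192.168.0.10'
# Constructed output from a plain switch port: only the sensor's own conversations
# (plus broadcast ARP) arrive, matching the symptom described in the thread.
TCPDUMP_ISOLATED='21:57:02.000003 IP 192.168.0.10.1235 > 192.168.0.198.22: S 3:3(0) win 5840
21:57:02.000004 IP 192.168.0.198.22 > 192.168.0.10.1235: S 4:4(0) ack 4 win 5792
21:57:02.000005 arp who-has 192.168.0.1 tell 192.168.0.10'

# Exit 0 if the ifconfig output on stdin carries the PROMISC flag.
is_promisc() {
    grep -q 'PROMISC'
}

# Count packets on stdin in which the sensor is neither source nor destination.
# Only such third-party traffic proves the interface sees the whole segment; a
# result of 0 means Snort can only ever alert on attacks aimed at the sensor.
count_third_party_packets() {
    awk -v me="$SENSOR_IP" '
        {
            src = ""; dst = ""
            for (i = 2; i < NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
            if (src == "") next                 # no "a > b" pair (e.g. an arp line)
            sub(/:$/, "", dst)                  # "192.168.0.20.80:" -> "192.168.0.20.80"
            sub(/\.[0-9]+$/, "", src)           # drop the .port suffix from host.port
            sub(/\.[0-9]+$/, "", dst)
            if (src != me && dst != me) n++
        }
        END { print n + 0 }'
}
```

A mirrored port gives a non-zero third-party count; the isolated sample yields 0 even though the sensor is visibly being scanned, which is exactly the "only alerts when attacked directly" symptom from the question.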