Snort mailing list archives

RE: Not Picking up Much WHY "I am pulling out myhair"


From: esavage () digitalrage org
Date: Mon, 13 Oct 2003 16:11:52 -0400 (EDT)

I have noticed with my snort setup that in the /var/log/snort directory
there is an alert.log and a snort.log. But the way the documentation tells
you to start barnyard, it tells you to use the -f option, which I use
pointing to the snort.log file. See how I start barnyard below.

/usr/local/bin/barnyard -D -w barn.waldo -c /etc/snort/barnyard.conf -d
/var/log/snort -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map  -f
snort.log

So is this my problem, that it is only looking at the log and not at the
alert.log? If so, what is the proper way to get it to look at both?


I have just come across some articles stating that if you are running
snort on your firewall as I am and monitoring the external interface, it
is all set up correctly, but just because of the way PF acts, if you drop it
at the external firewall interface snort never sees the packet. Can
someone confirm this? I have seen a number of articles and emails stating
that snort sees all traffic before it is ever filtered by PF, and have now
come across others that say the exact opposite.

Can someone clear this up?






RE: [Snort-users] Not Picking up Much WHY "I am pulling out myhair"

Snort is running on the firewall itself monitoring the outside interface
directly connected to the net. This is why I am amazed that it is not
picking up anything more. I have just checked it again this morning and
nothing but ICMP. And from everything I have read it says snort running
on a firewall will see every packet before pf does and before any
filtering happens.


-----Original Message-----
From: Patrick Harper [mailto:lists () internetsecurityguru com]
Sent: Sunday, October 12, 2003 9:41 PM
To: Elijah Savage
Cc: Snort-Users
Subject: Re: [Snort-users] Not Picking up Much WHY "I am pulling out myhair"

Do you have any filters set up? If Snort is behind your firewall it will
only see what makes it through.

On Sun, 2003-10-12 at 17:23, Elijah Savage wrote:
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users