Snort mailing list archives
RE: Cant see alert for rule
From: "Harper, Patrick" <patrick.harper () phns com>
Date: Wed, 2 Jun 2004 15:43:56 -0500
I believe it is the switch that is the problem. Do you have a hub you can test with? I do not think those have the option to set a span or monitor port.

_____

From: Tom Fulton [mailto:tfulton9909 () comcast net]
Sent: Wednesday, June 02, 2004 1:37 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Cant see alert for rule

1) Snort 2.0.6 on linux

2) Three pcs:

   1               2                 3
   w2kPC victim    linux attacker    linux snort box

3) I run: snort -d -e -v -c /etc/snort/snort.conf (no errors)

4) Rule in ftp.rules is:

   alert tcp any any -> any 21 (content: "USER administrator"; msg: "FTP administrator login attempt";)

5) When I run: ftp <IPVictim> from linux attacker, I don't get any rules fired on my snort box.

6) I have a Gigabit Linksys 5-port workgroup switch between them all

Why am I not able to see the alert?

Thanks!
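
Why a sensor on an ordinary switch port never sees the FTP login, as an added illustration that is not part of the original thread: a small Python model of the three-host lab comparing a hub, a learning switch, and a switch with a mirror port. The MAC addresses, port numbers, frame payloads and the `mirror_to` parameter are constructed for the example.

```python
# Added illustration of the post's three-host lab. MACs, port numbers and
# frame payloads are constructed, not taken from the thread.
BROADCAST = "ff:ff:ff:ff:ff:ff"
PORTS = {1, 2, 3}
HOSTS = {  # name -> (device port, MAC)
    "victim": (1, "02:00:00:00:00:01"),
    "attacker": (2, "02:00:00:00:00:02"),
    "snort": (3, "02:00:00:00:00:03"),
}
# (sender, receiver or None for broadcast, payload) for one FTP login
FRAMES = [
    ("attacker", None, "ARP who-has victim"),
    ("victim", "attacker", "ARP reply"),
    ("attacker", "victim", "TCP SYN dport 21"),
    ("victim", "attacker", "220 FTP server ready"),
    ("attacker", "victim", "USER administrator"),
]

class Hub:
    """Repeats every frame out of all ports except the ingress port."""
    def forward(self, in_port, src, dst):
        return PORTS - {in_port}

class LearningSwitch:
    """Learns source MAC -> port; floods only broadcast/unknown destinations."""
    def __init__(self, mirror_to=None):
        self.table = {}
        self.mirror = {mirror_to} if mirror_to else set()  # hypothetical SPAN port
    def forward(self, in_port, src, dst):
        self.table[src] = in_port
        if dst != BROADCAST and dst in self.table:
            out = {self.table[dst]}       # known unicast: one port only
        else:
            out = PORTS - {in_port}       # broadcast or unknown: flood
        return (out | self.mirror) - {in_port}

def sensor_view(device):
    """Payloads that reach the Snort box's port through the given device."""
    seen = []
    for sender, receiver, payload in FRAMES:
        in_port, src = HOSTS[sender]
        dst = HOSTS[receiver][1] if receiver else BROADCAST
        if HOSTS["snort"][0] in device.forward(in_port, src, dst):
            seen.append(payload)
    return seen

if __name__ == "__main__":
    for name, dev in [("hub", Hub()), ("switch", LearningSwitch()),
                      ("switch + mirror", LearningSwitch(mirror_to=3))]:
        print(f"{name:16} {sensor_view(dev)}")
```

On the plain switch the sensor receives only the broadcast ARP request, so the rule's content match has no packet to fire on.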