Snort mailing list archives

RE: Cant see alert for rule


From: "Harper, Patrick" <patrick.harper () phns com>
Date: Wed, 2 Jun 2004 15:43:56 -0500

I believe it is the switch that is the problem. Do you have a hub you
can test with? I do not think those have the option to set a span or
monitor port.
 

  _____  

From: Tom Fulton [mailto:tfulton9909 () comcast net] 
Sent: Wednesday, June 02, 2004 1:37 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Cant see alert for rule



1) 
Snort 2.0.6 on linux 


2) 
Three PCs: 
  1                2                  3 
w2kPC victim     linux attacker     linux snort box 


3) 
I run: 
snort -d -e -v -c /etc/snort/snort.conf     (no errors) 


4) 
Rule in ftp.rules is: 
alert tcp any any -> any 21 (content: "USER administrator"; msg: "FTP administrator login attempt";) 


5) 
When I run: ftp <IPVictim>  from linux attacker, I don't get any rules
fired on my snort box. 


6) 
I have a Gigabit Linksys 5-port workgroup switch between them all 


Why am I not able to see the alert? 

Thanks! 




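One way to check the switch diagnosis from the snort box, as an added example that is not part of the original thread: capture with `tcpdump -e -n` while the FTP login runs and test whether any unicast frame between two other hosts reaches the sensor. The MAC and IP addresses, the sample lines and the function names are constructed for illustration, and the line layout assumed is the one current tcpdump releases print.

```python
import re

# `tcpdump -e -n` frame header, then IPv4 endpoints of the form "a.b.c.d.sport > e.f.g.h.dport:"
FRAME = re.compile(r"^\S+ ([0-9a-f:]{17}) > ([0-9a-f:]{17}), ethertype \S+ [^:]*: (.*)$")
PORTS = re.compile(r"^(?:\d+\.){4}(\d+) > (?:\d+\.){4}(\d+):")
SENSOR = "00:0c:29:aa:bb:03"  # constructed MAC of the snort box
E = ", ethertype IPv4 (0x0800), length 74: "
# Constructed capture on a switch port with no mirroring: a broadcast and the sensor's own SSH.
SWITCHED = [
    "15:43:55.9 00:0c:29:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: "
    "Request who-has 192.168.1.10 tell 192.168.1.20, length 46",
    "15:43:56.0 00:0c:29:aa:bb:09 > 00:0c:29:aa:bb:03" + E
    + "192.168.1.5.40112 > 192.168.1.30.22: Flags [P.], length 36",
]
# Constructed capture on a hub or mirror port: the attacker-to-victim FTP frames also arrive.
MIRRORED = SWITCHED + [
    "15:43:56.1 00:0c:29:aa:bb:02 > 00:0c:29:aa:bb:01" + E
    + "192.168.1.20.1045 > 192.168.1.10.21: Flags [S], length 0",
    "15:43:56.2 00:0c:29:aa:bb:01 > 00:0c:29:aa:bb:02" + E
    + "192.168.1.10.21 > 192.168.1.20.1045: Flags [S.], length 0",
]

def is_group(mac):
    # Broadcast/multicast MACs have the low bit of the first octet set. A switch
    # floods these to every port, so seeing them says nothing about mirroring.
    return int(mac[:2], 16) & 1 == 1

def classify(lines, sensor_mac, port=21):
    # Count frames by what they reveal about the sensor's view of the segment.
    counts = {"own": 0, "flooded": 0, "foreign": 0, "foreign_port": 0}
    for line in lines:
        m = FRAME.match(line.strip().lower())
        if not m:
            continue
        src, dst, rest = m.groups()
        if is_group(dst):
            counts["flooded"] += 1
        elif sensor_mac.lower() in (src, dst):
            counts["own"] += 1
        else:  # unicast between two other hosts: only visible on a hub or mirror port
            counts["foreign"] += 1
            p = PORTS.match(rest)
            if p and str(port) in p.groups():
                counts["foreign_port"] += 1
    return counts

def verdict(counts):
    # "blind": only own and flooded frames arrived, so nothing is mirrored to this port.
    if not counts["foreign"]:
        return "blind"
    return "sees-port" if counts["foreign_port"] else "sees-other"
```

A "blind" result while the FTP session is running is consistent with the reply above: the packets the rule would match never reach the snort box.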


