Snort mailing list archives

Re: Cant see alert for rule


From: SN ORT <snort_on_acid () yahoo com>
Date: Thu, 3 Jun 2004 07:56:01 -0700 (PDT)

What about applying an interface to the snort command
line you used, such as: 

snort -d -e -v -c /etc/snort/snort.conf -i eth1 ...etc

Please submit any messages to any newsgroup in TEXT
FORMAT only!

Cheese!

Marc


--__--__--

Message: 1
From: "Tom Fulton" <tfulton9909 () comcast net>
To: <Snort-users () lists sourceforge net>
Date: Wed, 2 Jun 2004 12:36:30 -0700
Subject: [Snort-users] Cant see alert for rule

1)
Snort 2.0.6 on linux


2)
Three pcs:
  1                   2                       3
w2kPC victim          linux attacker          linux snort box


3)
I run:
snort -d -e -v -c /etc/snort/snort.conf     (no errors)


4)
Rule in ftp.rules is:
Alert tcp any any -> any 21 (content: "USER administrator"; msg: "FTP administrator login attempt";)


5)
When I run: ftp <IPVictim>  from linux attacker, I
don't get any rules fired on my snort box.


6)
I have a Gigabit Linksys 5-port workgroup switch
between them all


Why am I not able to see the alert?

Thanks!
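
Added example, not part of the original thread: a simplified Python model of the header and content checks in the rule quoted above, run against constructed FTP payloads, to tell "the rule cannot match this packet" apart from "the sensor never saw the packet". The function names and sample payloads are assumptions made for illustration; Snort's content match is case-sensitive unless nocase is given.

```python
import re

# Rule from the thread on one line (action keyword lowercased).
RULE = ('alert tcp any any -> any 21 (content: "USER administrator"; '
        'msg: "FTP administrator login attempt";)')
# Same rule with the nocase modifier placed right after content.
NOCASE_RULE = RULE.replace('administrator";', 'administrator"; nocase;', 1)

def parse_rule(rule):
    """Split a simple Snort 2.x rule into the fields this model needs."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = {}
    # Options look like  key: "value";  or a bare  key;
    for key, val in re.findall(r'(\w+)\s*(?::\s*"([^"]*)")?\s*;', body):
        opts[key] = val
    return {"proto": proto, "dport": dport, "opts": opts}

def would_alert(rule, proto, dport, payload):
    """Model only protocol, destination port and the content match."""
    r = parse_rule(rule)
    if r["proto"] != proto or r["dport"] not in ("any", str(dport)):
        return False
    needle = r["opts"]["content"].encode()
    if "nocase" in r["opts"]:
        return needle.lower() in payload.lower()
    return needle in payload  # default: exact, case-sensitive bytes

# Constructed FTP control-channel payloads: (destination port, data).
SAMPLES = [
    (21, b"USER administrator\r\n"),    # exact case
    (21, b"USER Administrator\r\n"),    # capitalised username
    (21, b"USER anonymous\r\n"),        # different account
    (2121, b"USER administrator\r\n"),  # FTP on a non-standard port
]

def evaluate(rule):
    """Return one True/False per sample: would this rule alert?"""
    return [would_alert(rule, "tcp", port, data) for port, data in SAMPLES]

if __name__ == "__main__":
    for label, rule in (("as posted", RULE), ("with nocase", NOCASE_RULE)):
        print(label, evaluate(rule))
```

If the payload typed at the ftp prompt matches in this model and Snort still stays silent, the next thing to check is whether the sensor's interface receives the port 21 traffic at all.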




        
                

