Snort mailing list archives
RE: Snort and TCP Traffic
From: "Harper, Patrick" <patrick.harper () phns com>
Date: Thu, 22 Jul 2004 17:56:01 -0500
Are you just seeing arp and broadcast? If so you are most likely on just a standard switch port Patrick S. Harper | CISSP RHCT MCSE Information Security Engineer patrick.harper () phns com -----Original Message----- From: Keith W. McCammon [mailto:mccammon () gmail com] Sent: Thursday, July 22, 2004 1:24 PM To: snort-users () lists sourceforge net Subject: Re: [Snort-users] Snort and TCP Traffic Not picking it up and not having it show up someplace else (a reporting tool) may be two entirely different issues. Unless you've used BPF or the like to dismiss TCP traffic, it's highly unlikely that Snort is 1) running and analyzing traffic AND 2) simply ignoring the TCP stuff. Are you using any type of BPF filters? Are you seeing events generated by IP, ICMP, UDP, etc.? Perhaps you should try starting Snort from the command line, with minimal options, binary logging, etc. and see what it picks up. The suggestion that it could be picking up everything *but* TCP (unless configured to do so) is hard to swallow. Unless configured otherwise, the capture function is pretty much all or nothing--not "some." On Thu, 22 Jul 2004 14:53:09 +0100, David Keogh <david.keogh () capetechnologies com> wrote:
Can anyone give me some advice on snort not picking up any TCP
traffic?
i'm pretty sure i have everything configured properly, like preprocessors enabled i just can't seem to see any TCP traffic when viewed through ACID (Using snort, snortcentre, acid... on sentinix) Regards David ------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Disclaimer: This electronic message, including any attachments, is confidential and intended solely for use of the intended recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have received this message in error, please delete it and notify the sender immediately. ------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_idG21&alloc_id040&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort and TCP Traffic David Keogh (Jul 22)
- Re: Snort and TCP Traffic Keith W. McCammon (Jul 22)
- <Possible follow-ups>
- RE: Snort and TCP Traffic Harper, Patrick (Jul 22)