Snort mailing list archives

RE: Snort and TCP Traffic


From: "Harper, Patrick" <patrick.harper () phns com>
Date: Thu, 22 Jul 2004 17:56:01 -0500

Are you just seeing ARP and broadcast? If so, you are most likely on just
a standard switch port.


Patrick S. Harper | CISSP RHCT MCSE
Information Security Engineer
patrick.harper () phns com 


-----Original Message-----
From: Keith W. McCammon [mailto:mccammon () gmail com] 
Sent: Thursday, July 22, 2004 1:24 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and TCP Traffic

Not picking it up and not having it show up someplace else (a reporting
tool) may be two entirely different issues.  Unless you've used BPF or
the like to dismiss TCP traffic, it's highly unlikely that Snort is 1)
running and analyzing traffic AND 2) simply ignoring the TCP stuff.

Are you using any type of BPF filters?

Are you seeing events generated by IP, ICMP, UDP, etc.?

Perhaps you should try starting Snort from the command line, with
minimal options, binary logging, etc. and see what it picks up.  The
suggestion that it could be picking up everything *but* TCP  (unless
configured to do so) is hard to swallow.  Unless configured otherwise,
the capture function is pretty much all or nothing--not "some."

On Thu, 22 Jul 2004 14:53:09 +0100, David Keogh
<david.keogh () capetechnologies com> wrote:
Can anyone give me some advice on snort not picking up any TCP
traffic?
I'm pretty sure I have everything configured properly, like
preprocessors enabled; I just can't seem to see any TCP traffic when
viewed through ACID (using snort, snortcentre, acid... on sentinix).
Regards, David

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java 
Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


