Snort mailing list archives

Re: Need help with base


From: Kum Weng Luey <kumwengluey () gmail com>
Date: Sat, 27 Mar 2010 09:53:37 +0800

Hi Nick,

Thanks for the heads up. Yes, I am just connected to a switch port which is
not span'ed. I do see traffic from other workstations and managed to log ICMP
transactions that are not of my workstation. I would try spanning the
traffic from the port leading to my firewall and see what traffic I would be
getting.

Thank you so much for the help.

KW

On Fri, Mar 26, 2010 at 6:52 PM, Nick Moore <nmoore () sourcefire com> wrote:

KW,

What is your source of traffic? Are you plugged into a switch? If a switch
port is not SPAN'ed, you will not see interesting traffic.

You can double check your traffic source by running snort in sniffer mode
to output to your console. If you do not see workstations other than your
own using TCP/UDP connections at ports 25, 53, 80, 110, 135, 138, 139, 443,
445... you may be connected to a switch port and will only see ARP and other
broadcast traffic.

For Snort or any IDS to work well, you need a traffic source in a shared
network medium, such as a hub, a SPAN from a switch, or a network tap between two
network devices, e.g. a switch and a firewall.

Hope this helps.

Sent from my mobile device.

Nick Moore
Phone 708-336-9041
Email nmoore () Sourcefire com



On Mar 25, 2010, at 22:40, Kum Weng Luey <kumwengluey () gmail com> wrote:

Hi all,

I am new to snort and currently running snort with barnyard and base. I
ran into something weird. BASE does not show TCP or UDP protocols; only ICMP
is displayed. I have also gone into the mysql database and noticed that
tcphdr and udphdr are not logged. Is there any reason why?

Would appreciate any help.
KW

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
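As an added illustration of the check Nick describes (this is not code from the thread or from the Snort project), the script below parses a classic libpcap file and reports whether it contains TCP/UDP traffic between hosts other than the sensor on the common ports he lists, or only ARP/broadcast plus the sensor's own connections. It uses only the Python standard library and builds a small constructed capture inline so it runs offline; the sensor address 10.0.0.2, the other hosts and all MAC addresses are assumed sample values. On a real sensor you would point `summarize_capture` at a file saved with `tcpdump -w` from the same interface Snort listens on.

```python
"""Does a capture show other hosts' TCP/UDP traffic, or only ARP/broadcast?
Added example for the Snort-users thread above; all addresses are constructed."""
import struct
from collections import Counter

# Ports named in the thread: other workstations seen on these suggest a SPAN/tap/hub.
INTERESTING_PORTS = {25, 53, 80, 110, 135, 138, 139, 443, 445}
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
BROADCAST_MAC = b'\xff' * 6


def _mac(s):
    return bytes.fromhex(s.replace(':', ''))


def _ip(s):
    return bytes(int(o) for o in s.split('.'))


def _ip_str(b):
    return '.'.join(str(x) for x in b)


def eth_frame(dst, src, ethertype, payload):
    return _mac(dst) + _mac(src) + struct.pack('!H', ethertype) + payload


def ipv4_packet(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header; checksum left zero because we never validate it.
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def tcp_segment(sport, dport):
    return struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def udp_datagram(sport, dport, data=b''):
    return struct.pack('!HHHH', sport, dport, 8 + len(data), 0) + data


def build_pcap(frames):
    # Classic libpcap file: little-endian magic, version 2.4, linktype 1 (Ethernet).
    out = [struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack('<IIII', ts, 0, len(frame), len(frame)) + frame)
    return b''.join(out)


def iter_frames(pcap):
    magic, = struct.unpack('<I', pcap[:4])
    if magic != 0xa1b2c3d4:
        raise ValueError('not a little-endian classic pcap')
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack('<IIII', pcap[off:off + 16])
        off += 16
        yield pcap[off:off + caplen]
        off += caplen


def summarize_capture(pcap, my_ip):
    """Count ARP, broadcast, ICMP, the sensor's own TCP/UDP, and other hosts' TCP/UDP
    on the interesting ports, keyed by (src, dst, port)."""
    me = _ip(my_ip)
    s = {'arp': 0, 'broadcast': 0, 'icmp': 0, 'own_tcp_udp': 0, 'other_hosts': Counter()}
    for f in iter_frames(pcap):
        if len(f) < 14:
            continue
        if f[:6] == BROADCAST_MAC:
            s['broadcast'] += 1
        ethertype, = struct.unpack('!H', f[12:14])
        if ethertype == ETH_ARP:
            s['arp'] += 1
            continue
        if ethertype != ETH_IPV4 or len(f) < 34:
            continue
        ihl = (f[14] & 0x0f) * 4
        proto, src, dst = f[23], f[26:30], f[30:34]
        l4 = f[14 + ihl:]
        if proto == PROTO_ICMP:
            s['icmp'] += 1
        elif proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
            sport, dport = struct.unpack('!HH', l4[:4])
            if me in (src, dst):
                s['own_tcp_udp'] += 1
                continue
            port = dport if dport in INTERESTING_PORTS else sport if sport in INTERESTING_PORTS else None
            if port is not None:
                s['other_hosts'][(_ip_str(src), _ip_str(dst), port)] += 1
    return s


def looks_spanned(summary):
    # Nick's heuristic: no other workstations' TCP/UDP => probably a plain switch port.
    return sum(summary['other_hosts'].values()) > 0


def sample_capture(spanned=True):
    # Constructed frames: ARP broadcast, ICMP from another host, TCP/UDP between other
    # hosts and the gateway, and one of the sensor's own HTTPS connections.
    other_a, other_b, me, gw = '10.0.0.5', '10.0.0.7', '10.0.0.2', '10.0.0.1'
    arp = eth_frame('ff:ff:ff:ff:ff:ff', '00:11:22:33:44:55', ETH_ARP, b'\x00' * 28)
    own = eth_frame('00:aa:bb:cc:dd:01', '00:aa:bb:cc:dd:02', ETH_IPV4,
                    ipv4_packet(me, gw, PROTO_TCP, tcp_segment(49153, 443)))
    if not spanned:
        return build_pcap([arp, own])  # what a non-SPAN'ed port typically yields
    others = [
        eth_frame('00:aa:bb:cc:dd:02', '00:11:22:33:44:55', ETH_IPV4,
                  ipv4_packet(other_a, me, PROTO_ICMP, struct.pack('!BBHHH', 8, 0, 0, 1, 1))),
        eth_frame('00:aa:bb:cc:dd:01', '00:11:22:33:44:55', ETH_IPV4,
                  ipv4_packet(other_a, gw, PROTO_TCP, tcp_segment(49152, 80))),
        eth_frame('00:aa:bb:cc:dd:01', '00:11:22:33:44:66', ETH_IPV4,
                  ipv4_packet(other_b, gw, PROTO_UDP, udp_datagram(53000, 53))),
    ]
    return build_pcap([arp] + others + [own])


if __name__ == '__main__':
    for spanned in (True, False):
        summary = summarize_capture(sample_capture(spanned), '10.0.0.2')
        print('spanned=%s -> looks_spanned=%s %s' % (spanned, looks_spanned(summary), summary))
```

The distinction the script draws is the one Nick is pointing at: ICMP echoes addressed to the sensor and ARP broadcasts reach every port on a switch, so seeing them proves nothing, whereas unicast TCP/UDP between two other hosts can only arrive through a hub, SPAN or tap.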