Snort mailing list archives
Re: Snort Sensors do not appear to be detecting what they should
From: Y M <snort () outlook com>
Date: Wed, 11 Mar 2015 20:25:47 +0000
From: michael.jacobi1 () navy mil
To: snort-users () lists sourceforge net
Date: Wed, 11 Mar 2015 18:42:41 +0000
Subject: [Snort-users] Snort Sensors do not appear to be detecting what they should

I have been recently asked to start working with the Snort installation at my site (Snort 2.9.6.2, Barnyard, BASE). Based on what alerts I am seeing, I feel that the system is not detecting what it should be finding. For example, the sensor that is facing my ISP has less than 20 detects in the last few days,
# Taking a very wild guess here, this may have to do with which rules and preprocessors are enabled/disabled, and preprocessor configurations. Which current rules policy are you using?
and I am seeing events on sensors that I know should be passing by other sensors, but I do not see a correlation in the detects between the sensors.
# Are all the sensors configured the same? If yes, then I would attempt sampling the traffic at each sensor by capturing packets and compare the traffic, as there may be ACLs at each hop, TTLs, etc.
I have had prior IDS experience, but I just started attempting to work with Snort. I would appreciate what help you can give me to work toward making this system more functional. Pointers to FAQs and other online resources are always helpful.

Thanks!
Mike Jacobi

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
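As an added example (not part of the thread), a small Python script that parses Snort alert_fast lines collected from two sensors and lists the detections that only one sensor reported, which is one way to check the cross-sensor correlation the original poster was missing. The sensor names, SIDs (local-rule range) and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Snort alert_fast format, one alert per line:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
# (the Classification field is absent when the rule has no classtype, so it is optional here)
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample logs: two sensors, the ISP-facing one saw a second alert the DMZ sensor did not.
SENSOR_LOGS = {
    "isp-edge": [
        "03/11-18:40:01.000001  [**] [1:1000001:1] LOCAL constructed probe [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44120 -> 192.0.2.10:80",
        "03/11-18:40:05.000002  [**] [1:1000002:1] LOCAL constructed scan [**] "
        "[Priority: 3] {TCP} 198.51.100.7:44121 -> 192.0.2.10:22",
    ],
    "dmz": [
        "03/11-18:40:01.000301  [**] [1:1000001:1] LOCAL constructed probe [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44120 -> 192.0.2.10:80",
    ],
}

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert_fast record."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "proto": d["proto"], "src": d["src"], "dst": d["dst"]}

def correlate(sensor_logs):
    """Map each (gid, sid, src, dst) tuple to the set of sensors that alerted on it."""
    seen = defaultdict(set)
    for sensor, lines in sensor_logs.items():
        for line in lines:
            a = parse_alert(line)
            if a is not None:
                seen[(a["gid"], a["sid"], a["src"], a["dst"])].add(sensor)
    return seen

def one_sided(sensor_logs):
    """Alerts not reported by every sensor, keyed by alert tuple with the sensors that did see them."""
    all_sensors = set(sensor_logs)
    return {k: s for k, s in correlate(sensor_logs).items() if s != all_sensors}

if __name__ == "__main__":
    for key, sensors in one_sided(SENSOR_LOGS).items():
        print("only on %s: gid=%d sid=%d %s -> %s" % (",".join(sorted(sensors)), *key))
```

Alerts that appear on the ISP-facing sensor but on none of the inner sensors (or vice versa) are the ones to check against per-hop ACLs and rule policies, as suggested above.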
Current thread:
- Snort Sensors do not appear to be detecting what they should Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 (Mar 11)
- Re: Snort Sensors do not appear to be detecting what they should Y M (Mar 11)