Snort mailing list archives

Re: Problem with Snort IDS


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Sat, 12 Nov 2016 12:30:30 +0000

Hello Marcio,


Sounds like you have a network problem and not a snort related one.

You need a way to divert/span the traffic TO the snort interface

or

Run snort inline so the traffic passes directly through the snort machine.


The device being in promiscuous mode doesn’t help with switched traffic (which doesn’t get copied to your snort interface). It just tells the interface to capture anything it sees.

In your case once the traffic is diverted/spanned it should work properly.


Hope this helps.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Marcio Demetrio Bacci <marciobacci () gmail com>
Date: Friday, November 11, 2016 at 6:59 PM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] Problem with Snort IDS

Hi,

I have installed a Snort server (virtual machine) as IDS on Ubuntu 14-04 LTS.

I noticed that it only monitors the traffic directed to snort itself. When I execute ping or portscan command from a host to another server on the network, it is not registered by snort.

It looks like the interface is not listening in promiscuous mode.

I am starting snort as follows:

/usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D


Does anyone have any idea what the problem is?

Regards,

Márcio
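
Added example (not part of the original thread): a quick check of whether the sensor interface actually receives traffic between other hosts, which is what the reply says promiscuous mode alone does not provide on a switched network. It classifies link-level headers as printed by `tcpdump -e -n -i eth0`; the MAC addresses, IP addresses and capture lines below are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

# Link-level header printed by `tcpdump -e -n`: "<time> <src MAC> > <dst MAC>, ..."
FRAME_RE = re.compile(r"^\S+ ([0-9a-f:]{17}) > ([0-9a-f:]{17}),", re.I)

def classify_frames(lines, sensor_mac):
    """Count captured frames by their relation to the sensor's own MAC."""
    sensor = sensor_mac.lower()
    counts = Counter()
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # not a frame line (e.g. tcpdump banner)
        src, dst = m.group(1).lower(), m.group(2).lower()
        if sensor in (src, dst):
            counts["own"] += 1        # traffic to or from the sensor itself
        elif int(dst[:2], 16) & 1:
            counts["flooded"] += 1    # broadcast/multicast, seen on every port
        else:
            counts["transit"] += 1    # unicast between two other hosts
    return counts

def sees_mirrored_traffic(lines, sensor_mac):
    """True when unicast traffic between other hosts reaches the interface.
    A switch can briefly flood unknown unicast, so judge on a longer capture."""
    return classify_frames(lines, sensor_mac)["transit"] > 0

# Constructed sample: the sensor (02:00:00:00:00:01) on a plain switch port.
SENSOR_MAC = "02:00:00:00:00:01"
UNMIRRORED = [
    "12:00:01.000000 02:00:00:00:00:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.20 tell 192.0.2.10, length 46",
    "12:00:02.000000 02:00:00:00:00:0a > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 192.0.2.5: ICMP echo request, id 1, seq 1, length 64",
    "12:00:02.000100 02:00:00:00:00:01 > 02:00:00:00:00:0a, ethertype IPv4 (0x0800), length 98: 192.0.2.5 > 192.0.2.10: ICMP echo reply, id 1, seq 1, length 64",
]
# Constructed sample: the same port after a SPAN/mirror is configured, so a
# ping between two other hosts now shows up.
MIRRORED = UNMIRRORED + [
    "12:00:03.000000 02:00:00:00:00:0a > 02:00:00:00:00:0b, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 192.0.2.20: ICMP echo request, id 2, seq 1, length 64",
]

if __name__ == "__main__":
    for name, capture in (("unmirrored", UNMIRRORED), ("mirrored", MIRRORED)):
        print(name, dict(classify_frames(capture, SENSOR_MAC)),
              "transit seen:", sees_mirrored_traffic(capture, SENSOR_MAC))
```

If the transit count stays at zero while other hosts are pinging each other, the sensor is not receiving a copy of that traffic and Snort has nothing to inspect.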