
Re: [Snort-users] Snort only alert about traffic with an specific IP

From: Jason Brvenik <jasonb_at_nospam>
Date: Thu May 29 2008 - 13:58:40 GMT
To: Berta Alcala <berta83@gmail.com>


Are you monitoring a span or mirror port?

Berta Alcala wrote:
> Hi,
>
> I tried with this rule (only this rule, the rest were commented in
> snort.conf):
>
> alert tcp any any -> any any (msg:"TCP traffic";sid:1000011; rev:1;)
>
> The only alerts registered are those which have my IP (source or
> destination). Using Ethereal I only see traffic with my IP as source or
> destination, or broadcast traffic. I can not see a ping command between
> two other PCs with Ethereal, nor with Snort (I attach a pcap file).
>
> I have this information in snort.conf:
>
> var HOME_NET 172.18.64.0/19
> var EXTERNAL_NET any
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
>
> Snort is installed as a Windows service with this command line:
> snort /SERVICE /INSTALL -dev -c c:\Snort\etc\snort.conf -l c:\Snort\log -i2
>
> I use Windows XP + Snort 2.7 + BASE
>
> Jason, how can I disable checksum?
>
> 2008/5/27 Paul Schmehl <pschmehl_lists@tx.rr.com>:
>
> Thousands of security professionals worldwide are using snort
> successfully. So, you can start with the safe assumption that the
> problem isn't snort.
>
> Whether or not snort alerts on traffic is entirely dependent upon
> two things:
> 1) Traffic is passing the interface that snort is listening on
> 2) You have snort properly configured to see that traffic.
>
> If you've convinced yourself, using Ethereal, that traffic *is*
> being seen on that interface, then that narrows the problem down to
> your configuration of snort.
>
> What have you defined $HOME_NET as?
> What have you defined $EXTERNAL_NET as?
> What rules have you enabled in snort.conf?
> What are your startup options for snort (what interface, where do you
> log, etc.)?
>
> To quickly see if snort is working at all, write a rule that looks
> for everything:
>
> alert ip any any -> any any (msg:"Testing for detection capability";
> sid:1000001; rev:1;)
>
> Don't even bother editing sid-msg.map. All you care about is seeing
> that alerts are being generated. Depending upon your traffic, this
> could generate a ton of alerts in short order, so be prepared to
> shut down snort before you get overwhelmed.
>
> What are you using to view the alerts?
>
> --
> Paul Schmehl
> As if it wasn't already obvious,
> my opinions are my own and not
> those of my employer.
>
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
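
Jason's question above points at the usual root cause: on a switched network a plain access port delivers only the sensor's own unicast frames plus broadcasts, which is exactly what Berta reports seeing in Ethereal, and no snort.conf setting can change that. The script below is an added example, not code from the thread or from the Snort project: it parses a classic pcap with the standard library only and reports whether any unicast IPv4 packet has neither endpoint equal to the sensor's own address. The sensor IP (172.18.64.10, chosen inside Berta's 172.18.64.0/19), the MAC addresses and the two embedded captures are constructed for illustration, not taken from the attached pcap.

```python
"""Does a capture contain third-party traffic? (added example, not from the thread)

A sensor on an ordinary switch port sees only its own unicast traffic plus
broadcasts. If the "third_party" counter stays at zero, the fix is a SPAN/mirror
port or a tap on the switch, not a change to snort.conf.
"""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, written little-endian
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
DLT_EN10MB = 1
BCAST_MAC = b"\xff" * 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (0 when a valid checksum is included)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload=b""):
    """Build an Ethernet II frame carrying a minimal IPv4 packet (constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return struct.pack("!6s6sH", dst_mac, src_mac, ETH_IPV4) + hdr + payload


def build_pcap(frames):
    """Serialise frames into a classic pcap (global header + one record per frame)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1212000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_frames(pcap: bytes):
    """Yield the link-layer bytes of every record; handles both byte orders."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        pos += 16
        yield pcap[pos:pos + incl_len]
        pos += incl_len


def classify_frame(frame: bytes, local_ip: str) -> str:
    """Return 'broadcast', 'non_ip', 'local' or 'third_party' for one frame."""
    if len(frame) < 14:
        return "non_ip"
    dst_mac, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if dst_mac[0] & 1:                      # broadcast/multicast destination MAC
        return "broadcast"
    if ethertype != ETH_IPV4 or len(frame) < 34:
        return "non_ip"
    src_ip = socket.inet_ntoa(frame[26:30])  # IPv4 src/dst sit at fixed offsets 12/16
    dst_ip = socket.inet_ntoa(frame[30:34])
    return "local" if local_ip in (src_ip, dst_ip) else "third_party"


def capture_summary(pcap: bytes, local_ip: str) -> Counter:
    return Counter(classify_frame(f, local_ip) for f in iter_frames(pcap))


def sees_third_party(pcap: bytes, local_ip: str) -> bool:
    """True if at least one unicast IPv4 packet flowed between two *other* hosts."""
    return capture_summary(pcap, local_ip)["third_party"] > 0


def summarise_file(path: str, local_ip: str) -> Counter:
    with open(path, "rb") as fh:
        return capture_summary(fh.read(), local_ip)


# --- constructed sample captures (hypothetical hosts inside 172.18.64.0/19) ---
SENSOR_IP = "172.18.64.10"
SENSOR_MAC = bytes.fromhex("000c29aabb01")
GW_MAC = bytes.fromhex("00000c07ac01")
A_MAC = bytes.fromhex("000c29aabb02")
B_MAC = bytes.fromhex("000c29aabb03")
ICMP_ECHO = b"\x08\x00\x00\x00\x00\x01\x00\x01"

SWITCHED_PORT_PCAP = build_pcap([          # what a plain access port delivers
    ipv4_frame(SENSOR_MAC, GW_MAC, SENSOR_IP, "10.0.0.5", 6),
    ipv4_frame(GW_MAC, SENSOR_MAC, "10.0.0.5", SENSOR_IP, 6),
    struct.pack("!6s6sH", BCAST_MAC, A_MAC, ETH_ARP) + b"\x00" * 28,   # ARP who-has
])
SPAN_PORT_PCAP = build_pcap([              # what a SPAN/mirror port adds: a ping between two other PCs
    ipv4_frame(SENSOR_MAC, GW_MAC, SENSOR_IP, "10.0.0.5", 6),
    ipv4_frame(A_MAC, B_MAC, "172.18.64.20", "172.18.64.30", 1, ICMP_ECHO),
    ipv4_frame(B_MAC, A_MAC, "172.18.64.30", "172.18.64.20", 1, ICMP_ECHO),
])

if __name__ == "__main__":
    for name, pcap in (("switched port", SWITCHED_PORT_PCAP), ("span/mirror port", SPAN_PORT_PCAP)):
        print(name, dict(capture_summary(pcap, SENSOR_IP)),
              "third-party traffic:", sees_third_party(pcap, SENSOR_IP))
```

To run it against the real capture, call summarise_file("capture.pcap", "<sensor IP>") with the sensor's own address. A result that lists only "local" and "broadcast" reproduces Berta's symptom and means the interface is not receiving other hosts' frames; the Snort rule cannot fire on packets the NIC never sees, so the next step is the switch configuration (SPAN/mirror port or a tap), not snort.conf.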
