[Snort-users] Snort not detecting stuff it should be..

Bill Pennington billp at ...60...
Sat Jul 29 01:35:13 EDT 2000


If your home net is set to 192.168.1.0/24 snort only looks at packets
with the destination set to 192.168.1.0/24. Your PPP address will have
some other IP address so snort will ignore packets destined for it. I am
pretty sure there is a script on the snort website that will handle this
for you.

Vitaly McLain wrote:
> 
> Hi all,
> 
> I really did not want to post to this list because I was afraid I'd be
> wasting your time too much, but I just can't seem to solve this. Probably
> something stupid (or I'm stupid. Heh.)
> 
> Anyway, on my 'router' I run Linux Slackware 7.0 (kernel 2.2.13, yes I'm
> aware of the holes). I also run snort (1.6.3 currently). The router is
> connected to the Net via dialup over a PPP connection. Except the router,
> there is one more box on my network. This means the 'router' has 3
> interfaces: ppp0 (PPP connection to the Net), eth0 (NIC leading to my
> network) and lo (standard loopback). I want snort to do what it's supposed
> to, but it just won't! Here is what I mean: no matter how I run it, or with
> which ruleset it won't detect anything. Well, that's not 100% true. It only
> detects stuff bound for 192.168.1.2 (the other box) and nothing directed
> towards my IP on the Net (which changes every time I dialup) or 192.168.1.1.
> I can portscan myself, portscan my Internet IP, portscan off other
> boxes...nothing. Other alerts won't trigger as well. BUT if I use my router
> to scan the other box on my network, snort DOES go off and shows alerts for
> 192.168.1.2.
> 
> So, what's up!? I've tried running it on lo, ppp0 and eth0 (all at the same
> time, in fact!) and STILL nothing! All I get is warnings about ICMP Unreaches
> going to 192.168.1.2. Hmm.
> 
> Here is the more or less relevant part of my snort ruleset, which was
> generated TODAY by the snort website (I have used a multitude of other
> rulesets before, all had the same problem):
> 
> bizkit:/usr/local/bin# head -10 snort728
> # snort rules for 1.6.3
> 
> preprocessor minfrag: 128
> preprocessor portscan: 192.168.1.0/24 4 5 /var/log/snort/snort_portscan.log
> preprocessor portscan-ignorehosts: 207.69.188.185 207.69.188.186
> 207.69.188.187
> var HOME_NET 192.168.1.0/24
> 
> # the rules...
> 
> bizkit:/usr/local/bin#
> 
> Anyone see what I'm doing wrong? My network is all 192.168.1.x and the
> ignore-hosts are my ISP's DNS servers.
> 
> I'm puzzled on this. I've tried different approaches to running snort. I
> usually do something like:
> snort -c snort728 -D -s
> or
> snort -c snort728 -i ppp0 -D -s
> or something of the sort. Oh, and if I run snort on ppp0, run a portscan
> against it and ^C out, I see that snort picked up the portscan (insane
> amount of TCP packets) but no alert.
> 
> Yeah, I'm doing something stupid right? :(
> 
> Sorry for the long message and THANKS IN ADVANCE for your help!
> 
> Vitaly McLain
> twistah at ...93...
> twistah on irc.openprojects.net
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 


Bill Pennington
Senior IT Manager
Rocketcash
billp at ...60...
http://www.rocketcash.com
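The blind spot Bill describes, as an added illustration (not Snort's own code and not from either poster): a toy matcher that reads the `var HOME_NET` line from a ruleset and decides whether a rule written `-> $HOME_NET any` would see a packet addressed to each local interface. With the poster's `var HOME_NET 192.168.1.0/24`, the dial-up address on ppp0 is simply outside the set, so nothing aimed at it is ever matched. The fix shown rewrites HOME_NET as a bracketed list that also names the current PPP address; that list syntax and the sample PPP address are assumptions for the example, not something the thread states.

```python
"""Toy model of Snort's HOME_NET check. Added example, not Snort's code:
it handles only the 'var HOME_NET' line and the destination part of a
rule header, which is enough to show why the PPP address is unmonitored."""
import ipaddress


def parse_home_net(ruleset):
    """Return the networks named by 'var HOME_NET ...'.
    Accepts a single CIDR, a bracketed comma-separated list, or 'any'."""
    for line in ruleset.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var" and parts[1] == "HOME_NET":
            value = parts[2]
            if value == "any":
                return [ipaddress.ip_network("0.0.0.0/0")]
            return [ipaddress.ip_network(v, strict=False)
                    for v in value.strip("[]").split(",")]
    raise ValueError("no HOME_NET definition found")


def rule_matches(dst_ip, home_nets):
    """A rule ending in '-> $HOME_NET any' fires only when the packet's
    destination lies inside one of the HOME_NET networks."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in home_nets)


def blind_spots(ruleset, local_addrs):
    """Local interface addresses that no $HOME_NET rule would ever cover."""
    nets = parse_home_net(ruleset)
    return [a for a in local_addrs if not rule_matches(a, nets)]


def fixed_ruleset(ppp_addr):
    """Rewrite HOME_NET as a list that also names the current PPP address.
    Assumed syntax: a start-up script would regenerate this line after
    each dial-up, since the address changes every connection."""
    return "var HOME_NET [192.168.1.0/24,%s/32]\n" % ppp_addr


# Constructed inputs: the poster's HOME_NET line, the two LAN hosts from the
# thread, and a made-up dial-up address standing in for the ppp0 side.
ORIGINAL = "var HOME_NET 192.168.1.0/24\n"
PPP_ADDR = "198.51.100.23"
LOCAL = ["192.168.1.1", "192.168.1.2", PPP_ADDR]

if __name__ == "__main__":
    print("unmonitored with original HOME_NET:", blind_spots(ORIGINAL, LOCAL))
    print("unmonitored after the fix:", blind_spots(fixed_ruleset(PPP_ADDR), LOCAL))
```

Run it and the first line names only the PPP address; after the rewrite the list is empty. The same check is worth keeping in a monitoring start-up script: enumerate the addresses of every interface Snort listens on and compare them against HOME_NET, so an interface that was added or renumbered after the ruleset was written does not silently fall outside the watched range.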



