[Snort-users] Snort not detecting stuff it should be..

Bill Pennington billp at ...60...
Sat Jul 29 01:35:13 EDT 2000

If your home net is set to snort only looks at packets
with the destination set to Your PPP address will have
some other IP address so snort will ignore packets destined for it. I am
pretty sure there is a script on the snort website that will handle this
for you.

Vitaly McLain wrote:
> Hi all,
> I really did not want to post to this list because I was afraid I'd be
> wasting your time too much, but I just can't seem to solve this. Probably
> something stupid (or I'm stupid. Heh.)
> Anyway, on my 'router' I run Linux Slackware 7.0 (kernel 2.2.13, yes I'm
> aware of the holes). I also run snort (1.6.3 currently). The router is
> connected to the Net via dialup over a PPP connection. Apart from the router,
> there is one more box on my network. This means the 'router' has 3
> interfaces: ppp0 (PPP connection to the Net), eth0 (NIC leading to my
> network) and lo (standard loopback). I want snort to do what it's supposed
> to, but it just won't! Here is what I mean: no matter how I run it, or with
> which ruleset it won't detect anything. Well, that's not 100% true. It only
> detects stuff bound for (the other box) and nothing directed
> towards my IP on the Net (which changes every time I dialup) or
> I can portscan myself, portscan my Internet IP, portscan off other
> boxes...nothing. Other alerts won't trigger as well. BUT if I use my router
> to scan the other box on my network, snort DOES go off and shows alerts for
> So, what's up!? I've tried running it on lo, ppp0 and eth0 (all at the same
> time, in fact!) and STILL nothing! All I get is warnings about ICMP Unreaches
> going to Hmm.
> Here is the more or less relevant part of my snort ruleset, which was
> generated TODAY by the snort website (I have used a multitude of other
> rulesets before, all had the same problem):
> bizkit:/usr/local/bin# head -10 snort728
> # snort rules for 1.6.3
> preprocessor minfrag: 128
> preprocessor portscan: 4 5 /var/log/snort/snort_portscan.log
> preprocessor portscan-ignorehosts:
> var HOME_NET
> # the rules...
> bizkit:/usr/local/bin#
> Anyone see what I'm doing wrong? My network is all 192.168.1.x and the
> ignore-hosts are my ISP's DNS servers.
> I'm puzzled on this. I've tried different approaches to running snort. I
> usually do something like:
> snort -c snort728 -D -s
> or
> snort -c snort728 -i ppp0 -D -s
> or something of the sort. Oh, and if I run snort on ppp0, run a portscan
> against it and ^C out, I see that snort picked up the portscan (insane
> amount of TCP packets) but no alert.
> Yeah, I'm doing something stupid right? :(
> Sorry for the long message and THANKS IN ADVANCE for your help!
> Vitaly McLain
> twistah at ...93...
> twistah on irc.openprojects.net
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users


Bill Pennington
Senior IT Manager
billp at ...60...
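The point of the reply above is that HOME_NET only covers the LAN, so Snort never treats traffic to the dialup address as "home" traffic. The following is an added example, not the script Bill refers to and not from the Snort project: a small POSIX sh helper that pulls the current ppp0 address out of ifconfig-style output (a constructed sample is embedded; on a real box you would feed it `ifconfig ppp0`) and emits a HOME_NET line covering both the LAN and the PPP address. The bracketed IP-list syntax is assumed to be supported by the Snort version in use.

```shell
#!/bin/sh
# Added example (not from the thread): build a Snort HOME_NET line that covers
# both the LAN and the current dialup address, so packets to the PPP side are
# not silently ignored. The interface text below is a constructed sample.

LAN_NET="192.168.1.0/24"   # the poster's LAN

# Constructed sample of `ifconfig ppp0` output (203.0.113.0/24 is documentation space).
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.45  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# ppp_addr IFCONFIG_TEXT: print the first "inet addr:" value, or fail if none.
# (Modern `ip -4 addr show ppp0` prints "inet A.B.C.D" instead; adjust the sed
# pattern if you use that instead of ifconfig.)
ppp_addr() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1 | grep .
}

# build_home_net LAN IFCONFIG_TEXT: emit the Snort "var HOME_NET" line.
# Assumption: bracketed IP lists ("[a,b]") are accepted by the Snort in use;
# on a build without list support, "var HOME_NET any" is the safe fallback.
build_home_net() {
    addr=$(ppp_addr "$2") || { echo "no inet address found for ppp0" >&2; return 1; }
    printf 'var HOME_NET [%s,%s/32]\n' "$1" "$addr"
}

# Usage: regenerate this line each time pppd brings the link up (for example
# from /etc/ppp/ip-up), write it into the ruleset, then restart snort -c.
build_home_net "$LAN_NET" "$SAMPLE_IFCONFIG"
```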
