[Snort-users] Snort not detecting stuff it should be..
billp at ...60...
Sat Jul 29 01:35:13 EDT 2000
If your home net is set to 192.168.1.0/24 snort only looks at packets
with the destination set to 192.168.1.0/24. You PPP address will have
some other IP address so snort will ignore packets destined for it. I am
pretty sure there is a script on the snort website that will handle this
Vitaly McLain wrote:
> Hi all,
> I really did not want to post to this list because I was afraid I'd be
> wasting your time too much, but I just can't seem to solve this. Probably
> something stupid (or I'm stupid. Heh.)
> Anyway, on my 'router' I run Linux Slackware 7.0 (kernel 2.2.13, yes I'm
> aware of the holes). I also run snort (1.6.3 currently). The router is
> connected to the Net via dialup over a PPP connection. Except the router,
> there is one more box on my network. This means the 'router' has 3
> interfaces: ppp0 (PPP connection to the Net), eth0 (NIC leading to my
> network) and lo (standard loopback). I want snort to do what it's supposed
> to, but it just won't! Here is what I mean: no matter how I run it, or with
> which ruleset it won't detect anything. Well, that's not 100% true. It only
> detects stuff bound for 192.168.1.2 (the other box) and nothing directed
> towards my IP on the Net (which changes every time I dialup) or 192.168.1.1.
> I can portscan myself, portscan the my Internet IP, portscan off other
> boxes...nothing. Other alerts won't trigger as well. BUT if I use my router
> to scan the other box on my network, snort DOES go off and shows alerts for
> So, what's up!? I've tired running it on lo, ppp0 and eth0 (all at the same
> time, infact!) and STILL nothing! All I get is warnings about ICMP Unreaches
> going to 192.168.1.2. Hmm.
> Here is the more or less relevant part of my snort ruleset, which was
> generated TODAY by the snort website (I have used a multide of other
> rulesets before, all had the same problem):
> bizkit:/usr/local/bin# head -10 snort728
> # snort rules for 1.6.3
> preprocessor minfrag: 128
> preprocessor portscan: 192.168.1.0/24 4 5 /var/log/snort/snort_portscan.log
> preprocessor portscan-ignorehosts: 188.8.131.52 184.108.40.206
> var HOME_NET 192.168.1.0/24
> # the rules...
> Anyone see what I'm doing wrong? My network is all 192.168.1.x and the
> ignore-hosts are my ISP's DNS servers.
> I'm puzzled on this. I've tired different approaches to running snort. I
> usually do something like:
> snort -c snort728 -D -s
> snort -c snort728 -i ppp0 -D -s
> or something of the sort. Oh, and if I run snort on ppp0, run a portscan
> against it and ^C out, I see that snort picked up the portscan (insane
> ammount of TCP packets) but no alert.
> Yeah, I'm doing something stupid right? :(
> Sorry for the long message and THANKS IN ADVANCE for your help!
> Vitaly McLain
> twistah at ...93...
> twistah on irc.openprojects.net
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
Senior IT Manager
billp at ...60...
More information about the Snort-users