[Snort-users] Snort won't log

Dragos Ruiu dr at ...381...
Sat Sep 23 17:24:12 EDT 2000


Depending on how your masquerade/nat box is configured
it should stop the portscans from ever reaching your interior
net and thus no alarms on the interior.  Have you tried to 
look at the data in the "sniffer" mode to verify the packets 
are there?

cheers,
--dr

On Sat, 23 Sep 2000, Kevin Breit wrote:
> Hi,
> 	I installed Snort on my FreeBSD box a while ago, and I have been having
> a hard time getting Snort to log.
> 
> preprocessor portscan: 24.131.191.110/32 3 5 /var/log/snort_portscan.log
> var HOME_NET 24.131.191.110/32
> 
> The IP addresses are correct.  Snort *is not* sitting on the IP masqing box.
> It's on a FBSD box that is being masqed.  I am using the command:
> snort -D -c /usr/local/share/snort/snort.kevin
> to load Snort.  I noticed that when someone port scanned me, snort -v wasn't
> showing any of the portscan packets (I grepped for the person's IP).  However,
> when I port scanned from inside the network, it picked up the port scan.  It
> gave a false positive (it said an IIS exploit, not a port scan), but we'll figure
> that out later.
> 	Any help would be appreciated.  BTW...twistah at ...93... has been
> helping me on this.
> 	If anyone replies, please place me in the Cc: as I am not subscribed to
> this list.
> Thanks
> kevin
> -- 
> gpg key: http://www.crosswinds.net/members/~battery841/kevin_breit.gpg
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net
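
Added example, not part of the original thread: a toy Python model of why a sensor behind a masquerading gateway can see a scan launched from inside the network but not one from outside, and how that depends on the gateway's configuration. All addresses, ports and the `NatGateway` class are constructed; the threshold of 3 is taken from the quoted `portscan` line, and comparing with `>=` while ignoring the 5-second window is a simplifying assumption.

```python
# Added illustration: toy model of a masquerading (NAT) gateway.
# Every address, port and name here is a constructed sample value.
PUBLIC_SCANNER = "198.51.100.7"   # outside host running the scan
SENSOR_IP = "192.168.1.20"        # interior host running Snort
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 139, 443]

class NatGateway:
    def __init__(self, forwards=None):
        # Static port forwards: public port -> (inside ip, inside port).
        self.forwards = dict(forwards or {})
        # Outbound-flow state: (public port, remote ip, remote port) -> inside endpoint.
        self.state = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An interior host opens a flow; the gateway records the mapping."""
        self.state[(src_port, dst_ip, dst_port)] = (src_ip, src_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Interior endpoint an outside packet is delivered to, or None."""
        key = (dst_port, src_ip, src_port)
        return self.state.get(key) or self.forwards.get(dst_port)

def ports_reaching_sensor(gateway, scanner_ip, ports):
    """Scan packets that survive the gateway and arrive at the sensor."""
    seen = []
    for port in ports:
        dest = gateway.inbound(scanner_ip, 40000, port)
        if dest is not None and dest[0] == SENSOR_IP:
            seen.append(port)
    return seen

def would_alert(ports_seen, threshold=3):
    # 3 comes from the quoted "portscan: ... 3 5 ..." line; the >= test and
    # ignoring the 5-second window are simplifying assumptions.
    return len(set(ports_seen)) >= threshold

def demo():
    plain = NatGateway()
    plain.outbound(SENSOR_IP, 51000, "192.0.2.80", 80)  # normal web request
    forwarding = NatGateway(forwards={22: (SENSOR_IP, 22), 80: (SENSOR_IP, 80)})
    return {
        "outside, no forwards": ports_reaching_sensor(plain, PUBLIC_SCANNER, SCAN_PORTS),
        "outside, 2 forwards": ports_reaching_sensor(forwarding, PUBLIC_SCANNER, SCAN_PORTS),
        "inside, same LAN": list(SCAN_PORTS),  # never crosses the gateway
    }

if __name__ == "__main__":
    for case, seen in demo().items():
        print(f"{case}: seen={seen} alert={would_alert(seen)}")
```

In this model an outside scan reaches the sensor only on forwarded ports, so a gateway that forwards fewer ports than the threshold leaves the interior sensor silent even though the scan happened.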


