[Snort-users] Snort won't log
dr at ...381...
Sat Sep 23 17:24:12 EDT 2000
Depending on how your masquerade/nat box is configured
it should stop the portscans from ever reaching your interior
net and thus no alarms on the interior. Have you tried to
look at the data in the "sniffer" mode to verify the packets
On Sat, 23 Sep 2000, Kevin Breit wrote:
> I installed Snort on my FreeBSD box a while ago, and I have been having
> a hard time getting Snort to log.
> preprocessor portscan: 220.127.116.11/32 3 5 /var/log/snort_portscan.log
> var HOME_NET 18.104.22.168/32
> The IP addresses are correct. Snort *is not* sitting on the IP masqing box.
> It's on a FBSD box that is being masqed. I am using the command:
> snort -D -c /usr/local/share/snort/snort.kevin
> to load Snort. I noticed that when someone port scanned me, snort -v wasn't
> showing any of the portscan packets (I grepped for the person's IP). However,
> when I port scanned from inside the network, it picked up the port scan. It
> gave a false positive (it said an IIS exploit, not a port scan), but we'll figure
> that out later.
> Any help would be appreciated. BTW...twistah at ...93... has been
> helping me on this.
> If anyone replies, please place me in the Cc: as I am not subscribed to
> this list.
> gpg key: http://www.crosswinds.net/members/~battery841/kevin_breit.gpg
Dragos Ruiu <dr at ...50...> dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net