[Snort-users] Snort not logging on FreeBSD

Stuart Larson bouche at ...375...
Mon Mar 26 15:03:07 EST 2001


> 1) Are you on a switched network, or a non-broadcasting network?
> 2) Run snort -v.  Are you seeing traffic to and from machines other than
> the one Snort is running on?

Occasionally yes.  Is it my understanding that this is good?  I want to use
snort as an intrusion detection layer for my own system and my internal
network, and I don't really care if I see anybody else.  When I run snort -v
I see all KINDS of traffic, so it's obvious that it's seeing traffic on the
interface (and internal traffic isn't such that it would make that much
traffic, so I know it's running on the external interface).  As far as the
first question, I am connected to a switched network that allows broadcast
(it is primarily a windows9x/2000 populated network, so a lot of people
share files and stuff).

> 3) Is there anything special about the target machine in the scan that
> did register?  Perhaps its physical location with respect to other
> machines you tried?

Its location is the same in that it is external to my machine, other than
that, I think it was on the same subnet as I, but I could be wrong.  The
scan it caught was about "Many small fragments from 10.0.0.2" a TON of times
in the log.  That was the only message it recorded.  So... it caught the one
scan going OUT, but nothing coming in...

> 4) Are you using the latest version of libpcap, which supports
> monitoring multiple interfaces with a single instance of Snort via the
> "-i any" switch?  If not, then you are probably just monitoring your
> first interface.  The other option is to run two instances of Snort -
> one on each interface.

Yes, or I assume so.  The version included in the FreeBSD source (latest
CVSup was a week ago) is 0.5.


Hopefully that gave a little better info about what's going on...

>
> This is a start - hope it helps.
>
> -Joe M.
>
> --
> |   Joe McAlerney     joey at ...155...   |
> | Silicon Defense - Technical Support for Snort |
> |       http://www.silicondefense.com/          |
> +--                                           --+
>
> Stuart Larson wrote:
> >
> > Maybe I live in a quiet corner of the net, but it doesn't seem like Snort is
> > logging anything.  I'm on a FreeBSD system and I'm using version snort-1.7
> > from ports.  I downloaded the vision.conf ruleset and made only minor
> > changes to it (I changed INTERNAL to "var INTERNAL 10.0.0.0/24" and EXTERNAL
> > to "var EXTERNAL !10.0.0.0/24" -- I have two interfaces.  dc0 is external
> > and is given an IP address by DHCP.  dc1 is internal and has a 10.0.0.0/24
> > address space (it's 10.0.0.1).  I call snort with:
> >
> >     /usr/local/bin/snort -Dde -A full -c /usr/local/share/snort/vision.conf
> >
> > The ONLY time I've seen snort log ANYTHING was when I did a nessus scan of
> > another computer on our school network.  That was the one time I've seen
> > logging.  I've done other nessus scans of other computers on the network,
> > and have not seen any logging from those scans.
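The check Joe asks for in point 2 (does the sensor see traffic between machines other than itself, or only its own packets and broadcasts?) can be done mechanically over snort -v output. The script below is an added example, not code from the thread, from Snort, or from Silicon Defense. It takes the 10.0.0.1 / 10.0.0.0/24 dc1 addressing from the post; the dc0 address 198.51.100.7 and its /24, and the sample packet header lines, are constructed for the example. Each packet is sorted into "sensor" (the sensor host is an endpoint, so it is always visible), "broadcast" (flooded to every switch port), or "third_party" (unicast between two other hosts, which a switched port normally does not deliver to you). It also classifies each packet the way a `$EXTERNAL -> $INTERNAL` rule would see it with the INTERNAL/EXTERNAL vars from the post.

```python
import ipaddress
import re
from collections import Counter

# dc1 = 10.0.0.1 on 10.0.0.0/24 comes from the thread.  The dc0 address
# (DHCP-assigned in the post) and its subnet are assumptions for this example.
SENSOR_IPS = {"10.0.0.1", "198.51.100.7"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")     # "var INTERNAL 10.0.0.0/24"
LOCAL_NETS = [INTERNAL_NET, ipaddress.ip_network("198.51.100.0/24")]  # dc1, dc0 (assumed)

# Constructed sample laid out like snort -v packet headers; not a real capture.
SAMPLE_SNORT_V = """\
03/26-15:01:02.100000 10.0.0.2:1035 -> 10.0.0.1:22
TCP TTL:128 TOS:0x0 ID:4021 IpLen:20 DgmLen:48 DF
03/26-15:01:02.200000 192.0.2.44:80 -> 198.51.100.7:3301
TCP TTL:51 TOS:0x0 ID:9 IpLen:20 DgmLen:1500
03/26-15:01:03.000000 198.51.100.20:137 -> 198.51.100.255:137
UDP TTL:128 TOS:0x0 ID:17 IpLen:20 DgmLen:78
03/26-15:01:03.500000 198.51.100.9:2049 -> 198.51.100.31:1023
TCP TTL:64 TOS:0x0 ID:55 IpLen:20 DgmLen:52 DF
03/26-15:01:04.000000 10.0.0.2:1036 -> 192.0.2.44:80
TCP TTL:127 TOS:0x0 ID:4022 IpLen:20 DgmLen:48 DF
"""

# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"; IPv4 only, which is all snort 1.7 does.
HEADER_RE = re.compile(
    r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ "
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?$"
)


def parse_headers(text):
    """Yield (src_ip, dst_ip) for every packet header line; protocol lines are skipped."""
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def visibility_bucket(src, dst, sensor_ips=SENSOR_IPS, local_nets=LOCAL_NETS):
    """Why the sensor's interface received this packet at all.

    'sensor'      : the sensor host is an endpoint (always delivered to it)
    'broadcast'   : broadcast/multicast, flooded out every switch port
    'third_party' : unicast between two other hosts; on a switch you only see
                    these via a mirror port, a hub, or by being their router
    """
    if src in sensor_ips or dst in sensor_ips:
        return "sensor"
    d = ipaddress.ip_address(dst)
    if (d.is_multicast or d == ipaddress.ip_address("255.255.255.255")
            or any(d == net.broadcast_address for net in local_nets)):
        return "broadcast"
    return "third_party"


def rule_direction(src, dst, internal_net=INTERNAL_NET):
    """How a rule written with the post's INTERNAL/EXTERNAL vars would see the packet."""
    s_in = ipaddress.ip_address(src) in internal_net
    d_in = ipaddress.ip_address(dst) in internal_net
    if s_in and d_in:
        return "internal"
    if s_in:
        return "outbound"   # $INTERNAL -> $EXTERNAL
    if d_in:
        return "inbound"    # $EXTERNAL -> $INTERNAL, what most vision.conf rules look for
    return "external"       # neither side is in INTERNAL


def summarize(text):
    """Count packets by visibility bucket and by rule direction."""
    buckets, directions = Counter(), Counter()
    for src, dst in parse_headers(text):
        buckets[visibility_bucket(src, dst)] += 1
        directions[rule_direction(src, dst)] += 1
    return buckets, directions


def sees_third_party_unicast(text):
    """True if the capture holds unicast packets between two hosts other than the sensor."""
    buckets, _ = summarize(text)
    return buckets["third_party"] > 0


if __name__ == "__main__":
    b, d = summarize(SAMPLE_SNORT_V)
    print("by visibility:     ", dict(b))
    print("by rule direction: ", dict(d))
    print("third-party unicast seen:", sees_third_party_unicast(SAMPLE_SNORT_V))
```

Run it as `snort -v -i dc0 | python3 this_script.py` style input (feed the captured text to `summarize`) on each interface in turn. If the "third_party" count stays at zero on dc0 while the host is on a switch, Snort is doing exactly what the port lets it do: rules can only fire on packets addressed to the sensor itself or broadcast to it, which matches seeing only the one outbound fragment alert in the post.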
