[Snort-users] Snort not logging on FreeBSD
bouche at ...375...
Mon Mar 26 15:03:07 EST 2001
> 1) Are you on a switched network, or a non-broadcasting network?
> 2) Run snort -v. Are you seeing traffic to and from machines other than
> the one Snort is running on?
Occasionally, yes. Is my understanding correct that this is good? I want to use
snort as an intrusion detection layer for my own system and my internal
network, and I don't really care if I see anybody else. When I run snort -v
I see all KINDS of traffic, so it's obvious that it's seeing traffic on the
interface (and internal traffic isn't such that it would make that much
traffic, so I know it's running on the external interface). As far as the
first question, I am connected to a switched network that allows broadcast
(it is primarily a windows9x/2000 populated network, so a lot of people
share files and stuff).
> 3) Is there anything special about the target machine in the scan that
> did register? Perhaps its physical location with respect to other
> machines you tried?
Its location is the same in that it is external to my machine; other than
that, I think it was on the same subnet as I, but I could be wrong. The
scan it caught was about "Many small fragments from 10.0.0.2", a TON of times
in the log. That was the only message it recorded. So... it caught the one
scan going OUT, but nothing coming in...
> 4) Are you using the latest version of libpcap, which supports
> monitoring multiple interfaces with a single instance of Snort via the
> "-i any" switch? If not, then you are probably just monitoring your
> first interface. The other option is to run two instances of Snort -
> one on each interface.
Yes, or I assume so. The version included in the FreeBSD source (latest
CVSup was a week ago) is 0.5.
Hopefully that gave a little better info about what's going on...
> This is a start - hope it helps.
> -Joe M.
> | Joe McAlerney joey at ...155... |
> | Silicon Defense - Technical Support for Snort |
> | http://www.silicondefense.com/ |
> +-- --+
> Stuart Larson wrote:
> > Maybe I live in a quiet corner of the net, but it doesn't seem like Snort is
> > logging anything. I'm on a FreeBSD system and I'm using version snort-1.7
> > from ports. I downloaded the vision.conf ruleset and made only minor
> > changes to it (I changed INTERNAL to "var INTERNAL 10.0.0.0/24" and EXTERNAL
> > to "var EXTERNAL !10.0.0.0/24" -- I have two interfaces. dc0 is external
> > and is given an IP address by DHCP. dc1 is internal and has an
> > address space (it's 10.0.0.1). I call snort with:
> > /usr/local/bin/snort -Dde -A full -c
> > The ONLY time I've seen snort log ANYTHING was when I did a nessus scan of
> > another computer on our school network. That was the one time I've seen
> > logging. I've done other nessus scans of other computers on the network,
> > and have not seen any logging from those scans.
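The check behind Joe's question 2 (is Snort seeing traffic between machines other than its own?) can be automated against saved `snort -v` output. The following is an added example, not code from this thread or from Snort; it assumes the Snort 1.x packet header line format ("MM/DD-HH:MM:SS.usec SRC[:PORT] -> DST[:PORT]") and uses constructed sample lines with placeholder addresses (192.0.2.x standing in for the DHCP side).

```python
import re
from ipaddress import ip_address, ip_network

# Header line printed by snort -v for each packet (port suffix absent for ICMP/IGMP).
# Format assumed from Snort 1.x verbose output; payload/hex dump lines do not match.
HEADER_RE = re.compile(
    r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

# Constructed sample of snort -v output (not a real capture).
SAMPLE = """\
03/26-15:03:07.123456 10.0.0.2:1034 -> 10.0.0.1:139
TCP TTL:128 TOS:0x0 ID:4711 IpLen:20 DgmLen:48 DF
03/26-15:03:07.234567 192.0.2.7:138 -> 192.0.2.255:138
UDP TTL:128 TOS:0x0 ID:4712 IpLen:20 DgmLen:229
03/26-15:03:07.345678 192.0.2.9:445 -> 192.0.2.12:1098
TCP TTL:128 TOS:0x0 ID:4713 IpLen:20 DgmLen:40
03/26-15:03:08.000001 192.0.2.20 -> 224.0.0.1
IGMP TTL:1 TOS:0x0 ID:0 IpLen:20 DgmLen:28
"""

def classify_capture(lines, local_ips, local_nets):
    """Tally packets by whether they touch this host, are broadcast/multicast,
    or flow between two other hosts (traffic a switch normally will not deliver)."""
    local = {ip_address(a) for a in local_ips}
    nets = [ip_network(n) for n in local_nets]
    counts = {"own": 0, "broadcast": 0, "third_party": 0}
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a packet header line
        src, dst = ip_address(m.group(1)), ip_address(m.group(2))
        if src in local or dst in local:
            counts["own"] += 1
        elif (dst.is_multicast or dst == ip_address("255.255.255.255")
              or any(dst == n.broadcast_address for n in nets)):
            counts["broadcast"] += 1
        else:
            counts["third_party"] += 1
    return counts

def sees_other_hosts(counts):
    # Only third-party packets prove the sensor sees more than its own segment traffic.
    return counts["third_party"] > 0

if __name__ == "__main__":
    c = classify_capture(SAMPLE.splitlines(), ["10.0.0.1", "192.0.2.5"],
                         ["10.0.0.0/24", "192.0.2.0/24"])
    print(c, "sees other hosts:", sees_other_hosts(c))
```

On a switched segment with no SPAN/mirror port, a result with only "own" and "broadcast" packets is the expected outcome, and explains why scans against other hosts never reach the rules.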