[Snort-users] Snort deadly quiet in the firewall.

Matt Kettler mkettler at ...4108...
Mon Aug 12 10:49:03 EDT 2002


I see two possible problems offhand:

1) Are you sure the attack packets are even reaching the machine with 
dynamic IP? Some ISPs have firewalls upstream of their users so the 
packets never reach the network. They may also do things like re-assembling 
all fragmented packets at their network boundaries, prior to transporting 
them to your network. This saves them network wire bandwidth, at the 
cost of extra router CPU usage (few ISPs are likely to do this, but I'd 
not be surprised if some do).

2) Are you sure that snort.conf's HOME_NET is being updated to match the 
changes to the dynamic IP? (changing the one on the command line is not the 
same thing).

At 12:56 AM 8/13/2002 +0800, SW wrote:
>Hello,
>
>I install snort in a network with static public IP connected to the 
>internet, it logged all scanned and frag packet.
>But when snort installed in another network on a dynamic public IP 
>address, it goes silent, but sometimes do log some packet. It failed to 
>log Frag attack, and all sort of scans. The logged packet are those like 
>WEB-CGI, etc..
>I launched the same attack on both network, but the snort with static IP 
>does log the packet, while the snort with dynamic IP doesn't log the packet.
>
>Does anyone know how to track down the problem? I am using OpenBSD 3.1 
>Current.
>
>Thanks
>Sam
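
An added example, not part of either message above: one way to run the check in point 2, comparing the HOME_NET line in snort.conf with the address the interface currently holds. Rules that name $HOME_NET as the destination do not match traffic to an address outside it. The function names, the status labels and the sample config (documentation-range addresses) are constructed for illustration; the current IP is assumed to be supplied by the caller.

```python
import ipaddress
import re

# Constructed sample snort.conf fragment (not from the original post).
SAMPLE_CONF = """\
# network variables
var HOME_NET [192.0.2.0/24,10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET
"""


def parse_home_net(conf_text):
    """Return the entries of the first 'var HOME_NET' line, or None if absent."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"var\s+HOME_NET\s+(.+)$", line)
        if m:
            raw = m.group(1).strip().strip("[]")      # list form: [a,b,c]
            return [e.strip() for e in raw.split(",") if e.strip()]
    return None


def home_net_status(conf_text, current_ip):
    """Classify how HOME_NET relates to the interface's current address.

    missing    - no HOME_NET definition found
    any        - HOME_NET is 'any', so the address change cannot matter
    covered    - current_ip falls inside a listed network
    unresolved - only variable references or negations, not evaluated here
    stale      - literal networks are listed and none contains current_ip
    """
    entries = parse_home_net(conf_text)
    if entries is None:
        return "missing"
    addr = ipaddress.ip_address(current_ip)
    unresolved = False
    for entry in entries:
        if entry == "any":
            return "any"
        if entry.startswith(("$", "!")):
            unresolved = True                         # needs Snort to expand it
            continue
        if addr in ipaddress.ip_network(entry, strict=False):
            return "covered"
    return "unresolved" if unresolved else "stale"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.9"):         # constructed addresses
        print(ip, home_net_status(SAMPLE_CONF, ip))
```

A "stale" result after a lease change means the config still describes the old address.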




