[Snort-users] Snort only catches one address and it doesn't exist

Trevor Cushen trevor at ...6612...
Wed Aug 14 08:21:02 EDT 2002


Hello to all,

strange one that I am hoping one of you can answer.  I have set up snort
several times but this time it's acting funny.

Running on Linux, latest version.

When the snort.conf file says go to database to was sending everything
to screen.  When run with the -D option it ran perfect as in no screen
and all to database.

But when I look in the database all the events are for one ip address. 
The strange thing is that the ip address is the right range or class for
the machines on my dmz where snort is but none of the machines have that
address and there is no NAT in place that would give that address, not
even a dhcp.
Nothing else is showing up even after sending test data that should
raise events.  All connected to a hub, no switching.  The other boxes
are NT web servers

The same config was tested fully on another site with no problems.

Any ideas???

Many thanks in advance
Trevor







More information about the Snort-users mailing list