[Snort-users] Help me friends

skaushik at ...7706... skaushik at ...7706...
Mon Dec 9 08:51:44 EST 2002


Dear Friends,

I have been trying to use Snort 1.9.0 by creating my own rules.

Though I succeeded in implementing that with a few simple rules, I am not able to use it with all its features.

For example:

I wanted to implement the flexresp feature, so I downloaded libnet 1.0 and reconfigured Snort with flexresp support, but when I implemented the rule it says the keyword in the rules file is invalid.

I faced the same error when using the portscan feature in my rule.

Also another important thing I wanted to know is that:

I installed Snort on a machine in the local LAN, not as a gateway but directly connected to a switch, to which all the machines are connected.

And in this scenario I wanted my snort machine to scan all the network traffic in the local LAN. The catch here is I was able to scan all the telnet sessions to the snort machine or from the snort machine but unable to scan those telnet sessions not involving the snort machine.

Also, I was not able to scan the internet requests originating from the other machines apart from the snort machine. The scan shows only the from (internal source IP) -> to (the gateway IP), but not the websites' IP addresses, and I have checked that my rule was right. But that does not happen while scanning the snort machine; it gives the detailed internal and external (websites) IP addresses.



Is the problem anything to do with the location of the snort machine?

Please help me in this regard.

Warm regards,
S.Kaushik


 








