[Snort-users] Snort

Scott Taylor scottt at ...4859...
Tue Feb 19 16:16:02 EST 2002

That was it! The hub is a Netgear 10/100
auto-sensing hub. I'm not sure why this would affect
the traffic like that but it did. Specifically
it's a DS104.
I found an old 10baseT hub. Plugged both systems
in and voilà! It worked. Thanks for your time.


---- Begin Original Message ----

From: "Dr. Richard W. Tibbs"
<ccamp at ...4532...>
Sent: Tue, 19 Feb 2002 18:36:55 -0500
To: Scott Taylor <scottt at ...4859...>
Subject: Re: [Snort-users] Snort

Have you tried running snort on your firewall
box? Are the results the same?
If you have a hub with learning/bridging
capability, then traffic
destined to the IPs behind the firewall will
never reach your snort box,
even though snort puts the NIC in promiscuous mode.

Is it possible that the only traffic seen by
snort in sniffer mode is
true broadcast traffic?
(That will definitely be seen by the snort-box,
but it will probably
generate no alarms.)


Scott Taylor wrote:

>I'm running snort 1.8.3-5 on Redhat 7.1.
>is 0.6.2-9. Below is showing how my sensor is
>located. The external ip of my firewall is
>x.x.x.27 and the ip on my sensor is x.x.x.223
>the subnet mask from my isp is
>                    _
>                   |h|
> ISP-----DSL-------|u|-------snort-box
>                   |b|-------firewall------|Lan|
>                    -
>I've set my snort.conf home_net and all the
>variables regarding ip addresses to "any". If I
>run snort in sniffer mode I can see traffic. If
>I run in NIDS mode it shows nothing in the
>even if I go to grc.com and do a portscan it
>shows nothing in /var/log/snort/alert or
>portscan.log. There is also a file
>snort-timestamp.log but it is in binary format. I'm
>trying to set up Snort Snarf to read the logs.
>When I run it, it generates the page but there
>are no alerts. It shows it's looking in alerts
>and portscan.log. Here's the command I'm
>snort with:
>snort -l /var/log/snort -c /etc/snort/snort.conf -o -b -A FULL -z est
>How do I read what's in the snort-timestamp.log?
>Why is it now logging any alerts or portscans?
>Thanks for any help and take three drinks if
>you're so inclined.
>SOCCER.COM, The Center of the Soccer Universe

---- End Original Message ----
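
Added example (not part of the original thread): Snort's -b option writes the snort-timestamp.log file in tcpdump (libpcap) format, so the check Dr. Tibbs suggests, whether the sensor sees anything beyond broadcast traffic, can be run offline against that log. The sketch below parses a classic pcap and classifies frames by destination; the function names, MAC addresses and the two sample captures are constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def classify_frames(pcap, sensor_mac):
    """Count Ethernet frames in a classic libpcap file by destination class."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap capture")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, offset = Counter(), 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < incl_len or len(frame) < 14:
            counts["truncated"] += 1      # cut-off record or runt frame
            continue
        dst, src = frame[:6], frame[6:12]
        if dst == BROADCAST:
            counts["broadcast"] += 1
        elif dst[0] & 1:                  # group bit set: multicast
            counts["multicast"] += 1
        elif sensor_mac in (dst, src):
            counts["own_unicast"] += 1
        else:                             # unicast between two other hosts
            counts["foreign_unicast"] += 1
    return counts

def sensor_sees_other_hosts(counts):
    """True only if unicast traffic between other stations was captured."""
    return counts["foreign_unicast"] > 0

# Constructed sample data: locally administered MACs, dummy payloads.
SENSOR, FIREWALL, ROUTER = (bytes.fromhex("0200000000" + x) for x in ("23", "27", "01"))

def frame(dst, src, ethertype=0x0800):
    return dst + src + struct.pack(">H", ethertype) + b"\x00" * 46

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

BRIDGED = build_pcap([frame(BROADCAST, ROUTER, 0x0806), frame(SENSOR, ROUTER)])
REPEATED = build_pcap([frame(BROADCAST, ROUTER, 0x0806), frame(FIREWALL, ROUTER)])
```

A capture with zero `foreign_unicast` frames over a period when other hosts were known to be active means the sensor port is not receiving their traffic, whatever the NIC's promiscuous setting.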
