[Snort-users] Snort

Scott Taylor scottt at ...4859...
Tue Feb 19 16:16:02 EST 2002


That was it! The hub is a netgear 10/100 auto
sensing hub. I'm not sure why this would affect
the traffic like that but it did. Specifically
its a DS104.
I found an old 10baseT hub. Plugged both systems
in and viola! It worked. Thanks for your time.

Scott

---- Begin Original Message ----

From: "Dr. Richard W. Tibbs"
<ccamp at ...4532...>
Sent: Tue, 19 Feb 2002 18:36:55 -0500
To: Scott Taylor <scottt at ...4859...>
Subject: Re: [Snort-users] Snort


Have you tried running snort on your firewall
box? Are the results the same?
If you have a hub with learning/bridging
capability, then traffic
destined to the IPs behind the firewall will
never reach your snort box,
even tho snort puts the NIC in promiscuous mode.

Is it possible that the only traffic seen by
snort in sniffer mode is
true broadcast traffic?
(That will definitely be seen by the snort-box,
but it will probably
generate no alarms.)

HTH >>RWT

Scott Taylor wrote:

>I'm running snort 1.8.3-5 on Redhat 7.1.
Libpcap
>is 0.6.2-9. Below is showing how my sensor is
>located. The external ip of my firewall is
>x.x.x.27 and the ip on my sensor is x.x.x.223
>the subnet mask from my isp is 255.255.255.0
>                    _
>                   |h|
> ISP-----DSL-------|u|-------snort-box
>                   |b|-------firewall------|Lan|
>                    -
>I've set my snort.conf home_net and all the
>variables regarding ip address's to "any". If I
>run snort in sniffer mode I can see traffic. If
>I run in NIDS mode it shows nothing in the
logs.
>even if I go to grc.com and do a portscan it
>show's nothing in /var/log/snort/alert or
>portscan.log . There is also a file snort-
>timestamp.log but it is in binary format. I'm
>trying to setup Snort Snarf to read the log's.
>When I run it it generates the page but there
>are no alerts. It shows it's looking in alerts
>and portscan.log. Here's the command I'm
running
>snort with:
>
>snort -l /var/log/snort -
>c /etc/snort/snort.conf -o -b -A FULL -z est
>
>How do I read what's in the snort-timestamp.log?
>Why is it now logging any alerts or portscans?
>
>Thanks for any help and take three drinks if
>your so inclined.
>
>Cheers,
>Scott
>
>
>
>THERE IS ONLY ONE...
>SOCCER.COM, The Center of the Soccer Universe
>http://www.soccer.com
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or
unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/sno
rt-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?
list=snort-users
>




---- End Original Message ----



THERE IS ONLY ONE...
SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com




More information about the Snort-users mailing list