[Snort-users] Configuration HELP! (understanding alerts and proxies)

Jason Martin jmartin at ...6065...
Wed Jun 12 14:51:02 EDT 2002

Let me follow up on this before I get similar responses. I don't think I was
very clear.
x.x.90.77 is a test machine I am using to scan my x.x.90.243 machine.  The
proxy scan is part of the scan I am using to emulate a PROXY scan attempt.
The problem is the scan was from x.x.x.77 but my logs only show the ACK of
my machine responding to x.x.x.77's request SYN port scan of my machine on
that port.  None of the other signatures for the port scan show up, in fact
the only reason this was logged was because of the traffic generated by
x.x.x.243.  I'm looking for someone to point out where I misconfigured my
config file so that it is detecting ONLY traffic generated by x.x.x.243 even
though I have it in my portscan-ignore section.  I guess it's two-part: why
is it not detecting any external scans, and why is it not pre-processing my
ignore variable.

Problem in a nutshell:
IDS Signatures when scans are run from x.x.x.243 are captured in Logs.  ALL
scans from various other test machines against x.x.x.243 do not log.  I do
however see the traffic when I am running snort -dev -c snort.conf, so the
interface is grabbing the packets.  I think I mis-configured my config file
so it doesn't know how to properly alert me.  Or I'm just not making any
sense and the way I'm phrasing my problem isn't coming across correctly.  I
hope this made things a little clearer.
