[Snort-users] (no subject)

Don Weber Don at ...5881...
Tue Apr 8 16:45:05 EDT 2003


How about giving us the command line you used to start snort, and did
you stop and restart snort? If you used the command line for viewing,
what you might be seeing is all the traffic that is normally 'seen', not
necessarily 'alerting' on that traffic, or are you getting alerts
outside your defined rule?

 

Don

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of ryan
stangl
Sent: Tuesday, April 08, 2003 3:54 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] (no subject)

 

I was hoping that someone could help me. I am running snort 1.9 on
Win2K.  I got it to run and on our little mock network I can see other
computers trying to get in, for example I can see a ping, or a sweep.
So I assumed that it was working.  Then I wanted to see if I could get
one of my rules to work, so I added a rules text where all the other
rules were, and gave it a .rules extension. I made just a simple one:
alert tcp <ip/24>500:2000 -> <ip/24> any.  Then in the snort config file
I placed a # in front of all of the rules listed and added a path to the
rule file I made.  My thinking was that I would receive only instances
that I specified, where anything coming from not my computer between port
500 and 2000 trying to go to my computer by any port, but that wasn't
the case. I was getting everything as I was before, coming from any
port.  It seemed A.) that my rule file wasn't working, and B.) that all
the rule files were activated again. WHY IS THIS?  If anyone can help
me out here it would be greatly appreciated.  Thanks

Ryan



