[Snort-users] Snort not seeing all traffic?

Patrick Jones p.jones.ml at ...8985...
Wed Apr 23 12:19:06 EDT 2003


Snort 1.9.1
Red Hat 8.0
2 NICs
Eth0 10.x.x.x
Eth1 no address
Installed ACID

Topology:
Router - Hub - Switch - Firewall - Internal Network
          |                          |
          |                          |
        (Eth1)                       |
     IDS(eth0)-----------------------/


Synopsis:
I do not see all the alerts/listings of scan/vulnerability attempts (even ones initiated by me)... for my network segment.
I know I am only seeing a fraction of the traffic that goes across "the hub".
I know this because I receive alerts from my firewall that scan attempts are occurring,
yet I see no correlation with data in Snort/ACID.

For example:
   1. 2003-04-23 11:31:57 system-alert-00016:  Port scan from 66.70.32.91/80 to x.x.x.x/4746 protocol TCP (untrust)
   2. 2003-04-23 11:31:57 system-alert-00016:  Port scan from 66.70.32.91/80 to x.x.x.x/4398 protocol TCP (untrust)

I do not see anything in ACID/Snort that shows this attempt at port scanning.


I am not sure where I am failing in this. I do see alerts when I go to ACID console, just not all that should be seen.
Is it rules I am not putting into effect?
I really appreciate any help...

~PJ
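The correlation the post describes doing by eye (firewall scan alerts versus what Snort logged) can be done mechanically, which also quantifies how much of the firewall-visible traffic the sensor is missing. The script below is an added example, not part of the original post or of Snort. The firewall line format is the one quoted in the post; the Snort line layout follows the `snort -A fast` alert format, which is an assumption here; all sample lines are constructed, and the redacted `x.x.x.x` destination is replaced with the constructed address `192.0.2.10`.

```python
"""Correlate firewall port-scan alerts with Snort fast-alert lines.

Added example, not from the original post or from Snort. A firewall alert
with no matching Snort alert inside the time window is a candidate blind
spot for the sensor (wrong interface, no promiscuous mode, or the traffic
never reached the hub port the IDS listens on).
"""
import re
from datetime import datetime, timedelta

# Firewall alert format as quoted in the post:
# 2003-04-23 11:31:57 system-alert-00016:  Port scan from A.B.C.D/80 to W.X.Y.Z/4746 protocol TCP (untrust)
FW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+:\s+Port scan from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"protocol (?P<proto>\w+)"
)

# Assumed 'snort -A fast' layout (assumption, not taken from the post):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Priority: N] {PROTO} src:port -> dst:port
SNORT_RE = re.compile(
    r"^(?P<md>\d{2}/\d{2})-(?P<hms>\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_firewall(lines):
    """Parse firewall alerts into {ts, key, raw}; key = (src, sport, dst, dport, proto)."""
    events = []
    for line in lines:
        m = FW_RE.search(line.strip())
        if not m:
            continue  # not a port-scan alert line; skip
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "key": (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"].upper()),
            "raw": line.strip(),
        })
    return events


def parse_snort(lines, year):
    """Parse Snort fast alerts. The fast format carries no year, so it is supplied."""
    events = []
    for line in lines:
        m = SNORT_RE.search(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['md']} {m['hms']}", "%Y/%m/%d %H:%M:%S")
        events.append({
            "ts": ts,
            "key": (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"].upper()),
            "raw": line.strip(),
        })
    return events


def correlate(fw_events, snort_events, window_seconds=60):
    """Split firewall events into (matched, unmatched) against Snort alerts.

    A match is the same 5-tuple with timestamps within window_seconds of each other.
    """
    window = timedelta(seconds=window_seconds)
    matched, unmatched = [], []
    for fw in fw_events:
        hits = [s for s in snort_events
                if s["key"] == fw["key"] and abs(s["ts"] - fw["ts"]) <= window]
        (matched if hits else unmatched).append(fw)
    return matched, unmatched


# Constructed sample data. Firewall lines mirror the post's two alerts with the
# redacted destination replaced by 192.0.2.10; Snort lines are constructed and
# deliberately cover only the first firewall alert.
SAMPLE_FIREWALL = [
    "2003-04-23 11:31:57 system-alert-00016:  Port scan from 66.70.32.91/80 to 192.0.2.10/4746 protocol TCP (untrust)",
    "2003-04-23 11:31:57 system-alert-00016:  Port scan from 66.70.32.91/80 to 192.0.2.10/4398 protocol TCP (untrust)",
]
SAMPLE_SNORT = [
    "04/23-11:31:57.431829  [**] [1:100000:1] CONSTRUCTED scan alert [**] [Priority: 2] {TCP} 66.70.32.91:80 -> 192.0.2.10:4746",
    "04/23-11:35:02.118200  [**] [1:100001:1] CONSTRUCTED unrelated alert [**] [Priority: 3] {TCP} 198.51.100.7:4321 -> 192.0.2.10:22",
]


def run_sample():
    """Correlate the constructed samples; returns (matched, unmatched) firewall events."""
    return correlate(parse_firewall(SAMPLE_FIREWALL), parse_snort(SAMPLE_SNORT, year=2003))


if __name__ == "__main__":
    matched, unmatched = run_sample()
    total = len(matched) + len(unmatched)
    print(f"firewall alerts seen by Snort: {len(matched)}/{total}")
    for fw in unmatched:
        print("NOT SEEN BY SENSOR:", fw["raw"])
```

Run against real logs by replacing the two sample lists with the firewall log and Snort's `alert` file; a high unmatched count for traffic that should cross the hub points at the sniffing interface or its placement rather than at the rule set.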