[Snort-users] Snort not seeing all traffic?
p.jones.ml at ...8985...
Wed Apr 23 12:19:06 EDT 2003
Red Hat 8.0
Eth1 no address
Router - Hub - Switch - Firewall - Internal Network
I do not see all the alerts/listings scan/vulnerability attempts (even ones initiated by me)...for my network segment.
I know I am only seeing a fraction of the traffic that goes across "the hub".
I know this because I receive alerts from my firewall that scan attempts are occurring,
yet I see no correlation with data in Snort/ACID.
1. 2003-04-23 11:31:57 system-alert-00016: Port scan from 126.96.36.199/80 to x.x.x.x/4746 protocol TCP (untrust)
2. 2003-04-23 11:31:57 system-alert-00016: Port scan from 188.8.131.52/80 to x.x.x.x/4398 protocol TCP (untrust)
I do not see anything in ACID/Snort that shows this attempt at port scanning.
I am not sure where I am failing in this. I do see alerts when I go to ACID console, just not all that should be seen.
Is it rules I am not putting into effect?
I really appreciate any help...