[Snort-users] Too little traffic being seen!

Adrian.Mink at ...8989... Adrian.Mink at ...8989...
Thu Apr 24 08:42:22 EDT 2003


The reason they are all turned on is exactly why I am posting: too little traffic! That is also why I have the external and internal nets set to any. I have tried setting my internal net to my actual subnet, but I continue to get the same set of results. Or lack of results!

-----Original Message-----
From: John Sage [mailto:jsage at ...2022...] 
Sent: Wednesday, April 23, 2003 5:39 PM
To: Mink, Adrian (QB8692)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Too little traffic being seen!


Adrian:

On or about Wed, Apr 23, 2003 at 02:02:28PM -0700,
Adrian.Mink at ...8989... posited:
> Hello,
> 
> I am running snort 2.0 on a Redhat 8.0 system using a stealth
> interface (no IP address on eth0). It is plugged into a switch set up
> as a span port, over which is flowing a large amount of traffic. There
> is another IDS plugged into the same switch, which is alerting on the
> traffic. However, snort is only generating maybe 1-2 alerts per hour,
> which is WAY too low. I even took it home (it's on a laptop) and
> plugged it in outside of my firewall on a cable connection and saw the
> same thing. So, I am hoping my config is messed up somehow; will
> someone take a look at it and let me know if there are any glaring
> issues? I am getting very few alerts, and when I fire up ethereal I
> can see the raw traffic, so I know the data is getting to the system.
> Help?

Why do you have $HOME_NET and $EXTERNAL_NET set to the same value,
"ANY"?

> var HOME_NET any
> var EXTERNAL_NET any

By any bizarre chance are the "very few alerts" those where $HOME_NET ==
$EXTERNAL_NET in the triggered rule?

Also, it looks like you've got *all* the rules turned on.

Why? Particularly why, when it's not working yet?



- John
-- 
"You are in a twisty maze of weblogs, all alike."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
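The point John is raising is that `HOME_NET` and `EXTERNAL_NET` are the two variables every directional rule (`$EXTERNAL_NET any -> $HOME_NET 80` and the like) is built on, so defining both as `any` removes the distinction the rules depend on. The script below is an added example, not something from the thread or from the Snort project: it lints those two `var` lines in a snort.conf, flags the overlap quoted above, and writes a copy with `HOME_NET` set to the monitored subnet and `EXTERNAL_NET` set to `!$HOME_NET` (Snort's negation syntax). The config fragment, temp paths and the 192.168.1.0/24 subnet are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): lint the HOME_NET / EXTERNAL_NET
# definitions in a snort.conf and write a corrected copy.
# The sample config, temp-file paths and the subnet are constructed.

# Constructed snort.conf fragment mirroring the settings quoted in the thread.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real deployment
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
include $RULE_PATH/web-iis.rules
EOF

# snort_var CONF NAME -> prints the value of "var NAME value" (last definition wins)
snort_var() {
    awk -v name="$2" '$1 == "var" && $2 == name { val = $3 } END { print val }' "$1"
}

# check_net_vars CONF -> returns 0 when HOME_NET is a real network and differs
# from EXTERNAL_NET; returns 1 (and explains why on stderr) otherwise
check_net_vars() {
    home=$(snort_var "$1" HOME_NET)
    ext=$(snort_var "$1" EXTERNAL_NET)
    rc=0
    if [ "$home" = "any" ]; then
        echo "HOME_NET is 'any': set it to the subnet(s) you are monitoring" >&2
        rc=1
    fi
    if [ "$ext" = "$home" ]; then
        echo "EXTERNAL_NET equals HOME_NET ('$ext'): rule directions no longer mean anything" >&2
        rc=1
    fi
    return $rc
}

# suggested_fix CONF SUBNET -> writes a copy of CONF with HOME_NET set to SUBNET
# and EXTERNAL_NET set to !$HOME_NET, and prints the path of the copy
suggested_fix() {
    out="$(mktemp)"
    awk -v subnet="$2" '
        $1 == "var" && $2 == "HOME_NET"     { print "var HOME_NET " subnet; next }
        $1 == "var" && $2 == "EXTERNAL_NET" { print "var EXTERNAL_NET !$HOME_NET"; next }
        { print }' "$1" > "$out"
    echo "$out"
}

# Stand-alone run: lint the constructed sample and, if it fails, show the fix.
# After editing a real config, validate it with: snort -T -c /path/to/snort.conf
if check_net_vars "$SAMPLE_CONF"; then
    echo "HOME_NET / EXTERNAL_NET look fine"
else
    echo "corrected copy written to: $(suggested_fix "$SAMPLE_CONF" 192.168.1.0/24)"
fi
```

The lint only reads the `var` lines, so it works on a config Snort itself refuses to load; once the variables are fixed, `snort -T -c snort.conf` is the test that actually parses the rules against them.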