Schmehl, Paul L
pauls at ...6838...
Fri Aug 1 13:26:07 EDT 2003
Never forget, the packets must *pass* the sniffer interface for it to
report any alerts. If you're doing a Nessus scan from box A to box B
A ------------>> B ----------->> C
snort will never see it.
If you're doing it like this:
Then snort will see it. *If* you have all your devices plugged in to a
hub *and* you are *certain* that it's not really a switch, then snort
should see anything on that hub, but that's a big if these days. I've
seen many "hubs" at the local computer store that are really switches
when you read the specs.
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
From: Brandon Hanks [mailto:hanksbc at ...8070...]
Sent: Friday, August 01, 2003 2:32 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Help!!!
I used Patrick S. Harper's install guide, Snort, Apache, PHP,
MySQL, ACID on Redhat 9.0 Installation Guide
<http://www.snort.org/docs/snort_acid_rh9.pdf> , without any problems.
Here is my problem: When I perform a Nessus audit on a machine on my
local network, Snort does not log any intrusion detection activity.
But, when I direct the Nessus audit directly at the box running Snort,
the log files are generated and can be viewed using Acid. In my
snort.conf file, I defined my local network as 192.168.0.0/24, which
covers a small windows environment. BTW, using Snort 2.0. The Snort
box is located on my local network at 192.168.0.198. Why does it not
register,log, or recognize attacks directed at machines within its local
network? Any help will be greatly appreciated...Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users