[Snort-users] Snort 2.0.0, OpenBSD3.3, Netgear EN104TP

Gus Faulk glfaulk at ...5190...
Thu Jun 12 21:05:02 EDT 2003


When I ran tcpdump it was seeing all traffic. The problem was in the
snort.conf. My rules were not set up properly.
----- Original Message -----
From: "Matt Kettler" <mkettler at ...4108...>
To: "Gus Faulk" <glfaulk at ...5190...>; <snort-users at lists.sourceforge.net>
Sent: Wednesday, June 11, 2003 8:33 PM
Subject: Re: [Snort-users] Snort 2.0.0, OpenBSD3.3, Netgear EN104TP


> At 07:51 PM 6/11/2003 -0400, Gus Faulk wrote:
> >Snort is not logging anything from the cable modem. I have a remote shell
> >that I have used to do nmap scans and
> >it is not picking up anything. I have a link light on the stealth nic and
> >it is getting traffic.
>
> My first question. Have you tried tcpdump?
>
> If tcpdump sees it, snort should see it. If tcpdump doesn't see it, snort
> won't.
>
> If traffic is coming in and visible to tcpdump, and snort isn't alerting
> when it should, check your configuration of snort.conf and make sure it
> really should be alerting for the IP combinations specified. Carefully
> check over your external and home net declarations, and what rule files you
> have included.
>
> Check the rule files themselves.. which rules do you expect your nmap scan
> to trigger? (note this will vary a LOT depending on what kind of scan you
> run with nmap, and some kinds of nmap scan may not generate any alerts at
> all)
>
>
>

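The check Matt describes (does the HOME_NET/EXTERNAL_NET declaration actually admit the source/destination pair your scan produces?) can be worked through before touching the sensor. The script below is an added example, not code from this thread or from the Snort project: it parses the `var` and `include` lines of a constructed snort.conf fragment and evaluates a rule header's address fields the way Snort 2.x reads them (`any`, CIDR, `$VAR`, `!` negation, `[a,b]` lists). The addresses, the rule text and the three config variants are constructed for illustration; ports, payload options and the actual Snort parser are out of scope.

```python
"""Would this Snort 2.x rule header even see a packet from src_ip to dst_ip?

Added example (not from the mailing-list thread). The snort.conf fragments and
IP addresses below are constructed; the address matcher is a simplified model
of Snort's address-spec semantics, not Snort's own parser.
"""
import ipaddress
import re

# Constructed snort.conf fragment. Snort 2.0 declared address sets with "var".
SNORT_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
include $RULE_PATH/scan.rules
include $RULE_PATH/bad-traffic.rules
"""
# Same, but HOME_NET also covers the (constructed) public cable-modem address,
# which is what a sensor sniffing on the modem side of the router must watch.
FIXED_CONF = SNORT_CONF.replace("var HOME_NET 192.168.1.0/24",
                                "var HOME_NET [192.168.1.0/24,203.0.113.7/32]")
# Classic mistake: HOME_NET any plus EXTERNAL_NET !$HOME_NET matches nothing.
ANY_CONF = SNORT_CONF.replace("var HOME_NET 192.168.1.0/24", "var HOME_NET any")

# Constructed rule header in the shape of the scan rules shipped with Snort.
SCAN_RULE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"nmap scan";)'

RULE_HEADER = re.compile(
    r"^(alert|log|pass)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")


def parse_conf(text):
    """Return ({variable name: raw value}, [included rule files])."""
    variables, includes = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"var\s+(\S+)\s+(.+)$", line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"include\s+(\S+)", line)
        if m:
            includes.append(m.group(1))
    return variables, includes


def address_matches(spec, ip, variables, depth=0):
    """Evaluate one address spec: any, CIDR/IP, $VAR, !spec, [a,b,!c]."""
    if depth > 10:
        raise ValueError("variable recursion too deep: %s" % spec)
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip, variables, depth + 1)
    if spec.startswith("$"):
        name = spec[1:]
        if name not in variables:
            raise KeyError("undefined variable $%s" % name)
        return address_matches(variables[name], ip, variables, depth + 1)
    if spec.startswith("[") and spec.endswith("]"):
        parts = [p.strip() for p in spec[1:-1].split(",") if p.strip()]
        positives = [p for p in parts if not p.startswith("!")]
        negatives = [p[1:] for p in parts if p.startswith("!")]
        # Inside a list, positives are OR'd and negated entries are carved out.
        in_pos = not positives or any(
            address_matches(p, ip, variables, depth + 1) for p in positives)
        in_neg = any(address_matches(n, ip, variables, depth + 1)
                     for n in negatives)
        return in_pos and not in_neg
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_could_fire(rule, src_ip, dst_ip, variables):
    """True if the header's address fields admit the src/dst pair.

    Ports and payload options are ignored on purpose: this only answers
    whether the HOME_NET/EXTERNAL_NET declarations let the rule see the packet.
    """
    m = RULE_HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a rule header: %s" % rule)
    _, _, src, _, direction, dst, _ = m.groups()
    forward = (address_matches(src, src_ip, variables)
               and address_matches(dst, dst_ip, variables))
    if forward or direction == "->":
        return forward
    # "<>" is bidirectional, so also try the reverse pairing.
    return (address_matches(src, dst_ip, variables)
            and address_matches(dst, src_ip, variables))


def diagnose(conf_text, rule, src_ip, dst_ip):
    """Summarise what the config declares and whether the rule can fire."""
    variables, includes = parse_conf(conf_text)
    return {"home_net": variables.get("HOME_NET"),
            "external_net": variables.get("EXTERNAL_NET"),
            "includes": includes,
            "rule_could_fire": rule_could_fire(rule, src_ip, dst_ip, variables)}


if __name__ == "__main__":
    # Constructed scenario: nmap from a remote shell at 198.51.100.20 against
    # the cable modem's public address 203.0.113.7.
    for label, conf in (("as shipped", SNORT_CONF), ("fixed", FIXED_CONF),
                        ("HOME_NET any", ANY_CONF)):
        print(label, diagnose(conf, SCAN_RULE, "198.51.100.20", "203.0.113.7"))
```

The first variant is the one that matches the symptom in this thread: tcpdump shows the scan, but `$HOME_NET` is the private LAN while the packets are addressed to the public side, so `$EXTERNAL_NET any -> $HOME_NET any` never matches. The third variant shows the opposite trap: with `HOME_NET any`, `EXTERNAL_NET !$HOME_NET` can never match anything (some Snort releases refuse to load `!any` at all). Run the real check with `snort -T -c snort.conf` after editing the variables, then replay the scan.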