[Snort-users] inbound alerts only

David dwad24 at ...722...
Thu Jun 26 10:40:21 EDT 2003


Hello everybody,

I am having a sorta weird problemo. I looked through the FAQ and did a web search etc. but didn't find any solution to my problem (or maybe didn't look effectively enough). I have snort running on a solaris box right outside a firewall with a stealth interface. I added this rule: 'alert tcp any any -> xxx.xxx.xxx.xxx 22' and tried to ssh to the x'd out IP from an internal machine; no alerts were triggered.

Upon noting that such a simple rule wasn't working, I looked through all my previous alerts and noticed that not a single alert was from one of our internal machines going outbound (I would at least expect a false positive or two here and there since we use 'any' as our $HOME_NET and $EXTERNAL_NET). All alerts were from external machines coming into our network.

Has anyone seen anything like this before? Is there a setting somewhere which states only look for inbound bad traffic? Could our firewall be somehow mangling the traffic enough that it doesn't quite match a rule somehow, e.g. NAT or something? I have tried several different tests to try to figure out what is going on but to no avail. Any thoughts? Am I missing something really obvious?

Thanks everyone!

Dave


