[Snort-users] inbound alerts only

Stephen Dunn sdunn at ...9569...
Thu Jun 26 19:50:24 EDT 2003


Check the port mirroring configuration on your switch.  Many switches will
give you the option to monitor just the tx or rx portion of a mirrored
port.  If you use tcpdump, confirm that you can see both directions of an
established connection:

tcpdump -i <your interface> -n host xxx.xxx.xxx.xxx and port 22

If you do not see any output indicating your internal host as the source,
this is most likely your problem.


Steve
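The check Steve describes, as an added example that is not part of the original post: a small POSIX shell function that reads `tcpdump -n` output for a host and reports whether that host shows up as both source and destination. Seeing only one direction points at a mirror port configured for tx or rx only. The sample lines and the address 192.0.2.10 (standing in for the x'd-out IP) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): decide from tcpdump -n output
# whether a host is seen in BOTH directions of a connection.
#
# Usage:   tcpdump -i <iface> -n -l host 192.0.2.10 and port 22 | check_both_directions 192.0.2.10
# Returns: 0 both directions seen, 1 only one direction (likely one-way span), 2 host never seen.
check_both_directions() {
    host="$1"
    as_src=0
    as_dst=0
    # tcpdump -n prints: "<time> IP <src>.<sport> > <dst>.<dport>: Flags ..."
    # read -r with named fields avoids word-splitting/globbing surprises from
    # tokens such as "[S.]" that a bare "set -- $line" would pathname-expand.
    while read -r _ts _proto src _arrow dst _rest; do
        src="${src%.*}"        # strip trailing .port from the source token
        dst="${dst%%:*}"       # strip trailing ':' from the destination token
        dst="${dst%.*}"        # then strip its .port
        if [ "$src" = "$host" ]; then as_src=1; fi
        if [ "$dst" = "$host" ]; then as_dst=1; fi
    done
    if [ "$as_src" -eq 1 ] && [ "$as_dst" -eq 1 ]; then
        echo "both directions seen for $host: the sniffing interface gets tx and rx"
        return 0
    elif [ "$as_src" -eq 1 ] || [ "$as_dst" -eq 1 ]; then
        echo "only one direction seen for $host: check the switch mirror (tx/rx) setting"
        return 1
    else
        echo "host $host not seen at all: check the capture filter and interface"
        return 2
    fi
}

# Constructed sample capture (not real traffic): a SYN and its SYN/ACK.
SAMPLE_BOTH='19:50:24.100000 IP 10.0.0.5.34567 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
19:50:24.100500 IP 192.0.2.10.22 > 10.0.0.5.34567: Flags [S.], seq 2, ack 2, win 65535, length 0'

# Stand-alone demo run on the constructed sample.
printf '%s\n' "$SAMPLE_BOTH" | check_both_directions 192.0.2.10
```

Pipe a live capture through it with `tcpdump -l` so output is line-buffered; a non-zero return from the function is the signal that the mirror port, not the Snort rule, needs looking at.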

> Hello everybody, I am having a sorta weird problemo. I looked through
> the FAQ and did a web search etc. but didn't find any solution to my
> problem (or maybe didn't look effectively enough). I have snort running
> on a solaris box right outside a firewall with a stealth interface. I
> added this rule: 'alert tcp any any -> xxx.xxx.xxx.xxx 22' and tried
> to ssh to the x'd out IP from an internal machine; no alerts were
> triggered. Upon noting that such a simple rule wasn't working, I looked
> through all my previous alerts and noticed that not a single alert was
> from one of our internal machines going outbound (I would at least
> expect a false positive or two here and there since we use 'any' as our
> $HOME_NET and $EXTERNAL_NET). All alerts were from external machines
> coming into our network. Has anyone seen anything like this before? Is
> there a setting somewhere which states only look for inbound bad
> traffic? Could our firewall be somehow mangling the traffic enough that
> it doesn't quite match a rule somehow, e.g. NAT or something? I have
> tried several different tests to try to figure out what is going on but
> to no avail. Any thoughts? Am I missing something really
> obvious? Thanks everyone! Dave
>