[Snort-users] possible Snort 2.0 bug

Matt Kettler mkettler at ...4108...
Fri May 9 10:17:06 EDT 2003


At 12:48 AM 5/9/2003 -0300, Shoshin wrote:
>
>** but if I add an alert test rule to snort.conf ( alert tcp any any -> any any )
>  and run the same IDS MODE command, then it creates log files and adds to the alert file !!
>
>So what is wrong with IDS MODE, it should be logging traffic even if there 
>are no alerts ????


IDS mode shouldn't log without there being alerts; however, the test rule 
you describe makes EVERY TCP/IP packet an alert.

alert tcp any any -> any any should more-or-less turn snort into a "log 
everything", with the only exception being that udp and icmp traffic won't 
get logged.

So what makes you conclude that there are "no alerts"?
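Added example, not from the original message or the Snort project: a small Python model of how a Snort rule header is matched, showing why the catch-all rule above turns every TCP packet into an alert while UDP and ICMP stay unlogged, and why IDS mode logs nothing when no rule fires. The packet layout, the header parser and the sample traffic are assumptions; only the header is modelled, rule options are ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp" (assumed layout, not Snort's)
    src: str
    sport: Optional[int]  # None for icmp, which has no ports
    dst: str
    dport: Optional[int]

def _ip_matches(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec: str, port: Optional[int]) -> bool:
    if spec == "any":
        return True
    if port is None:          # a concrete port can never match a portless protocol
        return False
    if ":" in spec:           # ranges such as "1024:", ":1023" or "80:443"
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def header_matches(rule: str, pkt: Packet) -> bool:
    """True if the rule header would fire on this packet (rule options are ignored)."""
    _action, proto, src, sport, direction, dst, dport = rule.split()[:7]
    if proto != "ip" and proto != pkt.proto:
        return False
    forward = (_ip_matches(src, pkt.src) and _port_matches(sport, pkt.sport)
               and _ip_matches(dst, pkt.dst) and _port_matches(dport, pkt.dport))
    if direction == "->":
        return forward
    reverse = (_ip_matches(src, pkt.dst) and _port_matches(sport, pkt.dport)
               and _ip_matches(dst, pkt.src) and _port_matches(dport, pkt.sport))
    return forward or reverse  # "<>" is bidirectional

def logged_in_ids_mode(rules: List[str], packets: List[Packet]) -> List[Packet]:
    """IDS mode logs a packet only when at least one rule alerts on it."""
    return [p for p in packets if any(header_matches(r, p) for r in rules)]

# Constructed sample traffic: one TCP, one UDP and one ICMP packet.
SAMPLE = [
    Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80),
    Packet("udp", "10.0.0.5", 40001, "192.0.2.53", 53),
    Packet("icmp", "10.0.0.5", None, "192.0.2.10", None),
]
```

With an empty rule list nothing is logged; with the catch-all TCP rule only the TCP packet is, which is exactly the behaviour the thread is puzzling over.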