[Snort-users] Not logging everything

Chuck Holley cholley at ...11679...
Tue Apr 20 06:34:06 EDT 2004
Fred, you hit the nail on the head.  I just had a revelation. Last night
when I was scanning, I was getting told that it was being blocked; not
thinking at the time, I just kept doing it.  My router has access lists on
it, blocking ICMP. If it can't get past the router it certainly isn't going
to get to my switch.  Sorry for the false alarm. :)

-----Original Message-----
From: Fred Portnoy [mailto:fportnoy at ...1527...] 
Sent: Tuesday, April 20, 2004 9:17 AM
To: 'Chuck Holley'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Not logging everything

Does your ISP or your router apply any filtering?
-fp

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Chuck Holley
Sent: Tuesday, April 20, 2004 8:41 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Not logging everything
This is my problem.  I have a snort box (set up using Patrick Harper's install
guide for Fedora C1) local to the switch that all of my servers reside on.
I set the switch (HP 2848) to monitor the port which is uplinked to my
router, and to mirror the traffic to the port my snort box is on.  I did a
lot of scanning last night from home using "nmap" and the "cis" scanning
tools. I wrote down the IP address that my ISP gave me, came in this morning
to see what snort had logged through ACID; and there was one alert to one of
my servers.  I pinged and scanned about 10 servers last night, and it only
got one?????  My question is, are packets being dropped at my switch, or is
snort not logging properly due to some options not being specified?  If I
run nmap locally, snort pretty much gets it all, although it takes a little
while to see in ACID.

Thanks 

Chuck Holley
LAN Administrator
FitnessQuest Inc.
Canton, OH
cholley at ...11679...
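The lesson of this thread is that a quiet sensor is not necessarily a broken sensor: before blaming Snort's logging or the mirror session, confirm what actually arrived on the sniffing interface. The script below is an added example for this list, not code from the thread or from the Snort project. It takes tcpdump-style lines as captured on the sensor's mirror port (the sample lines are constructed, using RFC 5737 documentation addresses; the scanner address, target list and line format are assumptions) and reports, per target and protocol, whether anything from the external scanner reached the sensor. A target with nothing seen at all, or a protocol missing for every target (ICMP here), points at upstream filtering such as a router ACL or a mis-scoped mirror, not at Snort's rule or logging configuration.

```python
"""Sensor visibility check for a Snort box on a switch mirror port.

Added example, not from the thread.  Assumes capture lines in the default
`tcpdump -n` text format as taken on the sensor's sniffing interface, e.g.
`tcpdump -n -i eth1 host <scanner-ip>`.  All sample data is constructed.
"""

import re
from collections import defaultdict

# Constructed sample capture (RFC 5737 addresses): the scanner at 203.0.113.10
# only ever reaches 192.0.2.21 over TCP; no ICMP from it arrives at all.
SAMPLE_CAPTURE = """\
09:12:01.100 IP 203.0.113.10.40001 > 192.0.2.21.80: Flags [S], seq 1, win 1024, length 0
09:12:01.102 IP 203.0.113.10.40002 > 192.0.2.21.443: Flags [S], seq 1, win 1024, length 0
09:12:02.300 IP 192.0.2.21.80 > 203.0.113.10.40001: Flags [S.], seq 2, ack 2, win 512, length 0
09:12:04.000 IP 192.0.2.5 > 192.0.2.21: ICMP echo request, id 7, seq 1, length 64
09:12:05.000 IP 192.0.2.200.5353 > 224.0.0.251.5353: UDP, length 80
"""

# Timestamp, "IP", src[.port] > dst[.port]: rest-of-line
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_capture(text):
    """Yield (src, dst, proto) per parseable line; proto is icmp/tcp/udp/other."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-IP lines (ARP, truncated output) are ignored
        rest = m.group("rest")
        if rest.startswith("ICMP"):
            proto = "icmp"
        elif rest.startswith("Flags"):
            proto = "tcp"
        elif rest.startswith("UDP"):
            proto = "udp"
        else:
            proto = "other"
        yield m.group("src"), m.group("dst"), proto


def visibility_report(capture_text, scanner_ip, targets, protos=("icmp", "tcp")):
    """Return {target: {proto: seen?}} for traffic the scanner sent to each target.

    Only packets whose source is the scanner count; replies and unrelated
    internal traffic on the mirror port are ignored.
    """
    seen = defaultdict(set)
    for src, dst, proto in parse_capture(capture_text):
        if src == scanner_ip:
            seen[dst].add(proto)
    return {t: {p: (p in seen[t]) for p in protos} for t in targets}


def missing_targets(report):
    """Targets for which nothing from the scanner reached the sensor at all."""
    return sorted(t for t, ps in report.items() if not any(ps.values()))


def protocols_never_seen(report):
    """Protocols absent for every target: the signature of an upstream ACL."""
    protos = next(iter(report.values())).keys() if report else []
    return sorted(p for p in protos if not any(ps[p] for ps in report.values()))


if __name__ == "__main__":
    targets = ["192.0.2.21", "192.0.2.22", "192.0.2.23"]
    rep = visibility_report(SAMPLE_CAPTURE, "203.0.113.10", targets)
    for t, ps in rep.items():
        print(t, {p: ("seen" if ok else "MISSING") for p, ok in ps.items()})
    print("never reached sensor:", missing_targets(rep))
    print("protocol filtered upstream?:", protocols_never_seen(rep))
```

Run it against a real capture by replacing SAMPLE_CAPTURE with the output of tcpdump on the mirror interface during a controlled scan from a known external address. If the report shows traffic arriving but ACID stays empty, the problem is on the Snort side (rules, HOME_NET, logging output); if the report shows nothing arriving, as in this thread, look at the router, the ISP and the mirror session first.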