[Snort-users] Snort logging way too much

Ochronus ochronus at ...11210...
Fri Feb 13 23:15:02 EST 2004


Actually, it's not meant to be a bug report; I rather suspect that I've misconfigured the pig.


But anyway:

System arch.:  x86 (Athlon)
System: Debian unstable
Snort version: 2.1 

Preprocessors: flow, frag2, stream4:detect_scans, disable_evasion_alerts, http_inspect_servers, rpc_decode, bo, telnet_decode

rules: Many. Almost all
output plugins: postgresql
command line: -i eth0  -p  -c <config-file>         (tried without -p)
snort errors: none



The thing is that I don't understand how it comes that my machine logs packets/packet flows aimed at other machines. I thought it was because of Snort setting promiscuous mode, yet I think a decent switch in the server hosting area (there are 5 machines on the switch my machine is on) should not propagate every packet to all machines. But even if so, I should be able to tell Snort to watch only for those having my machine's IP as their destination.



Thank you,
Ochronus




------------------------
We need more info, please check out the BUGS file in the doc directory 
of your Snort distro.

     -Marty

On Feb 13, 2004, at 7:25 PM, Ochronus wrote:

> Hi!
>
> I have a hosted server with a fixed IP address. I set $HOME_NET to this 
> address, tried turning on and off promiscuous mode, still snort logs 
> many packets sent to foreign machines, even to ones hosted trivially 
> at other subnets.
>
>
> Given the above layout (single server, no LAN attached, fixed IP), could 
> you give me some hints on configuring the pig for rule-based logging 
> of only the packets sent TO MY machine?
>
>
> Thanks in advance,
> Ochronus
>
>
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org