[Snort-users] Snort logging way too much
ochronus at ...11210...
Fri Feb 13 23:15:02 EST 2004
Actually it's not meant to be a bug report, I rather suspect that I've misconfigured the pig.
System arch.: x86 (Athlon)
System: Debian unstable
Snort version: 2.1
Preprocessors: flow, frag2, stream4:detect_scans, disable_evasion_alerts, http_inspect_servers, rpc_decode, bo, telnet_decode,
rules: Many. Almost all
output plugins: postgresql
command line: -i eth0 -p -c <config-file> (tried without -p)
snort errors: none
The thing is that I don't understand how comes that my machine logs packets/packet flows aimed to another machines. I thouht it was because of snort setting promiscuous mode, yet I think a decent switch in the server hosting area (there are 5 machines on the switch my machine is on) should not propagate every packet to all machines. But even if so, I should be able to tell snort only to watch for those having their destination IP my machine's.
We need more info, please check out the BUGS file in the doc directory
of your Snort distro.
On Feb 13, 2004, at 7:25 PM, Ochronus wrote:
> I have a hosted server with a fix IP address. I set $HOME_NET to this
> address, tried turning on and off promiscuous mode, still snort logs
> many packets sent to foreing machines, even to ones hosted trivially
> at other subnets.
> Given the above layout (single server, no LAN attached, fix ip), could
> you give me some hints on configuring the pig for rule-based logging
> the packets sent only TO MY machine?
> Thanks in advance,
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
More information about the Snort-users