[Snort-users] Snort logging way too much

Ochronus ochronus at ...11210...
Fri Feb 13 23:15:02 EST 2004

Actually it's not meant to be a bug report, I rather suspect that I've misconfigured the pig.

But anyway:

System arch.:  x86 (Athlon)
System: Debian unstable
Snort version: 2.1 

Preprocessors: flow, frag2, stream4:detect_scans, disable_evasion_alerts, http_inspect_servers, rpc_decode, bo, telnet_decode

rules: Many. Almost all
output plugins: postgresql
command line: -i eth0  -p  -c <config-file>         (tried without -p)
snort errors: none

The thing is that I don't understand how come my machine logs packets/packet flows aimed at other machines. I thought it was because of Snort setting promiscuous mode, yet I think a decent switch in the server hosting area (there are 5 machines on the switch my machine is on) should not propagate every packet to all machines. But even if so, I should be able to tell Snort only to watch for those having their destination IP my machine's.

Thank you,

We need more info, please check out the BUGS file in the doc directory 
of your Snort distro.


On Feb 13, 2004, at 7:25 PM, Ochronus wrote:

> Hi!
> I have a hosted server with a fixed IP address. I set $HOME_NET to this 
> address, tried turning on and off promiscuous mode, still snort logs 
> many packets sent to foreign machines, even to ones hosted trivially 
> at other subnets.
> Given the above layout (single server, no LAN attached, fixed IP), could 
> you give me some hints on configuring the pig for rule-based logging 
> the packets sent only TO MY machine?
> Thanks in advance,
> Ochronus
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
