[Snort-users] Not sure I'm seeing all traffic

John Creegan jcreegan at ...9729...
Tue Mar 29 06:53:43 EST 2005

Hi, everyone...

Snort 2.3.2, BASE 1.0.2
I've read Snort 2.0 Intrusion Detection (Syngress)
Intrusion Detection with Snort (Sams)
Intrusion Detection with Snort (Rehman)
And thousands of emails from the users group.

I've got my sniffing interface in promiscuous mode on a mirrored port.  The source port is the one my perimeter firewall is plugged into.  I'm thinking that this means that my sniffing interface *should* be seeing all traffic going out of the firewall *and* all traffic that the firewall is passing in.  My first question is:
     Is that correct?

I'm running two snort instances on the same box.  One for logging, one for alerting.  I'm attempting to verify that the alerting instance is catching everything.  No matter how much I read on the differences between the alert and log facilities I've remained confused as to how logging works.  Alerting is easy...say something when a rule is violated.  Logging also seems affected by the rules (as in when I comment one out the logging instance no longer reports it either).  My second question is:
     Why is that?

The "-z est" argument has always troubled me.  I know it's there (thanks, Marty) to defeat stick attacks, but the argument "-z est" has never worked.  At least older versions of snort wouldn't start with that in the command line.  "-z" has, so for the past three years I've never known whether I really am looking at only established traffic or not.  And when looking for chat rule violations I don't know whether I should be...especially with the newer "flow:established" criteria written at the rule level.  My third (and final) question is:
     Does anyone know of more resources than I've read that can help me to understand all this better?

I'll appreciate any (positive) suggestions anyone cares to provide.  Thanks!
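The alert-versus-log confusion in the post comes down to the rule action keyword: both `alert` and `log` rules are ordinary rules, so commenting one out silences whichever instance was matching it. The two constructed local rules below (an added illustration, not from the original post or the Snort distribution; the sid values and ports are assumptions) show the same match written with each action, and show `flow:established` being applied per rule rather than per instance:

```snort
# Constructed example rules (local sid range). Both rules match the same
# traffic; only the action differs, so both are affected by editing rules.

# "alert": raise an event in the alert facility (what the alerting instance reports).
alert tcp $EXTERNAL_NET any -> $HOME_NET 6667 (msg:"Inbound IRC session to internal host"; \
    flow:established,to_server; classtype:policy-violation; sid:1000001; rev:1;)

# "log": record the packet to the log facility without generating an alert
# (what a logging instance writes). Still a rule, still rule-driven.
log tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"Outbound IRC session"; \
    flow:established,to_server; sid:1000002; rev:1;)

# "flow:established" is evaluated per rule from the stream preprocessor's
# session state, so each rule decides for itself whether to ignore unestablished
# traffic, independent of any command-line assurance mode.
```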

