[Snort-users] Snort only alert about traffic with an specific IP
berta83 at ...11827...
Mon May 26 06:13:49 EDT 2008
I have many problems with snort; for example, some rules work fine and others
don't work. But what surprises me a lot is that snort only alerts about rules
with my IP (where snort is installed) as source or destination.
I've tried with this rule:
alert tcp any any -> any any (msg:"TCP traffic";sid:1000011; rev:1;)
The only alerts registered are those which have my IP. I don't understand
I have this information in snort.conf:
*var HOME_NET 172.18.64.0/19*
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
Snort is installed in 172.18.65.16. There are many other IPs available in
Another rare thing: I changed $EXTERNAL_NET to any in a rule and then it
worked, but I have rules with $EXTERNAL_NET that work fine.
(I use Windows XP+Snort 2.7+Base)
Thank you very much for any idea