[Snort-users] Snort only alert about traffic with an specific IP

Berta Alcala berta83 at ...11827...
Mon May 26 06:13:49 EDT 2008


Hello,

I have many problems with snort, for example some rules work fine and others
don't work. But what surprises me a lot is that snort only alerts about rules
with my IP (where snort is installed) as source or destination.

I've tried with this rule:

alert tcp any any -> any any (msg:"TCP traffic";sid:1000011; rev:1;)

The only alerts registered are those which have my IP. I don't understand
anything.
I have this information in snort.conf:

*var HOME_NET 172.18.64.0/19*
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET

Snort is installed on 172.18.65.16. There are many other IPs available in
my network.
Another strange thing: I changed $EXTERNAL_NET to any in a rule and then it
worked, but I have rules with $EXTERNAL_NET that work fine.
(I use Windows XP+Snort 2.7+Base)

Thank you very much for any idea