[Snort-users] Snort only alerts about traffic with a specific IP

Michael Boman michael.boman at ...11827...
Mon May 26 06:55:09 EDT 2008


On Mon, May 26, 2008 at 12:13 PM, Berta Alcala <berta83 at ...11827...> wrote:
> Hello,
>
> I have many problems with snort, for example some rules work fine and others
> don't work. But what surprises me a lot is that snort only alerts on rules
> with my IP (where snort is installed) as source or destination.
>
> I've tried with this rule:
>
> alert tcp any any -> any any (msg:"TCP traffic";sid:1000011; rev:1;)
>
> The only alerts registered are those which have my IP. I don't understand
> anything.
> I have this information in snort.conf:
>
> var HOME_NET 172.18.64.0/19
> var EXTERNAL_NET any
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
>
> Snort is installed on 172.18.65.16. There are many other IPs available in
> my network.
> Another strange thing: I changed $EXTERNAL_NET to any in a rule and then it
> worked, but I have rules with $EXTERNAL_NET that work fine.
> (I use Windows XP+Snort 2.7+Base)
>
> Thank you very much for any idea

A few things come to mind:

1) Make sure the interface is in promiscuous mode
2) Are you connected to a switch? Then you won't see the traffic due
to the properties of a switch. You need to investigate SPAN ports
and/or network taps.

Double-check using standard tcpdump to see if you can actually see
other traffic (snort can also work in this mode, but it has been a long
time since I used snort like that, so I can't remember the flags for
it).

Best regards
Michael Boman

-- 
http://michaelboman.org - Security Blog & Wiki
Custom Laptop Skins @
http://michaelboman.org/wiki/index.php?title=Custom_Laptop_Skins
Join the Singapore Security Meetup Group @ http://security.meetup.com/77/
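The two checks in Michael's reply, written out as a script. This is an added example, not code from the thread; it assumes a Linux sensor with iproute2 and tcpdump (the original poster is on Windows XP, where WinDump is the tcpdump equivalent). The sensor address 172.18.65.16 is taken from the post; the interface name eth0 and all sample output below are constructed.

```shell
#!/bin/sh
# Added example (not from the list post). Two checks for a sensor that only
# ever alerts on its own traffic: is the NIC in promiscuous mode, and does the
# switch port actually deliver other hosts' packets to it?
# Assumptions: Linux, iproute2, tcpdump. 172.18.65.16 is from the post; eth0 is a guess.

SENSOR_IP=172.18.65.16
IFACE=${IFACE:-eth0}

# 1) Promiscuous mode. `ip link show <iface>` prints the flags in angle
#    brackets, e.g. <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>.
#    Takes that output as its argument and prints "yes" or "no".
promisc_from_iplink() {
    if printf '%s\n' "$1" | sed -n 's/.*<\([^>]*\)>.*/\1/p' | tr ',' '\n' | grep -qx PROMISC; then
        echo yes
    else
        echo no
    fi
}

# 2) Does the NIC see traffic that does not touch the sensor at all?
#    Takes `tcpdump -n` output as its argument and counts IP packets whose
#    source AND destination are both other hosts. On a plain switched port
#    (no SPAN, no tap) this stays at 0 apart from broadcast/multicast.
count_foreign_packets() {
    printf '%s\n' "$1" | awk -v s="$SENSOR_IP" '
        # Drop a trailing ".port" only when there are five dotted groups, so
        # "10.1.2.3.80" becomes "10.1.2.3" but an ICMP "10.1.2.3" is left alone.
        function host(a) {
            sub(/:$/, "", a)
            if (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) sub(/\.[0-9]+$/, "", a)
            return a
        }
        $2 == "IP" { if (host($3) != s && host($5) != s) n++ }
        END { print n + 0 }'
}

# Constructed sample output so the script runs offline (not real captures).
SAMPLE_IPLINK='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

SAMPLE_TCPDUMP='12:00:01.000001 IP 172.18.65.16.51234 > 172.18.65.1.53: 12345+ A? example.com. (29)
12:00:01.000002 IP 172.18.65.20.40000 > 10.1.2.3.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000003 IP 10.1.2.3.80 > 172.18.65.20.40000: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:01.000004 ARP, Request who-has 172.18.65.1 tell 172.18.65.16, length 46
12:00:01.000005 IP 172.18.65.30 > 172.18.65.16: ICMP echo request, id 1, seq 1, length 64'

case "${1:-}" in
  --live)
    # Real checks; tcpdump needs root. Stops after 200 packets or 15 seconds
    # (a port that stays quiet for 15 seconds is itself a strong hint).
    echo "promisc on $IFACE: $(promisc_from_iplink "$(ip link show "$IFACE")")"
    echo "packets not involving $SENSOR_IP: $(count_foreign_packets "$(timeout 15 tcpdump -n -i "$IFACE" -c 200 2>/dev/null)")"
    ;;
  *)
    echo "promisc (sample): $(promisc_from_iplink "$SAMPLE_IPLINK")"
    echo "foreign packets (sample): $(count_foreign_packets "$SAMPLE_TCPDUMP")"
    ;;
esac
```

Run it with --live on the sensor; on the sample data it reports promisc yes and 2 foreign packets (the two halves of the 172.18.65.20 handshake, while the sensor's own DNS query and the ping aimed at it are not counted). The one-line equivalent of the second check is `tcpdump -n -i eth0 -c 50 not host 172.18.65.16`: if that never fills up, the problem is the switch port, not the rules, and a SPAN session or tap is needed. For the snort side of Michael's remark, `snort -v -i <iface>` is snort's own sniffer mode, and `-p` disables promiscuous mode, so make sure `-p` is not on the snort command line.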