[Snort-users] Snort only alerts about traffic with a specific IP

Berta Alcala berta83 at ...11827...
Thu May 29 04:01:22 EDT 2008


Hi,

I tried this rule (only this rule; the rest were commented out in
snort.conf):

alert tcp any any -> any any (msg:"TCP traffic";sid:1000011; rev:1;)

The only alerts registered are those involving my IP (as source or
destination). Using Ethereal I only see traffic with my IP as source or
destination, or broadcast traffic. I cannot see a ping between two other
PCs with Ethereal, nor with Snort (I attach a pcap file).

I have this information in snort.conf:

var HOME_NET 172.18.64.0/19
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET

Snort is installed as a Windows service with this command line:
snort /SERVICE /INSTALL -dev -c c:\Snort\etc\snort.conf -l c:\Snort\log -i2

I use Windows XP + Snort 2.7 + BASE

Jason, how can I disable the checksum check?

2008/5/27 Paul Schmehl <pschmehl_lists at ...14358...>:

> Thousands of security professionals worldwide are using snort successfully.
> So, you can start with the safe assumption that the problem isn't snort.
>
> Whether or not snort alerts on traffic is entirely dependent upon two
> things:
> 1) Traffic is passing the interface that snort is listening on
> 2) You have snort properly configured to see that traffic.
>
> If you've convinced yourself, using Ethereal, that traffic *is* being seen
> on that interface, then that narrows the problem down to your configuration
> of snort.
>
> What have you defined $HOME_NET as?
> What have you defined $EXTERNAL_NET as?
> What rules have you enabled in snort.conf?
> What are your startup options for snort (what interface, where do you log,
> etc.)?
>
> To quickly see if snort is working at all, write a rule that looks for
> everything:
>
> alert ip any any -> any any (msg:"Testing for detection capability";
> sid:1000001; rev:1;)
>
> Don't even bother editing sid-msg.map.  All you care about is seeing that
> alerts are being generated.  Depending upon your traffic, this could
> generate a ton of alerts in short order, so be prepared to shut down snort
> before you get overwhelmed.
>
> What are you using to view the alerts?
>
> --
> Paul Schmehl
> As if it wasn't already obvious,
> my opinions are my own and not
> those of my employer.
>
>
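Paul's two conditions above separate cleanly: either the frames never reach the interface, or Snort is configured not to match them. The script below is an added example for this thread (not code from the posts, from Snort or from the attached pcap); it reads a classic libpcap capture taken from the same interface Snort listens on and sorts each Ethernet/IPv4 frame into "own" (the sensor's IP is source or destination), "broadcast" (broadcast or multicast destination MAC) and "third_party" (unicast IPv4 between two other hosts). If the "third_party" bucket is empty, the catch-all rule can never fire on other hosts' traffic because there is nothing for it to match, and the fix lies outside snort.conf. The sensor address 172.18.64.10, the MAC addresses and the two embedded captures are constructed for the demonstration; the second capture is the kind a mirror (SPAN) port or hub delivers, the first the kind a plain switch port delivers.

```python
"""Sort frames in a pcap by whether the sensor's own IP is involved (added example)."""
import ipaddress
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def iter_pcap_frames(data: bytes):
    """Yield raw frames from a classic pcap file (either byte order, Ethernet link type)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def classify_frame(frame: bytes, sensor_ip: str) -> str:
    """Return 'own', 'broadcast', 'third_party' or 'other' for one Ethernet frame."""
    if len(frame) < 14:
        return "other"
    if frame[0] & 1:  # group bit in destination MAC: broadcast or multicast
        return "broadcast"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return "other"
    src = str(ipaddress.IPv4Address(frame[26:30]))  # IPv4 source at Ethernet+12
    dst = str(ipaddress.IPv4Address(frame[30:34]))  # IPv4 destination at Ethernet+16
    return "own" if sensor_ip in (src, dst) else "third_party"


def summarize(pcap: bytes, sensor_ip: str) -> dict:
    """Count frames per bucket for the given capture bytes."""
    return dict(Counter(classify_frame(f, sensor_ip) for f in iter_pcap_frames(pcap)))


def sees_third_party_traffic(pcap: bytes, sensor_ip: str) -> bool:
    """True if at least one unicast IPv4 frame involves neither side of the sensor."""
    return summarize(pcap, sensor_ip).get("third_party", 0) > 0


# --- constructed test captures (not the traffic.pcap attached to the mail) ---

def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, used for both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Minimal Ethernet/IPv4/ICMP echo request with valid IP and ICMP checksums."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping"
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


def arp_broadcast_frame(src_mac: bytes) -> bytes:
    """Broadcast ARP frame; the payload bytes do not matter to the classifier."""
    return BROADCAST_MAC + src_mac + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap file with Ethernet link type."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1212000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


SENSOR_IP = "172.18.64.10"  # assumed sensor address inside the poster's HOME_NET
MAC_SENSOR, MAC_B, MAC_C, MAC_D = (bytes([0x00, 0x11, 0x22, 0x33, 0x44, n]) for n in range(4))
OWN_PING = icmp_echo_frame(MAC_SENSOR, MAC_B, SENSOR_IP, "172.18.64.20")
ARP = arp_broadcast_frame(MAC_C)
OTHER_PING = icmp_echo_frame(MAC_C, MAC_D, "172.18.64.30", "172.18.64.40")

SWITCHED_PCAP = build_pcap([OWN_PING, ARP])          # only own unicast plus broadcast
SPAN_PCAP = build_pcap([OWN_PING, ARP, OTHER_PING])  # also a ping between two other hosts

if __name__ == "__main__":
    for name, pcap in (("switched", SWITCHED_PCAP), ("span", SPAN_PCAP)):
        print(name, summarize(pcap, SENSOR_IP),
              "third-party traffic:", sees_third_party_traffic(pcap, SENSOR_IP))
```

To use it on a real capture, read the file into bytes and call summarize() with the address of the interface Snort is bound to (the -i2 interface in the service command line above). A result with no "third_party" entry means the capture itself contains nothing from other hosts, so editing rules, HOME_NET or checksum settings cannot help; a non-zero count means the frames do arrive and the configuration side is where to look.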
Attachments (scrubbed by the list archive):
  traffic.pcap  (application/octet-stream, 102425 bytes)
    <https://lists.snort.org/pipermail/snort-users/attachments/20080529/a21fc700/attachment.obj>
  snort.conf  (application/octet-stream, 40572 bytes)
    <https://lists.snort.org/pipermail/snort-users/attachments/20080529/a21fc700/attachment-0001.obj>