[Snort-users] Snort only alert about traffic with an specific IP

Leon Ward seclists at ...14165...
Thu May 29 04:31:34 EDT 2008


> Using Ethereal I only see traffic with my IP as source, or  
> destination, or broadcast traffic.

Then it is clear that either one of the following *must* be true.
  - You are connected to a switch port (and therefore only this  
traffic is being sent to your device)
  - The user you are running ethereal as does not have permission to  
place the capture device into promisc mode

Although Jason's point about checksum offloading is correct, I don't  
think it applies here. Ethereal would not throw away traffic if the  
checksums are incorrect on the packets, they would simply be marked as  
having incorrect checksums in the capture. Looking at your pcap we can  

IP Header checksum: 0x669b [correct]
         [Good: True]
         [Bad : False]
TCP Checksum: 0x9646 [correct]
         [Good Checksum: True]
         [Bad Checksum: False]

If you have the rights to configure the switch, you need to set your  
port as a monitor/mirror/SPAN port (the terminology varies between  
venders, but essentially means the same thing).
Before you start trying to run Snort in an IDS mode, make sure you can  
sniff the wire correctly.


On 29 May 2008, at 09:01, Berta Alcala wrote:

> Hi,
> I tried with this rule (only this rule, the rest were commented in  
> snort.conf):
> alert tcp any any -> any any (msg:"TCP traffic";sid:1000011; rev:1;)
> The only alerts registered are those which have my IP (source or  
> destination). Using Ethereal I only see traffic with my IP as  
> source, or destination, or broadcast traffic. I can not see a ping  
> command between two others PCs with Ethereal, neither with Snort (I  
> attach a pcap file)
> I have this information in snort.conf:
> var HOME_NET
> var EXTERNAL_NET any
> Snort is installed as a Windows service with this command line:
> snort /SERVICE /INSTALL -dev -c c:\Snort\etc\snort.conf -l c:\Snort 
> \log -i2
> I use Windows XP+Snort 2.7+Base
> Jason, How can I disable checksum?
> 2008/5/27 Paul Schmehl <pschmehl_lists at ...14358...>:
> Thousands of security professionals worldwide are using snort  
> successfully. So, you can start with the safe assumption that the  
> problem isn't snort.
> Whether or not snort alerts on traffic is entirely dependent upon  
> two things:
> 1) Traffic is passing the interface that snort is listening on
> 2) You have snort properly configured to see that traffic.
> If you've convinced yourself, using Ethereal, that traffic *is*  
> being seen on that interface, then that narrows the problem down to  
> your configuration of snort.
> What have you defined $HOME_NET as?
> What have you defined $EXTERNAL_NET as?
> What rules have you enabled in snort.conf?
> What's your startup options for snort (what interface, where do you  
> log, etc.)?
> To quickly see if snort is working at all, write a rule that looks  
> for everything:
> alert ip any any -> any any (msg:"Testing for detection capability";  
> sid:1000001; rev:1;)
> Don't even bother editing sid-msg.map.  All you care about is seeing  
> that alerts are being generated.  Depending upon your traffic, this  
> could generate a ton of alerts in short order, so be prepared to  
> shut down snort before you get overwhelmed.
> What are you using to view the alerts?
> -- 
> Paul Schmehl
> As if it wasn't already obvious,
> my opinions are my own and not
> those of my employer.
> <traffic.pcap><snort.conf>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080529/04c50c73/attachment.html>

More information about the Snort-users mailing list