[Snort-users] Snort only alert about traffic with a specific IP

Jason Brvenik jasonb at ...1935...
Thu May 29 09:58:40 EDT 2008


Are you monitoring a span or mirror port?


Berta Alcala wrote:
> Hi,
> 
> I tried with this rule (only this rule, the rest were commented in 
> snort.conf):
> 
> alert tcp any any -> any any (msg:"TCP traffic";sid:1000011; rev:1;)
> 
> The only alerts registered are those which have my IP (source or 
> destination). Using Ethereal I only see traffic with my IP as source, or 
> destination, or broadcast traffic. I cannot see a ping command between 
> two other PCs with Ethereal, nor with Snort (I attach a pcap file).
> 
> I have this information in snort.conf:
> 
> var HOME_NET 172.18.64.0/19
> var EXTERNAL_NET any
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> 
> Snort is installed as a Windows service with this command line:
> snort /SERVICE /INSTALL -dev -c c:\Snort\etc\snort.conf -l c:\Snort\log -i2
> 
> I use Windows XP+Snort 2.7+Base
> 
> Jason, how can I disable checksum?
> 
> 2008/5/27 Paul Schmehl <pschmehl_lists at ...14358... 
> <mailto:pschmehl_lists at ...14358...>>:
> 
> 
> 
> 
>     Thousands of security professionals worldwide are using snort
>     successfully. So, you can start with the safe assumption that the
>     problem isn't snort.
> 
>     Whether or not snort alerts on traffic is entirely dependent upon
>     two things:
>     1) Traffic is passing the interface that snort is listening on
>     2) You have snort properly configured to see that traffic.
> 
>     If you've convinced yourself, using Ethereal, that traffic *is*
>     being seen on that interface, then that narrows the problem down to
>     your configuration of snort.
> 
>     What have you defined $HOME_NET as?
>     What have you defined $EXTERNAL_NET as?
>     What rules have you enabled in snort.conf?
>     What are your startup options for snort (what interface, where do you
>     log, etc.)?
> 
>     To quickly see if snort is working at all, write a rule that looks
>     for everything:
> 
>     alert ip any any -> any any (msg:"Testing for detection capability";
>     sid:1000001; rev:1;)
> 
>     Don't even bother editing sid-msg.map.  All you care about is seeing
>     that alerts are being generated.  Depending upon your traffic, this
>     could generate a ton of alerts in short order, so be prepared to
>     shut down snort before you get overwhelmed.
> 
>     What are you using to view the alerts?
> 
>     -- 
>     Paul Schmehl
>     As if it wasn't already obvious,
>     my opinions are my own and not
>     those of my employer.
> 
> 
> 
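Jason's question about the span/mirror port is the crux of the thread: on a switched network the sniffing NIC receives only its own unicast traffic plus broadcasts, so even an `any any -> any any` rule alerts on nothing else, and the ping between two other PCs never reaches Snort. The following is an added example of mine, not code from the thread or from the Snort project: it sorts constructed (src, dst) address pairs by that criterion using the poster's HOME_NET; the sensor IP 172.18.64.10 and the sample addresses are assumptions.

```python
# Added example (not from the thread): classify packet address pairs the way
# the thread's diagnosis suggests, to tell whether the sniffing interface sees
# unicast traffic between *other* hosts (a working SPAN/mirror port or tap) or
# only the sensor's own traffic plus broadcasts (a plain switched port).
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("172.18.64.0/19")   # from the poster's snort.conf

def classify(src, dst, my_ip):
    """Return 'own', 'broadcast', 'multicast' or 'third-party' for one packet."""
    s, d, me = ip_address(src), ip_address(dst), ip_address(my_ip)
    if s == me or d == me:
        return "own"
    if d == HOME_NET.broadcast_address or d == ip_address("255.255.255.255"):
        return "broadcast"
    if d.is_multicast:
        return "multicast"
    return "third-party"

def span_port_check(packets, my_ip):
    """Count packets per class and report whether mirrored traffic is visible."""
    counts = {"own": 0, "broadcast": 0, "multicast": 0, "third-party": 0}
    for src, dst in packets:
        counts[classify(src, dst, my_ip)] += 1
    # Unicast traffic between two other hosts only reaches the sensor through
    # a hub, a SPAN/mirror port or a tap; a normal switch port never shows it.
    return counts, counts["third-party"] > 0

# Constructed sample: what a sniffer on an ordinary switched port sees.
SWITCHED_SAMPLE = [
    ("172.18.64.10", "172.18.64.1"),      # sensor -> gateway
    ("172.18.64.1", "172.18.64.10"),      # gateway -> sensor
    ("172.18.64.55", "172.18.95.255"),    # subnet-directed broadcast
    ("172.18.64.55", "255.255.255.255"),  # limited broadcast
]
# Constructed sample: the same port after the switch mirrors traffic to it.
MIRRORED_SAMPLE = SWITCHED_SAMPLE + [
    ("172.18.64.20", "172.18.64.30"),     # ping between two other PCs
    ("172.18.64.30", "172.18.64.20"),     # and the echo reply
]

if __name__ == "__main__":
    for name, pkts in (("switched", SWITCHED_SAMPLE), ("mirrored", MIRRORED_SAMPLE)):
        counts, visible = span_port_check(pkts, "172.18.64.10")
        print(name, counts, "third-party traffic visible:", visible)
```

If a real capture shows only the first two classes, the fix is at the switch (configure a mirror port) rather than in snort.conf.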