[Snort-users] Snort only alert about traffic with an specific IP

Berta Alcala berta83 at ...11827...
Fri May 30 06:52:22 EDT 2008

Hi Rmkml,

I've received some emails from you. In one of them you say that I can try
with "-k none" option to disable checksum. I have installed snort as a
windows service with this command:

snort /SERVICE /INSTALL -dev -c c:\snort\etc\snort.conf -l c:\snort\log -i2
-k none

But everything is the same.

In other email you say that I have enabled stream5 in snort.conf, it's true,
but I don't know if it is compiled in the snort binary (and I don't know I
can do it).

I sent you and email with the output you asked me (salida.log).
I haven't received anything else.


2008/5/30 rmkml <rmkml at ...953...>:

> Hi Berta,
> Im answered your questions, do you have received my email ?
> Regards
> Rmkml
> On Fri, 30 May 2008, Berta Alcala wrote:
>  Date: Fri, 30 May 2008 10:12:39 +0200
>> From: Berta Alcala <berta83 at ...11827...>
>> To: Jason Brvenik <jasonb at ...1935...>
>> Cc: snort <snort-users at lists.sourceforge.net>,
>>    Paul Schmehl <pschmehl_lists_nada at ...14358...>
>> Subject: Re: [Snort-users] Snort only alert about traffic with an specific
>> IP
>> Thank you very much for your help.
>> I can not access to the switch I'm connected to, so I don't know how it is
>> configurated. I will try to get access to the switch.
>> I'm doing a degree essay at the University and the most important thing
>> for me is to know why something doesn't work, if the problem is the switch
>> that is
>> enought for me. But what I really need to know is why some rules work and
>> why others don't.
>> If you use this rule, does it work for you? why not for me??
>> alert tcp $HOME_NET any -> any 1863 (msg:"CHAT MSN logout"; flags:PA+;
>> content:"OUT"; classtype:policy-violation; sid:1000009; rev:1;)
>> I have no problem with a rule to alert about MSN login, that is similar
>> but with content LoginTime" instead of "OUT"
>> Or this other one form info.rules ("INFO FTP no password", with sid:489,
>> works for me):
>> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login";
>> flow:from_server,established; content:"530 ";
>> pcre:"/^530\s+(Login|User)/smi";
>> classtype:bad-unknown; sid:491; rev:8;)
>> There are many rules that don't work. I suppose the problem has to be in
>> snort.conf file.
>> 2008/5/29 Jason Brvenik <jasonb at ...1935...>:
>>      Are you monitoring a span or mirror port?
>>      Berta Alcala wrote:
>>            Hi,
>>            I tried with this rule (only this rule, the rest were commented
>> in snort.conf):
>>            alert tcp any any -> any any (msg:"TCP traffic";sid:1000011;
>> rev:1;)
>>            The only alerts registered are those which have my IP (source
>> or destination). Using Ethereal I only see traffic with my IP as source,
>>            or destination, or broadcast traffic. I can not see a ping
>> command between two others PCs with Ethereal, neither with Snort (I attach a
>>            pcap file)
>>            I have this information in snort.conf:
>> var HOME_NET <>
>> var EXTERNAL_NET any
>> Snort is installed as a Windows service with this command line:
>> snort /SERVICE /INSTALL -dev -c c:\Snort\etc\snort.conf -l c:\Snort\log
>> -i2
>> I use Windows XP+Snort 2.7+Base
>> Jason, How can I disable checksum?
>> 2008/5/27 Paul Schmehl <pschmehl_lists at ...14358... <mailto:
>> pschmehl_lists at ...14358...>>:
>>    Thousands of security professionals worldwide are using snort
>>    successfully. So, you can start with the safe assumption that the
>>    problem isn't snort.
>>    Whether or not snort alerts on traffic is entirely dependent upon
>>    two things:
>>    1) Traffic is passing the interface that snort is listening on
>>    2) You have snort properly configured to see that traffic.
>>    If you've convinced yourself, using Ethereal, that traffic *is*
>>    being seen on that interface, then that narrows the problem down to
>>    your configuration of snort.
>>    What have you defined $HOME_NET as?
>>    What have you defined $EXTERNAL_NET as?
>>    What rules have you enabled in snort.conf?
>>    What's your startup options for snort (what interface, where do you
>>    log, etc.)?
>>    To quickly see if snort is working at all, write a rule that looks
>>    for everything:
>>    alert ip any any -> any any (msg:"Testing for detection capability";
>>    sid:1000001; rev:1;)
>>    Don't even bother editing sid-msg.map.  All you care about is seeing
>>    that alerts are being generated.  Depending upon your traffic, this
>>    could generate a ton of alerts in short order, so be prepared to
>>    shut down snort before you get overwhelmed.
>>    What are you using to view the alerts?
>>    --    Paul Schmehl
>>    As if it wasn't already obvious,
>>    my opinions are my own and not
>>    those of my employer.
>> ------------------------------------------------------------------------
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Microsoft
>> Defy all challenges. Microsoft(R) Visual Studio 2008.
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>> ------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080530/7a8a108f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: salida.log
Type: application/octet-stream
Size: 139762 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080530/7a8a108f/attachment.obj>

More information about the Snort-users mailing list