[Snort-users] only alerts on incoming traffic.

Matt Watchinski mwatchinski at ...1935...
Tue Feb 24 15:18:00 EST 2009


I'm guessing you're running snort on the same system you are generating
the outgoing traffic?

If so, try running with "-k none"

Cheers,
-matt

On Tue, Feb 24, 2009 at 2:37 PM, jkv <jkv at ...8462...> wrote:
> Hi,
>
> I'm having trouble getting snort to trigger rules on outgoing
> connections; inbound connections work just fine.
> For debugging this issue I have disabled all my normal rules and made a
> few debug rules:
>
> alert tcp any any -> 90.185.105.45 25 (msg:"DEBUG: SMTP INCOMMING"; sid:22222222;)
> alert tcp 90.185.105.45 any -> any 25 (msg:"DEBUG: SMTP OUTGOING"; sid:11111111;)
>
> (90.185.105.45 is my static IP; normally I use HOME_NET for this but
> since I am debugging I have hardcoded the IP in the rules)
>
> With these two rules I get snort alerts if I generate port 25 from a
> remote server to my server - so far so good. But if I initiate a port 25
> connection from my server to some remote smtp server I don't get any
> snort alerts.
>
> Anyone got any ideas about why this is happening?
>
> Regards,
> jkv



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
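
Added example, not part of the original message or of Snort's code: when Snort sniffs on the host that sends the traffic, checksum offload can leave outgoing segments with an unfinished TCP checksum at capture time, and Snort's default checksum mode does not inspect packets whose checksum fails, which is the check "-k none" turns off. The Python sketch below models that check; the addresses, ports and the would_inspect helper are constructed for illustration.

```python
import socket
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum (folded, not inverted)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def build_syn(src, dst, sport, dport, offloaded):
    """Constructed 20-byte SYN. With offloaded=True the checksum field holds only
    the pseudo-header sum, modelling a stack that leaves the rest to the NIC."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ph = pseudo(src, dst, len(hdr))
    field = csum16(ph) if offloaded else (~csum16(ph + hdr) & 0xFFFF)
    return hdr[:16] + struct.pack("!H", field) + hdr[18:]

def tcp_checksum_ok(src, dst, segment):
    """A valid segment sums to 0xFFFF together with its pseudo-header."""
    return csum16(pseudo(src, dst, len(segment)) + segment) == 0xFFFF

def would_inspect(src, dst, segment, checksum_mode="all"):
    """Simplified model of the -k setting: 'none' and 'notcp' skip TCP checksum
    verification; otherwise a segment with a bad checksum never reaches the rules."""
    if checksum_mode in ("none", "notcp"):
        return True
    return tcp_checksum_ok(src, dst, segment)

# Constructed sample: documentation addresses, connections to port 25.
HOME, REMOTE = "192.0.2.10", "198.51.100.25"
INBOUND = build_syn(REMOTE, HOME, 40000, 25, offloaded=False)  # arrives fully checksummed
OUTBOUND = build_syn(HOME, REMOTE, 40000, 25, offloaded=True)  # captured before the NIC finishes it

if __name__ == "__main__":
    for name, (s, d, seg) in {"inbound": (REMOTE, HOME, INBOUND),
                              "outbound": (HOME, REMOTE, OUTBOUND)}.items():
        print(name, "default:", would_inspect(s, d, seg),
              "| -k none:", would_inspect(s, d, seg, "none"))
```

On a sensor that sees traffic from other hosts, keeping verification on avoids alerting on segments the receiver would discard.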



