[Snort-users] Need help with base

Nick Moore nmoore at ...1935...
Fri Mar 26 06:52:48 EDT 2010


What is your source of traffic? Are you plugged into a switch? If a  
switch port is not SPAN'ed, you will not see interesting traffic.

You can double check your traffic source by running snort in sniffer  
mode to output to your console. If you do not see workstations other  
than your own using TCP/UDP connections at ports 25, 53, 80, 110, 135,  
138, 139, 443, 445... you may be connected to a switch port and will  
only see ARP and other broadcast traffic.

For Snort or any IDS to work well, you need a traffic source on a  
shared network medium, such as a hub, a SPAN port from a switch, or a network  
tap between two network devices, e.g. a switch and a firewall.

Hope this helps.

Sent from my mobile device.

Nick Moore
Phone 708-336-9041
Email nmoore at ...14707...

On Mar 25, 2010, at 22:40, Kum Weng Luey <kumwengluey at ...11827...> wrote:

> Hi all,
> I am new to snort and currently running snort with barnyard and  
> base. I ran into something weird. BASE does not show TCP or UDP  
> protocols; only ICMP is displayed. I have also gone into the mysql  
> database and noticed that tcphdr and udphdr are not logged. Is  
> there any reason why?
> Would appreciate any help.
> KW
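Nick's sniffer-mode check, turned into a script as an added example (not code from this thread or from the Snort project): it parses constructed `snort -v` output and reports whether any TCP/UDP unicast flows were seen that do not involve the sensor's own host, which is the sign that a SPAN, tap or hub is actually feeding you other workstations' traffic. The sensor IP, the local subnet and the sample lines are assumptions.

```python
import ipaddress
import re

# Constructed sample of "snort -v" sniffer output (not a real capture). Each packet
# prints a header line "<time> <src>[:port] -> <dst>[:port]" followed by a protocol line.
UNMIRRORED_SAMPLE = """\
03/26-06:40:01.100000 192.168.1.10:52000 -> 93.184.216.34:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
03/26-06:40:01.200000 192.168.1.10:137 -> 192.168.1.255:137
UDP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:78
03/26-06:40:01.300000 ARP who-has 192.168.1.1 tell 192.168.1.10
"""
# Same capture plus one flow between two other workstations (what a SPAN port shows).
MIRRORED_SAMPLE = UNMIRRORED_SAMPLE + """\
03/26-06:40:01.400000 192.168.1.20:49152 -> 192.168.1.30:445
TCP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:52 DF
"""

HDR = re.compile(
    r"^\d\d/\d\d-[\d:.]+ (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?$"
)


def conversations(output):
    """Yield (src, dst, proto) for every IP packet header in snort -v output."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        m = HDR.match(line)
        if not m:
            continue  # ARP and continuation lines carry no IP header
        proto = lines[i + 1].split()[0] if i + 1 < len(lines) else "?"
        yield ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)), proto


def third_party_flows(output, own_ip, local_net):
    """TCP/UDP unicast flows that involve neither the sensor host nor broadcast/multicast."""
    own = ipaddress.ip_address(own_ip)
    net = ipaddress.ip_network(local_net)
    flows = set()
    for src, dst, proto in conversations(output):
        if proto not in ("TCP", "UDP") or own in (src, dst):
            continue
        if dst.is_multicast or dst == net.broadcast_address or str(dst) == "255.255.255.255":
            continue
        flows.add((str(src), str(dst), proto))
    return flows


def port_looks_mirrored(output, own_ip, local_net):
    """True if other hosts' unicast traffic was seen, i.e. the SPAN/tap/hub is working."""
    return bool(third_party_flows(output, own_ip, local_net))
```

Run it against a minute or two of real `snort -v -i <iface>` output saved to a file; an empty result means you are most likely on a plain, non-mirrored switch port.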
