[Snort-users] Need help with base

Kum Weng Luey kumwengluey at ...11827...
Fri Mar 26 21:53:37 EDT 2010


Hi Nick,

Thanks for the heads up. Yes, i am just connected to a switch port which is
not span'ed. I do see traffic from other workstations and manage to log ICMP
transactions that are not of my workstation. I would try spanning the
traffic from the port leading to my firewall and see what traffic i would be
getting.

Thank you so much for the help.

KW

On Fri, Mar 26, 2010 at 6:52 PM, Nick Moore <nmoore at ...1935...> wrote:

> KW,
>
> What is your source of traffic? Are you plugged into a switch? If a switch
> port is not SPAN'ed, you will not see interesting traffic.
>
> You can double check your traffic source by running snort in sniffer mode
> to output to your console. If you do not see workstations other than your
> own using TCP/UDP connections at ports 25, 53, 80, 110, 135, 138, 139, 443,
> 445... you may be connected to a switch port and will only see ARP and other
> broadcast traffic.
>
> For Snort or any IDS to work well, you need a traffic Source in a shared
> network medium, such as a hub, SPAN from a switch or network tap between two
> network devices, e.g. a switch and a firewall.
>
> Hope this helps.
>
> Sent from my mobile device.
>
> Nick Moore
> Phone 708-336-9041
> Email nmoore at ...14707...
>
>
>
> On Mar 25, 2010, at 22:40, Kum Weng Luey <kumwengluey at ...11827...> wrote:
>
>  Hi all,
>>
>> I am new to snort and currently running snort with barnyard and base. I
>> ran into something weird. BASE does not show TCP or UDP protocols only ICMP
>> is displayed. I have also went into mysql database and also noticed that
>> tcphdr and udphdr are not logged. Is there any reason why?
>>
>> Would appreciate any help..
>> KW
>>
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100327/83a481b6/attachment.html>


More information about the Snort-users mailing list