[Snort-users] Question about SNORT Sensor Placement

Tue Dec 31 13:45:02 EST 2013

Hello group,

I know that you receive lots of questions on this topic.  But I think I 
have followed at least most of the suggestions, and have narrowed down 
to possibly a problem with the RULE set that I am using.  I recently 
installed Ubuntu and SNORT, following David Gullett's installation 
guide.  Everything appears to be working - except...

I designed my network exactly as described in the diagram of that guide. 
My ISP cable modem connects to a router, which connects to a switch 
(with a mirrored port).  My firewall is connected to this same switch; 
other end of the firewall connects my internal LAN.

The SNORT sensor is in the receiver port of the mirrored switch.  I have 
(using Wireshark) verified that this port is seeing *all* traffic coming 
and going to my internal network.  But I'm not getting any SNORT alerts. 
This is even after I ran complete NMAP scans of my network, both from 
within the internal LAN, and also from the segment where the SNORT 
sensor is located.  It seems that these scans should be generating 
thousands of alerts.

In order to make sure the installation is working I briefly implemented 
a local rule to alert on *all* traffic.  It generated about 5,000 hits 
within less than a minute.  So I think it's working properly.  I'm 
guessing the issue is with my rules?

Please let me know how I can troubleshoot this issue, to determine where 
the problem lies.  I'll be the first to admit I'm new to SNORT.

Thank you!
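A troubleshooting script, added here as an example that is not part of the original message or of the Snort project: it reproduces the catch-all sanity rule described in the post, validates the configuration with `snort -T`, and replays a capture of the scan taken on the mirror port through the same configuration offline, which separates a sensor-side problem (sniffing interface, mirror port, HOME_NET) from a ruleset problem. It assumes Snort 2.x command-line flags, a Snort 2.9-style "N Snort rules read" line in the `-T` output, and the placeholder paths shown.

```shell
#!/bin/sh
# Added example, not from the original post. Isolates "sensor not seeing
# traffic" from "rules not matching" by replaying a mirror-port capture of the
# scan through the same snort.conf offline. Assumes Snort 2.x flags
# (-T, -c, -r, -A, -q); SNORT_CONF and LOCAL_RULES are placeholder paths.
set -eu

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOCAL_RULES="${LOCAL_RULES:-/etc/snort/rules/local.rules}"

# The catch-all sanity rule: one alert per IP packet. Use it only while testing,
# then remove it, or it buries real alerts. sid is in the local (>=1000000) range.
catchall_rule() {
    printf 'alert ip any any -> any any (msg:"SANITY catch-all"; sid:1000001; rev:1;)\n'
}

# Append the sanity rule to local.rules unless it is already there.
install_catchall() {
    grep -q 'sid:1000001;' "$LOCAL_RULES" 2>/dev/null || catchall_rule >> "$LOCAL_RULES"
}

# -T parses the config and every included rules file, then exits. A commented-out
# "include $RULE_PATH/local.rules" or a rule syntax error shows up here.
validate_config() {
    snort -T -c "$SNORT_CONF" 2>&1
}

# Extract the rule count from -T output ("3542 Snort rules read" in Snort 2.9;
# format assumed). Zero means no rules file was actually loaded.
rules_read_count() {
    awk '/Snort rules read/ { print $1; exit }'
}

# Count alerts in -A console output, where every alert line contains "[**]".
count_alerts() {
    grep -c '\[\*\*\]' || true
}

# Replay a pcap captured on the mirror port while the scan ran (for example
# tcpdump -i eth1 -w scan.pcap) through the same configuration. Alerts here but
# none live: check the sniffing interface, the mirror port and HOME_NET. No alerts
# here either: the ruleset or preprocessor setup is at fault; port scans are
# reported by the sfportscan preprocessor (gid 122), not by ordinary rules, so
# confirm its "preprocessor sfportscan" line is enabled in snort.conf.
replay_alert_count() {
    snort -q -c "$SNORT_CONF" -r "$1" -A console 2>/dev/null | count_alerts
}

if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    echo "rules loaded: $(validate_config | rules_read_count)"
    echo "alerts on replay of $2: $(replay_alert_count "$2")"
fi
```

Run as `sh check_sensor.sh run scan.pcap` on the sensor; the functions are also usable one at a time from an interactive shell.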

