[Snort-users] BASE 100% TCP ?

Mike Miller mike at ...16027...
Tue Mar 12 14:47:28 EDT 2013


I've seen similar behavior when using a SPAN port on a core switch that wasn't properly configured and/or the interface isn't in promiscuous mode.

If you run a tcpdump across the interface, does it look 'firehose-y' to you? If you pull that output into Wireshark, how does it look?





On Mar 12, 2013, at 6:59 AM, Joao Daniel Neves <joaodanielnevesss at ...125...> wrote:

> Snort Enthusiasts,
> 
> I have deployed a Snort with BASE as a GUI. I have attached the BASE main screen to this e-mail. If you can't see this jpg, I have also uploaded it to this site: http://servicos.cafecomchips.com.br/Novo/Upload/Exibir_Foto.php?foto=b34243fef3.png
> 
> My doubt is about something in the BASE main screen. As you can see, all my traffic is TCP, and I haven't any alerts for port scanner. I don't even have any UDP traffic, which is very strange since there are DNS queries going out the interface that Snort is listening on.
> 
> What can explain it?
> 
> Furthermore, I have run a port scanner against this Snort and it seems that it did not catch it*
> 
> *This Snort was deployed on a firewall machine and I ran the port scanner against the same interface that Snort is listening on, from an outside machine.
> 
> 
