[Snort-users] Snort only produces Steam5 alerts

James Lay jlay at ...13475...
Fri Sep 27 21:54:30 EDT 2013


On Sep 27, 2013, at 7:50 PM, Joe Seanor <joseph.seanor at ...11827...> wrote:

> James,
> 
> Thanks for the reply.
> 
> Home_Net is: 192.168.0.12 (I am only protecting a single box with this)
> External_Net is:  !$HOME_NET
> 
> Ruleset, I ran pulledpork with my oinkcode and I did nothing to modify any of the rules in the snort.rules file.  I checked the file and found rules that were active and rules that were commented out.
> 
> I wonder if it is part of my install, since another time I had something similar, I wiped the box, reinstalled and it worked that time.  I went and did my new install plan, which had Qmailrocks installed first, then Snort, and all the other items.  And I am finding the issues with Snort only alerting on the one alert.
> 
> Joe
> 
> 
> On Fri, Sep 27, 2013 at 7:54 PM, James Lay <jlay at ...13475...> wrote:
> 
> On Sep 27, 2013, at 2:24 PM, Joe Seanor <joseph.seanor at ...11827...> wrote:
> 
>> I have a new install of snort:
>> 
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>>            Using libpcap version 1.4.0
>>            Using PCRE version: 8.30 2012-02-04
>>            Using ZLIB version: 1.2.7
>> 
>> 
>> And it has run for a full 24 hours, and the only alert (50 of them) that I have is stream5: Reset outside window.  I even ran an external Nmap scan, and I received a "Portscan alert" and then everything else showed up as a stream5 alert.
>> 
>> What did I miss in my configuration?
>> 
>> Joe
>> 
>> 
> 
> What rulesets have you enabled, and what do your home_net and external_net look like?
> 
> James
> 

How big is that snort.rules file?  Mine is about 16 megs.
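The three things asked about in this thread (which rules are actually active in snort.rules, what HOME_NET and EXTERNAL_NET are set to, and how large the rules file is) can be checked mechanically. The script below is an added example for that purpose; it is not code from the thread, from pulledpork or from the Snort project. It assumes snort.rules uses the usual one-rule-per-line layout where pulledpork disables a rule by commenting it out with a leading `#`, and that the network variables are set with `ipvar`/`var` lines in snort.conf. The embedded rule lines and conf fragment are constructed samples, not real VRT rules; the file paths are command-line arguments.

```python
import re
import sys
from pathlib import Path

# Constructed sample in the shape pulledpork writes to snort.rules.
# These are made-up rules for illustration, not real Snort VRT rules.
SAMPLE_RULES = """\
# generated by pulledpork (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh probe"; flow:to_server,established; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE disabled by policy"; sid:1000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"SAMPLE dns lookup"; sid:1000003; rev:1;)
#alert ip any any -> any any (msg:"SAMPLE also disabled"; sid:1000004; rev:1;)
"""

# Constructed snort.conf fragment using the values given in the thread.
SAMPLE_CONF = """\
ipvar HOME_NET 192.168.0.12
ipvar EXTERNAL_NET !$HOME_NET
"""

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
# A rule line starts with an action keyword; an optional leading '#' marks it disabled.
RULE_RE = re.compile(r"^(?P<disabled>#\s*)?(?P<action>%s)\s" % "|".join(ACTIONS))
SID_RE = re.compile(r"\bsid:\s*(\d+)")
VAR_RE = re.compile(r"^(?:ipvar|var)\s+(HOME_NET|EXTERNAL_NET)\s+(\S+)")


def summarize_rules(text):
    """Count active and commented-out rules and collect the active SIDs."""
    active, disabled, sids = 0, 0, []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # blank line or an ordinary comment, not a rule
        if m.group("disabled"):
            disabled += 1
            continue
        active += 1
        s = SID_RE.search(raw)
        if s:
            sids.append(int(s.group(1)))
    return {"active": active, "disabled": disabled, "sids": sids}


def check_net_vars(conf_text):
    """Return the HOME_NET/EXTERNAL_NET values found and a list of problems."""
    found, problems = {}, []
    for line in conf_text.splitlines():
        m = VAR_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    for name in ("HOME_NET", "EXTERNAL_NET"):
        if name not in found:
            problems.append(f"{name} is not defined")
    # HOME_NET any with EXTERNAL_NET !$HOME_NET leaves EXTERNAL_NET empty,
    # so every $EXTERNAL_NET -> $HOME_NET rule can never match.
    if found.get("HOME_NET") == "any" and found.get("EXTERNAL_NET") == "!$HOME_NET":
        problems.append("EXTERNAL_NET is the negation of 'any' and matches nothing")
    return found, problems


def diagnose(rules_text, conf_text):
    """Run both checks and add a verdict on whether any rules are active at all."""
    summary = summarize_rules(rules_text)
    nets, problems = check_net_vars(conf_text)
    if summary["active"] == 0:
        problems.append("no active rules: every rule line is commented out")
    return summary, nets, problems


if __name__ == "__main__":
    if len(sys.argv) == 3:
        rules_path, conf_path = Path(sys.argv[1]), Path(sys.argv[2])
        rules_text = rules_path.read_text(errors="replace")
        conf_text = conf_path.read_text(errors="replace")
        print(f"{rules_path}: {rules_path.stat().st_size / 1e6:.1f} MB")
    else:
        rules_text, conf_text = SAMPLE_RULES, SAMPLE_CONF
    summary, nets, problems = diagnose(rules_text, conf_text)
    print(f"active rules: {summary['active']}, disabled rules: {summary['disabled']}")
    print(f"net vars: {nets}")
    for p in problems or ["no obvious configuration problem found"]:
        print(" -", p)
```

Run it as `python3 check_rules.py /etc/snort/rules/snort.rules /etc/snort/snort.conf` (paths assumed); with no arguments it runs over the constructed samples. A rules file in the size range mentioned in the thread with only a handful of active rules, or a HOME_NET/EXTERNAL_NET pair that cancels out, would explain seeing nothing beyond preprocessor (stream5, portscan) events.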
