[Snort-users] Only seeing TCP Alerts

Matt Martin MMartin at ...16693...
Wed Jun 11 17:13:27 EDT 2014


Hello All,

I have recently gotten Snort 2.9.6.0 installed, along with Barnyard2, Oinkmaster, and BASE as the frontend.

When I open the web page on the server for BASE and view the home page, I only see TCP (100%) in the "Traffic Profile by Protocol". Everything else is showing 0%.
For example, I see:
    TCP (100%)
    UDP (0%)
    ICMP (0%)
    Portscan Traffic (0%)

I'm wondering why ALL the others are at 0%? Over the last 48 hours or so there has to have been some kind of UDP traffic, don't ya think?
I also attempted to run a portscan (using "nmap 10.60.114.0/24") on the whole ipvar configured for HOME_NET. But I don't think the Portscan part was picked up either...

If I check the MySQL database for snort, the "tcphdr" table has tons of data in it, but the "udphdr" table is completely empty. If I run "select * from udphdr", mysql returns "Empty set (0.00 sec)". So I'm not sure if I have snort configured correctly or not?

Are there any tests that anyone could suggest to help me figure out why UDP, ICMP and Portscan are not being picked up?
If you need to see my snort.conf, just let me know. If so, does the mailing list take attachments?

Any thoughts or suggestions would be much appreciated!

Thanks in Advance,
Matt
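One way to narrow this down, added here as an example and not code from the list or the Snort project: BASE's "Traffic Profile by Protocol" counts the alerts stored in the database, not the packets the sensor saw, so 0% UDP means either no UDP rule fired on the sensor or no UDP alert made it through Barnyard2 into the database. The script below parses Snort's fast-format alert output (constructed sample lines, including an sfportscan alert under generator id 122) and tallies it the same way, so the sensor's own output can be compared with the empty udphdr table; the function names and the "Portscan" bucketing are my own choices.

```python
import re
from collections import Counter

# Constructed sample of Snort "fast"-format alert lines (what -A fast or
# -A console emits); the {...} field is the IP protocol of the alerting packet.
SAMPLE_ALERTS = """\
06/11-16:02:11.402311  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.60.114.7:80 -> 10.60.114.20:51432
06/11-16:02:15.118004  [**] [1:1000001:1] LOCAL test icmp echo [**] [Priority: 0] {ICMP} 10.60.114.20 -> 10.60.114.1
06/11-16:02:19.770521  [**] [1:1000002:1] LOCAL test udp dns [**] [Priority: 0] {UDP} 10.60.114.20:53214 -> 10.60.114.1:53
06/11-16:02:20.000009  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.60.114.20 -> 10.60.114.9
"""

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

SFPORTSCAN_GID = 122  # generator id of the sfportscan preprocessor

def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
    return d

def protocol_profile(text):
    """Count alerts per protocol, per alert rather than per packet, which is
    what BASE's profile shows. sfportscan alerts go into a "Portscan" bucket."""
    counts = Counter()
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        bucket = "Portscan" if a["gid"] == SFPORTSCAN_GID else a["proto"]
        counts[bucket] += 1
    return counts

def diagnose(profile):
    """Say which stage to inspect next: "sensor" if Snort itself raised only TCP
    alerts (UDP/ICMP rules or sfportscan never fired), "pipeline" if other
    protocols are present here but the udphdr table is still empty (Barnyard2/DB)."""
    non_tcp = sum(v for k, v in profile.items() if k != "TCP")
    return "sensor" if non_tcp == 0 else "pipeline"
```

Run it against the real alert file written by the sensor (or the output of running snort with -A console) and compare the tally with what BASE reports.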
