[Snort-users] Snort not alerting although tcpdump shows packet
Al Lewis (allewi)
allewi at ...589...
Fri Apr 17 09:08:54 EDT 2015
See the manual on IDS mode: http://manual.snort.org/node6.html
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
From: Kumarswamy H N (kumhn)
Sent: Friday, April 17, 2015 8:06 AM
To: Gaurav Srivastava; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort not alerting although tcpdump shows packet
Snort will only alert if your traffic matches one of the Snort rules whose action is set to alert. So you must provide a configuration file that includes an appropriate rule to alert on your traffic. To start with, you can add a simple rule to snort.conf that matches your traffic, or enable the appropriate rule in protocol-icmp.rules.
From: Gaurav Srivastava [mailto:gaurav.srivastava7 at ...11827...]
Sent: Friday, April 17, 2015 5:16 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort not alerting although tcpdump shows packet
I have a strange issue. I am running snort to observe traffic mirrored from another VM.
But Snort is not alerting. To verify whether the packets are received or not, I did a tcpdump using the following command:
sudo tcpdump -w icmp.pcap -i eth0 icmp
And when I read the file with snort using the command below:
snort -r icmp.pcap
It displays the ICMP packet logs. But no alert was generated while snort was running.
Please suggest. I am stuck here.
Thanks and Regards,
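A minimal working setup for the advice in this thread, as an added example that is not from any of the posters: it writes a one-rule config that alerts on ICMP, checks that the rule carries a sid, and replays the poster's capture through it in IDS mode with -c (the option the original "snort -r icmp.pcap" command was missing). Assumed names: min-icmp.conf, the icmp.pcap file from the thread, interface eth0; Snort 2.x command-line flags.

```shell
#!/bin/sh
# Added example (not from the thread): minimal Snort 2.x IDS-mode check that alerts on
# the ICMP traffic the original poster captured. Assumed names: min-icmp.conf, icmp.pcap, eth0.
set -eu

# Write a one-rule config. Snort 2 accepts rule lines directly in the file passed to -c,
# so no full snort.conf and no preprocessors are needed to prove that alerting works.
# Local rules use sid >= 1000000 so they never collide with the official rule set.
write_icmp_conf() {
  cat > "$1" <<'EOF'
# constructed minimal rule set for this example
alert icmp any any -> any any (msg:"ICMP packet seen"; sid:1000001; rev:1;)
EOF
}

# Sanity check before starting Snort: every non-comment rule line must carry a sid,
# because Snort refuses to load a rule without one. Returns 0 when all rules pass.
conf_rules_have_sid() {
  ! grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev 'sid:[0-9]+;' | grep -q .
}

# Replay the capture from the thread through the rule set: -c selects the config,
# -A console prints alerts to the terminal, -q suppresses the banner and statistics.
check_on_pcap() {
  snort -q -c "$1" -A console -r "$2"
}

# Same rule set in live IDS mode on the mirror interface; -l sets the log directory.
run_live() {
  sudo snort -q -c "$1" -A console -i "$3" -l "$2"
}

# Only run Snort when it is installed and the capture is present; the functions
# above can be sourced and used on their own otherwise.
if command -v snort >/dev/null 2>&1 && [ -r icmp.pcap ]; then
  write_icmp_conf min-icmp.conf
  conf_rules_have_sid min-icmp.conf || { echo "rule without sid" >&2; exit 1; }
  check_on_pcap min-icmp.conf icmp.pcap
fi
```

Once the replay prints an alert for the pcap, start the same config live with run_live min-icmp.conf /var/log/snort eth0 and the mirrored ICMP should alert the same way.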