[Snort-users] Snort Sensors do not appear to be detecting what they should

Y M snort at ...15979...
Wed Mar 11 16:25:47 EDT 2015



> From: michael.jacobi1 at ...7622...
> To: snort-users at lists.sourceforge.net
> Date: Wed, 11 Mar 2015 18:42:41 +0000
> Subject: [Snort-users] Snort Sensors do not appear to be detecting what they should
> 
> I have been recently asked to start working with the Snort installation at my site (Snort 2.9.6.2, Barnyard, BASE).  Based on what alerts I am seeing, I feel that the system is not detecting what it should be finding.  For example, the sensor that is facing my ISP has fewer than 20 detects in the last few days,
# Taking a very wild guess here, this may have to do with which rules and preprocessors are enabled/disabled, and preprocessor configurations. Which current rules policy are you using?
> and I am seeing events on sensors that I know should be passing by other sensors, but I do not see a correlation in the detects between the sensors.

# Are all the sensors configured the same? If yes, then I would attempt sampling the traffic at each sensor by capturing packets and comparing the traffic, as there may be ACLs at each hop, TTLs, etc.
> 
> I have had prior IDS experience, but I just started attempting to work with Snort.  I would appreciate what help you can give me to work toward making this system more functional.  Pointers to FAQs and other online resources are always helpful.
> 
> Thanks!
> 
> Mike Jacobi
> 
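Two checks that follow from the reply above, written here as an added example (not part of this thread and not Snort's own code): the first counts how many rules in a rules file are actually enabled versus commented out, which is the quickest way to see whether a sensor's policy is as thin as the alert volume suggests; the second parses alert_fast output from two sensors and reports which (protocol, endpoints, sid) flows were seen on both, only on the edge sensor, or only on the internal sensor. The rule lines, alert lines, sensor names and addresses are all constructed for the example.

```python
"""Sanity checks for a multi-sensor Snort deployment (added example).

count_rules()  - enabled vs. disabled sids in a Snort rules file
correlate()    - alerts seen on one sensor but not the other (alert_fast format)
"""
import re

# Constructed sample of a local.rules file: two enabled, two commented out.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP test"; sid:1000001; rev:1;)
# alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 \\
    (msg:"LOCAL HTTP"; sid:1000003; rev:1;)
#alert udp any any -> any 53 (msg:"LOCAL DNS"; sid:1000004; rev:1;)
"""

# Constructed alert_fast lines from a hypothetical ISP-facing sensor ("edge")
# and a hypothetical sensor further inside ("internal").
EDGE_ALERTS = """\
03/11-16:25:47.123456  [**] [1:1000001:1] LOCAL ICMP test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.20
03/11-16:26:02.000100  [**] [1:1000003:1] LOCAL HTTP [**] [Priority: 3] {TCP} 203.0.113.9:40001 -> 198.51.100.20:80
"""
INTERNAL_ALERTS = """\
03/11-16:25:47.200000  [**] [1:1000001:1] LOCAL ICMP test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.20
03/11-16:27:10.000100  [**] [1:1000003:1] LOCAL HTTP [**] [Priority: 3] {TCP} 192.0.2.44:51000 -> 198.51.100.20:80
"""

# A rule line is an optional leading "#" (disabled), an action keyword, then
# options containing "sid:N;".  Comments that are not rules never match.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+\S+.*?"
    r"\bsid:\s*(?P<sid>\d+)\s*;"
)

# alert_fast: "MM/DD[/YY]-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def count_rules(text):
    """Return (enabled_sids, disabled_sids) for the text of one rules file."""
    enabled, disabled = set(), set()
    # Snort allows backslash line continuation; join those first.
    for line in text.replace("\\\n", " ").splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            (disabled if m.group("disabled") else enabled).add(int(m.group("sid")))
    return enabled, disabled


def parse_fast_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]


def flow_key(ev):
    """Direction-agnostic key so the same flow seen at two taps compares equal.
    Note: if NAT sits between the sensors the endpoints will differ; then
    compare on (sid, timestamp window) instead of this key."""
    a, b = sorted((ev["src"], ev["dst"]))
    return (ev["proto"], a, b, int(ev["sid"]))


def correlate(alerts_a, alerts_b):
    """Split flows into those seen on both sensors and those seen on only one."""
    ka = {flow_key(e) for e in parse_fast_alerts(alerts_a)}
    kb = {flow_key(e) for e in parse_fast_alerts(alerts_b)}
    return {"both": ka & kb, "only_a": ka - kb, "only_b": kb - ka}


if __name__ == "__main__":
    enabled, disabled = count_rules(SAMPLE_RULES)
    print(f"rules enabled: {len(enabled)}  disabled: {len(disabled)}")
    for name, flows in correlate(EDGE_ALERTS, INTERNAL_ALERTS).items():
        print(name, sorted(flows))
```

Run the rule counter over every file your snort.conf includes (the `include` lines, plus anything pulled in by Pulled Pork or a similar tool), and validate the whole configuration with `snort -T -c /etc/snort/snort.conf` before trusting the count. Flows that land in `only_b` are the ones the ISP-facing sensor should have seen but did not, which is where the packet sampling suggested above (tcpdump on each sensor's monitoring interface for the same window) tells you whether the packets reached the tap at all.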