[Snort-users] Snort isn't alerting on some IPs

wkitty42 at ...14940... wkitty42 at ...14940...
Sun Dec 18 10:07:18 EST 2016


On 12/17/2016 07:18 PM, Nouar Ismail wrote:
> Hello,
> I installed and configured Snort on Windows and installed the latest Snort rules
> set.
> I have a tcpdump file that contains suspicious ICMP traffic from source IP 1.2.3.4
> but Snort did not alert on it.
> I added my own rule in local rules: alert icmp 1.2.3.4 any -> any any (msg:
> "possible pod attack" ; sid:10000001; )
> but it also did not alert on it.
> I also tried: alert ip 1.2.3.4 any -> any any (msg: "possible pod attack" ;
> sid:10000001; ) and it still did not alert.
> Does anyone have any idea about this? Please, it's urgent.

you haven't posted your command line or your config file...
https://snort.org/faq/how-do-i-ask-a-good-question-on-the-snort-list

eWAG: add "-k none" to your command line sans quotes...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
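
Background to the "-k none" suggestion, as an added example that is not part of the original thread: Snort's -k option sets the checksum mode, and "none" turns checksum verification off, so packets recorded with invalid checksums are no longer skipped. The Python sketch below recomputes the IPv4 and ICMP checksums of a raw packet to show whether a captured packet is in that state. The packet bytes, the 10.0.0.5 destination and all function names are constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; the checksum field must be zeroed first."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_ipv4_icmp(pkt: bytes) -> dict:
    """Compare stored and recomputed checksums of a raw IPv4 packet carrying ICMP."""
    if pkt[0] >> 4 != 4 or pkt[9] != 1:
        raise ValueError("not an IPv4/ICMP packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    hdr, icmp = pkt[:ihl], pkt[ihl:total_len]
    ip_stored = struct.unpack("!H", hdr[10:12])[0]
    icmp_stored = struct.unpack("!H", icmp[2:4])[0]
    ip_calc = inet_checksum(hdr[:10] + b"\x00\x00" + hdr[12:])
    icmp_calc = inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    return {"ip_ok": ip_stored == ip_calc, "icmp_ok": icmp_stored == icmp_calc}

def build_echo(src: str, dst: str, payload: bytes, fix_checksums: bool) -> bytes:
    """Constructed sample: ICMP echo request, with valid or zeroed checksums."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    if fix_checksums:
        icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
        hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp

if __name__ == "__main__":
    # Constructed packets: one as sent on the wire, one as often seen in a
    # capture taken on a host that leaves checksums to the network card.
    for label, fixed in (("valid checksums", True), ("zeroed checksums", False)):
        pkt = build_echo("1.2.3.4", "10.0.0.5", b"A" * 32, fixed)
        print(label, check_ipv4_icmp(pkt))
```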



