[Snort-users] Problem with Snort IDS

Al Lewis (allewi) allewi at ...589...
Sat Nov 12 07:30:30 EST 2016


Hello Marcio,


Sounds like you have a network problem and not a snort related one.

You need a way to divert/span the traffic TO the snort interface

or

Run snort inline so the traffic passes directly through the snort machine.


The device being in promiscuous mode doesn’t help with switched traffic (which doesn’t get copied to your snort interface). It just tells the interface to capture anything it sees.

In your case once the traffic is diverted/spanned it should work properly.


Hope this helps.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...

From: Marcio Demetrio Bacci <marciobacci at ...11827...>
Date: Friday, November 11, 2016 at 6:59 PM
To: 'snort-users' <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Problem with Snort IDS

Hi,

I have installed a Snort server (virtual machine) as IDS on Ubuntu 14-04 LTS.

I noticed that it only monitors the traffic directed to snort itself. When I execute a ping or portscan command from a host to another server on the network, it is not registered by snort.

It looks like the interface is not listening in promiscuous mode.

I am starting snort as follows:

/usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D


Does anyone have any idea what the problem is?

Regards,

Márcio
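
An added example, not part of the original thread: one way to check the diagnosis in the reply is to capture on the sensor interface with `tcpdump -e -n` and classify frames by destination MAC. If only frames to or from the sensor and broadcast/multicast frames show up, the switch is not mirroring traffic to that port. The MAC addresses, IP addresses, capture lines and function names below are constructed for illustration.

```python
import re

# Link-level header as printed by `tcpdump -e -n`: <time> <src> > <dst>, ethertype ...
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME_RE = re.compile(rf"^\S+\s+(?P<src>{MAC}) > (?P<dst>{MAC}),", re.IGNORECASE)

SENSOR_MAC = "52:54:00:aa:bb:01"  # constructed: MAC of the Snort sensor's interface
# Constructed capture lines: what the sensor sees on a switched port without a SPAN.
UNMIRRORED = [
    "07:30:30.000001 52:54:00:aa:bb:02 > 52:54:00:aa:bb:01, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 192.0.2.5: ICMP echo request",
    "07:30:30.000090 52:54:00:aa:bb:01 > 52:54:00:aa:bb:02, ethertype IPv4 (0x0800), length 98: 192.0.2.5 > 192.0.2.10: ICMP echo reply",
    "07:30:31.000000 52:54:00:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.20 tell 192.0.2.10",
]
MIRRORED = UNMIRRORED + [  # same port once host-to-host traffic is mirrored to it
    "07:30:32.000000 52:54:00:aa:bb:02 > 52:54:00:aa:bb:03, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 192.0.2.20: ICMP echo request",
]

def is_group_address(mac):
    """Broadcast/multicast: the I/G bit (lowest bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1

def classify(lines, sensor_mac):
    """Count frames by relation to the sensor; 'transit' is unicast between other hosts."""
    counts = {"to_sensor": 0, "from_sensor": 0, "group": 0, "transit": 0, "unparsed": 0}
    sensor_mac = sensor_mac.lower()
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if not m:
            counts["unparsed"] += 1
            continue
        src, dst = m["src"].lower(), m["dst"].lower()
        if src == sensor_mac:
            counts["from_sensor"] += 1
        elif dst == sensor_mac:
            counts["to_sensor"] += 1
        elif is_group_address(dst):
            counts["group"] += 1  # flooded by the switch to every port, proves nothing
        else:
            counts["transit"] += 1
    return counts

def sees_mirrored_traffic(counts):
    """Unicast frames between other hosts only reach the sensor via a SPAN/tap/inline path."""
    return counts["transit"] > 0

if __name__ == "__main__":
    for label, lines in (("unmirrored", UNMIRRORED), ("mirrored", MIRRORED)):
        c = classify(lines, SENSOR_MAC)
        print(label, c, "mirrored traffic visible:", sees_mirrored_traffic(c))
```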