[Snort-users] Packets being alerted with other hosts, but not the localhost with Snort on it

wkitty42 at windstream.net wkitty42 at windstream.net
Sun Sep 9 04:31:59 EDT 2018


On 09/08/2018 07:18 PM, John Byrne via Snort-users wrote:
> Hi Everyone,
> 
> I’ve spent all day on this and I can’t find the problem.  I’m sure it’s got to 
> be a configuration issue, but I can’t find it.  I’m having a problem with snort 
> detecting packets being sent out of the host that snort is running on.  The 
> other hosts create an alert fine, just not the snort host.  Is there some sort 
> of localhost configuration setting I’m missing somewhere?


ummm... localhost is not included in $HOME_NET and the only rule i see enabled 
that might catch localhost originated packets is your 10000024 but you've 
limited it to IGMP so...

with that, yes and no, it is and is not a configuration error... it is if you 
expect localhost to be included in HOME_NET... it is not if you remember 
localhost is not covered by HOME_NET...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
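
The check discussed in this thread, as an added example that is not part of the original posts: it parses a flat `ipvar HOME_NET` definition and reports which of the sensor's own addresses it covers. The config excerpt and all addresses are constructed; nested lists and `$VAR` references are assumed not to be used.

```python
import ipaddress
import re

# Constructed snort.conf excerpt (not taken from the thread).
SAMPLE_CONF = """\
# snort.conf excerpt (constructed)
ipvar HOME_NET [192.168.10.0/24, !192.168.10.5, 10.1.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
"""

def parse_ipvar(conf_text, name):
    """Return (included, excluded) network lists for a flat ipvar/var definition."""
    pattern = r"^\s*(?:ipvar|var)\s+%s\s+(.+)$" % re.escape(name)
    m = re.search(pattern, conf_text, re.M)
    if m is None:
        raise KeyError(name)
    body = re.sub(r"\s+", "", m.group(1)).strip("[]")
    included, excluded = [], []
    for item in filter(None, body.split(",")):
        negated = item.startswith("!")
        item = item.lstrip("!")
        if item.startswith("$"):
            raise ValueError("variable references are not resolved: " + item)
        net = ipaddress.ip_network("0.0.0.0/0" if item == "any" else item, strict=False)
        (excluded if negated else included).append(net)
    if not included:
        # A list made only of negations matches everything except those entries.
        included.append(ipaddress.ip_network("0.0.0.0/0"))
    return included, excluded

def covered(addr, nets):
    """True if addr matches an included network and no excluded one."""
    included, excluded = nets
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in included) and not any(ip in n for n in excluded)

def report(conf_text, sensor_addrs, name="HOME_NET"):
    """Map each of the sensor's own addresses to whether the variable covers it."""
    nets = parse_ipvar(conf_text, name)
    return {addr: covered(addr, nets) for addr in sensor_addrs}

if __name__ == "__main__":
    # Constructed sensor addresses: loopback, an excluded host, a covered host.
    addrs = ["127.0.0.1", "192.168.10.5", "192.168.10.20"]
    for addr, ok in report(SAMPLE_CONF, addrs).items():
        print(f"{addr:15} {'in' if ok else 'NOT in'} HOME_NET")
```
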

