Snort mailing list archives
Re: Log questions
From: Martin Roesch <roesch () sourcefire com>
Date: Sat, 18 Aug 2001 21:11:39 -0400
Phil wrote:
> Martin (and everyone else)
>
> [snip]
>
> That in itself isn't a huge discovery, you probably know you built that into Snort. However, the interesting part is I cannot limit my dumps with snort on elxl0, but I can on ppp0. For example:
>
>     snort -dv -i ppp0 not port 22
>
> does what it's supposed to, while
>
>     snort -dv -i elxl0 not port 22
>
> shows TONS of packets to and from port 22.
This is a pcap problem, not a snort problem. The BPF filtering subsystem is provided by libpcap and the issues that you're seeing are completely at that layer. I'd recommend contacting the tcpdump.org guys for that one.
> Additionally, I was running snort last night and ran the attack scripts from a machine outside the network. The following got completed (the rest were either status 'skipped' or I got tired after an hour and stopped):
>
> [snip lots o' attacks]
>
> But not one of them was picked up by snort. I'm running snort with the following options:
Did you have rules running that pick up the attacks you run? What tool were you running?
>     /usr/local/bin/snort -A fast -i ppp0 -l /var/log/snortlogs -c /etc/snort/snort.conf -D
>
> and I have all the default includes in snort.conf. I have HOME_NET set to $ppp0_ADDRESS and EXTERNAL_NET is set to !$HOME_NET. I'm running snort Version 1.8.1-RELEASE (Build 74) on Solaris 8 x86 MU5 (7/01).
Your config looks good to me, if you're having problems I'd suggest not running in daemon mode until you can be sure you aren't getting any command line error messages.

-Marty

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
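Marty's advice is to stay out of daemon mode (-D) until the command line is known to be clean, because a bad -c path or a missing rules include produces an error on the terminal in the foreground but disappears when snort detaches. The following pre-flight script, added here as an illustration and not part of Snort or of the original thread, performs that check without Snort: it verifies the config path given on the command line is readable, resolves every `include` line relative to the config's directory (plain paths as in the default 1.8 snort.conf; it does not expand Snort variables in include paths, an assumption noted in the code), and prints the `var` definitions so HOME_NET and EXTERNAL_NET can be read back before the sensor is daemonized. The sample snort.conf is constructed inside the script.

```shell
#!/bin/sh
# Added example, not Snort's own tooling: pre-flight checks to run before
# starting snort with -D, so a typo in the -c path or a missing include is
# caught in the foreground instead of vanishing into a daemon.

# check_snort_conf CONF
# Returns 0 if CONF is readable and every "include <file>" it references
# resolves (relative to CONF's directory, the way Snort resolves them).
# Assumption: include paths are literal; $VAR references are not expanded.
check_snort_conf() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "config not readable: $conf" >&2
        return 1
    fi
    dir=$(dirname "$conf")
    rc=0
    # Drop comments, select "include" lines, and test each target file.
    sed 's/#.*//' "$conf" | awk '$1 == "include" { print $2 }' |
    while read -r inc; do
        case "$inc" in
            /*) target="$inc" ;;
            *)  target="$dir/$inc" ;;
        esac
        if [ ! -r "$target" ]; then
            echo "missing include: $target" >&2
            exit 1      # leaves the pipeline subshell with failure
        fi
    done || rc=1
    return $rc
}

# list_vars CONF
# Prints each "var NAME VALUE" as NAME=VALUE so HOME_NET / EXTERNAL_NET
# can be read back before the sensor goes into daemon mode.
list_vars() {
    sed 's/#.*//' "$1" | awk '$1 == "var" { print $2 "=" $3 }'
}

# make_sample_conf
# Builds a constructed snort.conf (modelled on the thread's settings) in a
# temp directory and prints its path; used for the demo run below.
make_sample_conf() {
    d=$(mktemp -d)
    printf '%s\n' 'var HOME_NET $ppp0_ADDRESS' \
                  'var EXTERNAL_NET !$HOME_NET' \
                  '# rules shipped with the sample' \
                  'include exploit.rules' > "$d/snort.conf"
    : > "$d/exploit.rules"
    echo "$d/snort.conf"
}

# Demo: a clean config passes, then a dangling include makes it fail.
if [ "${SNORT_PREFLIGHT_DEMO:-0}" = 1 ]; then
    c=$(make_sample_conf)
    list_vars "$c"
    check_snort_conf "$c" && echo "ok: $c"
    echo 'include missing.rules' >> "$c"
    check_snort_conf "$c" || echo "refusing to daemonize: $c"
fi
```

Run it as `SNORT_PREFLIGHT_DEMO=1 sh preflight.sh` to see the pass and fail cases, or source it and call `check_snort_conf /etc/snort/snort.conf` right before the real `snort -D` line in a startup script, aborting on a non-zero return.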