Snort mailing list archives

Something I don't understand...


From: Bob Hillegas <bobhillegas () pdq net>
Date: Mon, 27 Aug 2001 22:16:39 -0500 (CDT)

I am running snort Version 1.8.1-RELEASE (Build 74) on RH7.1.
Snort is started using the command line:
snort -i ppp0 -u snort -g snort -z est -c /etc/snort/snort.conf -D
The snort.conf rule set is v 1.62 2001/08/12.
The snort.conf (without comments) is appended below.

I am connected to the internet using ppp0 over a 56K modem. I use ipchains
to DENY everything but ports 25, 110, 80 (squid), 53, and ICMP.

I log all DENY packets and get dozens of DENY packets daily, most of which
lately have been directed to port 80.

Snort registers none of this. It has only registered random ICMP traffic,
about 20 packets over the last three weeks.

As a comparison, I started tcpdump as follows:
tcpdump -eflS -nn -vv -i ppp0 &> tcpdump.fil &
This file contains all of the packets that got logged as DENY'd by
ipchains, and in comparison, snort logged nothing to syslog, nothing to
the database, nothing to the binary file.

Is there something very basic I am missing or is this a problem with my
setup?

Thanks to anyone who takes time to comment. BobH

--- snip ---
var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET

var DNS_SERVERS $HOME_NET
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
output database: alert, mysql, dbname=snort user=snort password=snort host=localhost
include classification.config
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include shellcode.rules
include misc.rules
include policy.rules
include info.rules
include icmp-info.rules
include virus.rules
include local.rules
--- snip ---

-- 
-------------------------------------------------
Bob Hillegas
<bobhillegas () pdq net>
281.546.9311
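Added example, not part of the original post or of the Snort project: the command line above runs Snort with `-z est`, which (as documented for Snort 1.8's stream4) makes rule alerts fire only for TCP packets belonging to a session stream4 has seen established; UDP and ICMP alerts are unaffected. A packet that ipchains DENYs on input never gets a reply from the host, so no TCP session can become established through it. The script below parses ipchains "Packet log:" syslog records and counts, per destination port, how many of them a rule could still alert on under that mode. The log lines are constructed samples, the address ranges are documentation prefixes, and the `alertable_under_est` function is a deliberately simplified model of the est check, not Snort's own code.

```python
"""Classify ipchains log records by whether Snort's -z est mode would let a
rule alert on them.  Added example; not code from the original post."""
import re
from collections import Counter

# Constructed sample records in the ipchains "Packet log:" syslog format.
SAMPLE_LOG = """\
Aug 27 20:01:13 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4312 198.51.100.9:80 L=48 S=0x00 I=4521 F=0x4000 T=115 SYN (#3)
Aug 27 20:05:44 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.8:2044 198.51.100.9:80 L=48 S=0x00 I=9912 F=0x4000 T=110 SYN (#3)
Aug 27 20:06:10 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.8:2045 198.51.100.9:21 L=48 S=0x00 I=9913 F=0x4000 T=110 SYN (#3)
Aug 27 20:09:02 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.9:1027 198.51.100.9:137 L=78 S=0x00 I=512 F=0x0000 T=120 (#3)
Aug 27 20:11:30 gw kernel: Packet log: input ACCEPT ppp0 PROTO=1 203.0.113.10:8 198.51.100.9:0 L=84 S=0x00 I=77 F=0x0000 T=240 (#5)
this line is not an ipchains record
"""

# ipchains prints: chain action iface PROTO=n src:sport dst:dport L= S= I= F= T= [SYN]
# For ICMP the "port" fields carry the type and code.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=0x[0-9a-fA-F]+ "
    r"I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)(?P<syn> SYN)?"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipchains_line(line):
    """Return a dict for one ipchains log record, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "chain": m.group("chain"),
        "action": m.group("action"),
        "iface": m.group("iface"),
        "proto": int(m.group("proto")),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "ttl": int(m.group("ttl")),
        "syn_only": m.group("syn") is not None,  # ipchains flags bare SYNs
    }


def alertable_under_est(rec):
    """Simplified model (assumption) of Snort's -z est behaviour: TCP rules
    alert only inside a session stream4 has seen established.  A TCP packet
    the firewall DENYs on input gets no reply, so it can never belong to an
    established session.  UDP and ICMP are not subject to the est check.
    Real Snort additionally needs stream4 to have seen the handshake for
    accepted TCP traffic; that state tracking is not modelled here."""
    if rec["proto"] != 6:
        return True
    return rec["action"] != "DENY"


def summarize(log_text):
    """Count parsed records per (proto, dport) and how many -z est would hide."""
    by_port = Counter()
    hidden = Counter()
    parsed = 0
    for line in log_text.splitlines():
        rec = parse_ipchains_line(line)
        if rec is None:
            continue
        parsed += 1
        key = (PROTO_NAMES.get(rec["proto"], str(rec["proto"])), rec["dport"])
        by_port[key] += 1
        if not alertable_under_est(rec):
            hidden[key] += 1
    return {"parsed": parsed, "by_port": dict(by_port), "hidden_by_est": dict(hidden)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['parsed']} ipchains records parsed")
    for key, n in sorted(result["by_port"].items()):
        h = result["hidden_by_est"].get(key, 0)
        print(f"{key[0]}/{key[1]}: {n} packet(s), {h} invisible to rules under -z est")
```

Run against the real syslog output (`grep 'Packet log' /var/log/messages`) the per-port table shows which DENY'd traffic a rule set could ever have alerted on while `-z est` is in effect; the comparison to make is the same run with `-z all`, or with the flag dropped, which is the default.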



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users