Re: Too little traffic being seen!

[John Sage <jsage () finchhaven com>]

Adrian:

On or about Wed, Apr 23, 2003 at 02:02:28PM -0700, Adrian.Mink () pinnaclewest com posited:
> Hello, 
>
> I am running snort 2.0 on a Redhat 8.0 system using a stealth interface.
> (No IP address on eth0) 
> It is plugged into a switch setup as a span port, over which is flowing
> a large amount of traffic. There 
> is another IDS plugged into the same switch, which is alerting on the
> traffic. However, snort is only 
> generating maybe 1-2 alerts per hour, which is WAY to low. I even took
> it home (it's on a laptop) and plugged 
> it in outside of my firewall on a cable connection and saw the same
> thing. So, I am hoping my config is messed up
> somehow, will someone take a look at it and let me know if there are any
> glaring issues? I am getting a very few alerts, 
> and when I fire up ethereal I can see the raw traffic so I know the data
> is getting to the system. Help?

Why do you have $HOME_NET and $EXTERNAL_NET set to the same value,
"ANY"?

> var HOME_NET any
> var EXTERNAL_NET any

By any bizarre chance are the "very few alerts" those where $HOME_NET
== $EXTERNAL_NET in the triggered rule?

Also, it looks like you've got *all* the rules turned on.

Why? Particularily why, when it's not working yet?



- John
-- 
"You are in a twisty maze of weblogs, all alike."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users