Snort mailing list archives
Re[2]: Snort logging way too much
From: Ochronus <ochronus () all hu>
Date: Sat, 14 Feb 2004 08:11:44 +0100
Actually it's not meant to be a bug report, I rather suspect that I've misconfigured the pig. But anyway:

System arch.: x86 (Athlon)
System: Debian unstable
Snort version: 2.1
Preprocessors: flow, frag2, stream4: detect_scans, disable_evasion_alerts, http_inspect_servers, rpc_decode, bo, telnet_decode
Rules: many, almost all
Output plugins: postgresql
Command line: -i eth0 -p -c <config-file> (tried without -p)
Snort errors: none

The thing is that I don't understand how it comes that my machine logs packets/packet flows aimed at other machines. I thought it was because of Snort setting promiscuous mode, yet I think a decent switch in the server hosting area (there are 5 machines on the switch my machine is on) should not propagate every packet to all machines. But even if so, I should be able to tell Snort to watch only for those having my machine's IP as their destination.

Thank you,
Ochronus

------------------------

We need more info, please check out the BUGS file in the doc directory of your Snort distro.

-Marty

On Feb 13, 2004, at 7:25 PM, Ochronus wrote:
Hi!

I have a hosted server with a fixed IP address. I set $HOME_NET to this address, tried turning promiscuous mode on and off, still Snort logs many packets sent to foreign machines, even to ones obviously hosted on other subnets. Given the above layout (single server, no LAN attached, fixed IP), could you give me some hints on configuring the pig for rule-based logging of only the packets sent TO MY machine?

Thanks in advance,
Ochronus
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
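The question in this thread (a single hosted server, fixed IP, Snort logging traffic for other hosts) has two separate knobs, and it is worth seeing both in one place. The example below is added here and is not code from Ochronus, Marty or the Snort project. It shows (1) a BPF capture filter, which libpcap applies before any Snort preprocessor or rule runs, so frames the switch floods or mirrors to the sensor are dropped at capture time, and (2) a HOME_NET/EXTERNAL_NET definition with a rule whose direction operator points at HOME_NET, plus a quick check for rules that are not bounded by HOME_NET at all. The address 192.0.2.10, the interface eth0, the file paths and the sample rule (msg and sid) are placeholders I chose, not values from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread or from the Snort project.
# Two complementary controls for a single-host Snort 2.x sensor:
#  1. a BPF capture filter, applied by libpcap before Snort's preprocessors
#     and rules see anything, so flooded/mirrored traffic for other hosts
#     is discarded at capture time;
#  2. a HOME_NET/EXTERNAL_NET definition plus a rule whose direction
#     operator (->) points at HOME_NET, so the rule side is bounded too.
# 192.0.2.10, eth0 and the file paths are placeholders (assumptions).

HOME_IP="${HOME_IP:-192.0.2.10}"
IFACE="${IFACE:-eth0}"

# Small sanity check on the address: four dotted decimal octets.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# BPF that keeps only packets *sent to* the sensor, which is literally
# what was asked for in the thread.
bpf_to_host() {
    printf 'dst host %s' "$1"
}

# Bidirectional variant. stream4/flow need both directions of a session to
# reassemble it; with "dst host" alone the server's own replies are invisible
# and stateful inspection degrades.
bpf_host_sessions() {
    printf 'host %s' "$1"
}

# Snort 2.x treats trailing non-option arguments as a BPF expression, the
# same way tcpdump does; -p switches promiscuous mode off. The command is
# echoed rather than executed so this script runs where snort is absent.
snort_cmdline() {
    printf 'snort -i %s -p -c %s %s\n' "$1" "$2" "$3"
}

# Longer filters are easier to keep in a file and load with: snort -F <file>
write_bpf_file() {
    printf '%s\n' "$2" > "$1"
}

# Minimal snort.conf fragment: HOME_NET is the sensor's own /32, EXTERNAL_NET
# is its complement, and the sample rule only fires on traffic *to* HOME_NET.
# sid 1000001 is in the local-rule range; msg and sid are made up here.
write_home_net_conf() {
    ip="$2"
    cat > "$1" <<EOF
var HOME_NET [$ip/32]
var EXTERNAL_NET !\$HOME_NET
alert tcp \$EXTERNAL_NET any -> \$HOME_NET 22 (msg:"LOCAL ssh connection to sensor"; flags:S; sid:1000001; rev:1;)
EOF
}

# Count rule lines whose destination is not $HOME_NET (e.g. "-> any any").
# Such rules keep logging third-party traffic however HOME_NET is set and
# are a common reason a sensor "logs way too much".
count_unbounded_rules() {
    grep -E '^(alert|log|pass)' "$1" | grep -Evc -- '-> \$HOME_NET' || true
}

if is_ipv4 "$HOME_IP"; then
    snort_cmdline "$IFACE" /etc/snort/snort.conf "$(bpf_host_sessions "$HOME_IP")"
    write_bpf_file /tmp/snort.bpf "$(bpf_to_host "$HOME_IP")"
    write_home_net_conf /tmp/home_net.conf "$HOME_IP"
fi
```

Two caveats a practitioner should keep in mind. `-p` only stops the NIC from accepting frames not addressed to its own MAC; if the switch floods (MAC table overflow, unknown destinations, broadcast) or the port is mirrored, those frames arrive regardless, and only the BPF filter keeps them out of Snort. HOME_NET, on the other hand, scopes only rules that reference it: a rule written with `-> any any` or `<>` matches whatever Snort sees, and preprocessor alerts such as stream4's scan detection are not bounded by HOME_NET at all, which is why the capture filter is the reliable knob for a single-host sensor.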
Current thread:
- Snort logging way too much Ochronus (Feb 13)
- Re: Snort logging way too much Martin Roesch (Feb 13)
- Re[2]: Snort logging way too much Ochronus (Feb 13)
- Re: Block Frank Knobbe (Feb 16)
- Re: Block Brian (Feb 16)
- Re: Block Matt Kettler (Feb 17)
- Re: Snort logging way too much Martin Roesch (Feb 13)