Snort mailing list archives
Re: Snort only produces Stream5 alerts
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 27 Sep 2013 19:54:30 -0600
On Sep 27, 2013, at 7:50 PM, Joe Seanor <joseph.seanor () gmail com> wrote:
> James,
>
> Thanks for the reply.
>
> Home_Net is: 192.168.0.12 (I am only protecting a single box with this)
> External_Net is: !$HOME_NET
>
> Ruleset, I ran pulledpork with my oinkcode and I did nothing to modify any of the rules in the snort.rules file. I checked the file and found rules that were active and rules that were commented out.
>
> I wonder if it is part of my install, since another time I had something similar, I wiped the box, reinstalled and it worked that time. I went and did my new install plan, which had Qmailrocks installed first, then Snort, and all the other items. And I am finding the issues with Snort only alerting on the one alert.
>
> Joe
>
> On Fri, Sep 27, 2013 at 7:54 PM, James Lay <jlay () slave-tothe-box net> wrote:
>
> > On Sep 27, 2013, at 2:24 PM, Joe Seanor <joseph.seanor () gmail com> wrote:
> >
> > > I have a new install of snort:
> > >
> > >    ,,_     -*> Snort! <*-
> > >   o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
> > >    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
> > >            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
> > >            Using libpcap version 1.4.0
> > >            Using PCRE version: 8.30 2012-02-04
> > >            Using ZLIB version: 1.2.7
> > >
> > > And it has run for a full 24 hours, and the only alert (50 of them) that I have is stream5: Reset outside window. I even ran an external Nmap scan, and I received a "Portscan alert" and then everything else showed up as a stream5 alert.
> > >
> > > What did I miss in my configuration?
> > >
> > > Joe
> >
> > What rulesets have you enabled and what's your home_net and external_net look like?
> >
> > James
How big is that snort.rules file? Mine is about 16 megs.
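As an added diagnostic for the question above (this is not code from the thread or from the Snort project), a small Python script that reports how many rules in a pulledpork-generated snort.rules file are actually active versus commented out, broken down by classtype; pulledpork writes disabled rules as lines beginning with "# alert ...", and the sample rules embedded below are constructed.

```python
import re
import sys
from collections import Counter

# Constructed sample of a pulledpork snort.rules file (not from the thread).
# Disabled rules are kept as "# alert ..." lines; plain comments are ignored.
SAMPLE_RULES = """\
# Generated by pulledpork (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; classtype:attempted-admin; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC disabled example"; classtype:web-application-attack; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer"; classtype:attempted-recon; sid:1000003; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC beacon"; classtype:trojan-activity; sid:1000004; rev:1;)
# This is a plain comment, not a disabled rule
"""

# Rule header: optional leading "#" (disabled), action, proto, src, sport, dir, dst.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)'
    r'\s+\S+\s+(?P<src>\S+)\s+\S+\s+(->|<>)\s+(?P<dst>\S+)')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
CLASS_RE = re.compile(r'\bclasstype:\s*([\w-]+)\s*;')

def summarize_rules(text):
    """Count active and disabled rules, tally active rules per classtype,
    and collect the sids of the active rules."""
    summary = {"active": 0, "disabled": 0, "classtypes": Counter(), "sids": []}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                      # blank line or ordinary comment
        if m.group("disabled"):
            summary["disabled"] += 1      # rule present but commented out
            continue
        summary["active"] += 1
        cls = CLASS_RE.search(line)
        summary["classtypes"][cls.group(1) if cls else "unclassified"] += 1
        sid = SID_RE.search(line)
        if sid:
            summary["sids"].append(int(sid.group(1)))
    return summary

if __name__ == "__main__":
    # Usage: python rulecount.py /etc/snort/rules/snort.rules  (path is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    s = summarize_rules(text)
    print(f"{len(text.encode())} bytes, {s['active']} active, {s['disabled']} disabled")
    for cls, n in s["classtypes"].most_common():
        print(f"  {n:6d}  {cls}")
```

If the file is small or almost everything is disabled, the ruleset rather than HOME_NET is the first thing to look at.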
Current thread:
- Snort only produces Stream5 alerts Joe Seanor (Sep 27)
- Re: Snort only produces Stream5 alerts James Lay (Sep 27)
- Re: Snort only produces Stream5 alerts Jefferson Diego Diede (Sep 28)
- Re: Snort only produces Stream5 alerts Joel Esler (Sep 30)