Snort mailing list archives

Question about SNORT Sensor Placement


From: bk6662 () cox net
Date: Tue, 31 Dec 2013 18:45:02 +0000 (GMT)

Hello group,

I know that you receive lots of questions on this topic.  But I think I 
have followed at least most of the suggestions, and have narrowed down 
to possibly a problem with the RULE set that I am using.  I recently 
installed Ubuntu and SNORT, following David Gullett's installation 
guide.  Everything appears to be working - except.....

I designed my network exactly as described in the diagram of that guide. 
My ISP cable modem connects to a router, which connects to a switch 
(with a mirrored port).  My firewall is connected to this same switch; 
the other end of the firewall connects to my internal LAN.

The SNORT sensor is in the receiver port of the mirrored switch.  I have 
(using WireShark) verified that this port is seeing *all* traffic coming 
and going to my internal network.  But I'm not getting any SNORT alerts. 
This even after I ran complete NMAP scans of my network, both from 
within the internal LAN, and also from the segment where the SNORT 
sensor is located.  It seems that these scans should be generating 
thousands of alerts.

In order to make sure the installation is working I briefly implemented 
a local rule to alert on *all* traffic.  It generated about 5,000 hits 
within less than a minute.  So I think it's working properly.  I'm 
guessing the issue is with my rules?

Please let me know how I can troubleshoot this issue, to determine where 
the problem lies.  I'll be the first to admit I'm new to SNORT.

Thank you!
Brian

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net