Snort mailing list archives
Only seeing TCP Alerts
From: Matt Martin <MMartin () jwpepper com>
Date: Wed, 11 Jun 2014 21:13:27 +0000
Hello All,

I have recently gotten Snort 2.9.6.0 installed, along with Barnyard2, Oinkmaster, and BASE as the frontend. When I open the web page on the server for BASE and view the home page I only see TCP (100%) in the "Traffic Profile by Protocol". Everything else is showing 0%. For example, I see:

TCP (100%)
UDP (0%)
ICMP (0%)
Portscan Traffic (0%)

I'm wondering why ALL the others are at 0%? Over the last 48 hours or so there has to have been some kind of UDP traffic, don't ya think?

I also attempted to run a portscan (using "nmap 10.60.114.0/24") on the whole ipvar configured for HOME_NET. But I don't think the Portscan part was picked up either...

If I check the MySQL database for snort, the "tcphdr" table has tons of data in it, but the "udphdr" table is completely empty. If I run "select * from udphdr", mysql returns "Empty set (0.00 sec)". So I'm not sure if I have snort configured correctly or not..?

Are there any tests that anyone could suggest to help me figure out why UDP, ICMP and Portscan are not being picked up? If you need to see my snort.conf, just let me know. If so, does the mailing-list take attachments?

Any thoughts or suggestions would be much appreciated!

Thanks in Advance,
Matt
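One check worth running before digging into snort.conf: BASE's protocol profile is built from the alerts Barnyard2 wrote to the database, so if no enabled rule in the loaded ruleset matches UDP or ICMP, those tables stay empty regardless of what traffic crossed the wire. The script below is an added example (not from the poster or the Snort project) that parses Snort rule headers and reports, per protocol, how many rules are enabled versus commented out (the state Oinkmaster leaves a rule in when it disables it); the rules text is a constructed sample and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample of a Snort rules file (not a real ruleset): two enabled TCP rules,
# one UDP rule commented out, and one enabled ICMP rule.
SAMPLE_RULES = """\
# ----- constructed sample, not a real ruleset -----
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test"; flow:to_server; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH test"; sid:1000002; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS test"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000004; rev:1;)
"""

# Snort rule header: action proto src sport direction dst dport ( options )
# A leading '#' marks the rule as disabled.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?'
    r'(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*'
    r'\((?P<opts>.*)\)\s*$', re.IGNORECASE)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def summarize_rules(text):
    """Return {proto: {'enabled': [sids], 'disabled': [sids]}} for single-line rules."""
    summary = defaultdict(lambda: {"enabled": [], "disabled": []})
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines, plain comments and multi-line rules are skipped
        sid_m = SID_RE.search(m.group("opts"))
        sid = int(sid_m.group(1)) if sid_m else None
        state = "disabled" if m.group("disabled") else "enabled"
        summary[m.group("proto").lower()][state].append(sid)
    return dict(summary)

def protocols_without_enabled_rules(summary, wanted=("tcp", "udp", "icmp")):
    """Protocols in `wanted` with no enabled rule at all: no alert for them can ever
    reach Barnyard2 or BASE, whatever the traffic mix looks like."""
    return [p for p in wanted if not summary.get(p, {}).get("enabled")]

if __name__ == "__main__":
    s = summarize_rules(SAMPLE_RULES)
    for proto, st in sorted(s.items()):
        print(f"{proto:5s} enabled={len(st['enabled'])} disabled={len(st['disabled'])}")
    print("no enabled rules for:", protocols_without_enabled_rules(s))
```

Run it over the concatenation of every file named in your snort.conf `include` lines; a protocol reported with no enabled rules explains a 0% entry in BASE without any capture problem being involved.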