SV: Snort doesnt detect traffic.

[<Magnus.M.Glantz () telia se>]

-----Original message----- 
Från: Erek Adams [mailto:erek () theadamsfamily net] 
Skickat: on 2002-05-29 19:57 
Till: Glantz, Magnus M. /Communications /070-211 99 22, 070-211 99 22 
Kopia: snort-users () lists sourceforge net 
Ämne: Re: [Snort-users] Snort doesnt detect traffic.
On Wed, 29 May 2002 Magnus.M.Glantz () telia se wrote:

[...snip...]

> Will there be any problems detecting alerts?
> I noticed that you have to define a HOME_NET and EXTERNAL_NET..
> But, for me, it's the same.
> I defined HOME_NET to 192.168.135.0/24 and EXTERNAL_NET to Any
> I've also tried to do vice versa and define 192.168.135.0/24 to both....

> > var HOME_NET 192.168.135.0/24
> > var EXTERNAL_NET !$HOME_NET


Will that work?

The scenario when an IP-adress that is not 192.168.135.0/24 comes into the net, 

doesnt exist. there is no routing between the private network i'm defending and the Internet/my other private network.

 

What i'm afraid, is that box1, box2 or box3 get's hacked (they are conencted to the internet) and tries to hack my 
MsSQL server.. so i wanna sniff for known attacks, and traffic that is between box1, box2, box3 <-> mssql server, and 
does not goto the sqlport on the mssql server.


> pretty ascii:

> > Ummmm...  Not quite pretty...  :-/  But I can guess the issue.

> other net---mssql----     Hub     ----Snort
>                                   |       |     |
>                              box1 box2 box3
>                                |         |       |
>                                   Internet

> > [...snip...]

> > http://www.snort.org/docs/faq.html#6.21

> > I'm going to guess that's what your problem is.  If you have all of your
> > devices working at the same speed, then it will work as you expect.  Mixed bag
> > of 10/100 and you only see that type of traffic.

> > Try changing out your hub to a 'dumb' hub and see if that helps.
To my knowledge, it is a 'dumb' hub. I know it's not a switch anyways.

But maybe it got some "switch" properies that is messing up my sniffing?


> > Cheers!  Oh--And one penalty drink.  ;-)
I'm on it.. :-D
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

Best regards,

//Magnus Glantz


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users