Snort mailing list archives

Re: real basic starter rules


From: Harry Putnam <reader () newsguy com>
Date: Fri, 26 Apr 2002 15:07:16 -0700

Harry Putnam <reader () newsguy com> writes:

> If you don't see massive quantities of ftp foo going both ways.
>
> Hot dog... there it is.

I think I spoke too soon.  Haven't got it made in the shade just yet.

I tried it against a different machine on the network and get nothing
at all.

It turned out (I think this is why) that my dsl/router to which all
boxes were connected is also a switch.  So, I went and bought a simple
hub.  NETGEAR 108 (8 ports), and at least the guy in comp.usa said it
isn't switched.  And the specs say nothing about switch.

However, with that hooked up as in this picture:

                 INTERNET   
                    |
                 ADSL MODEM (IP ADDRESS [static])
                    |
_______NETGEAR FR314 .1 (ROUTER/switch/firewall)______________
|            |             |           |            |
.2          .3             |          .9           .6
                           |
                       simple hub          
                       |        |
                       |        |
                      .5       .4
                       |
               snort running 
                    here.


  echo "log tcp 192.168.0.4 any ->  128.111.24.43 21" >snort.conf
  rm -rf log
  mkdir log
  snort -d -l log -c snort.conf


Then slide over and check ifconfig on 192.168.0.4

I see it is 192.168.0.4 on Eth0 

fire up an ftp session on 192.168.0.4

ftp 128.111.24.43
Connect and cd to pub then ls
close down ftp session

Break out of the snort process and
    root # ls -l log
 total 0
 -rw-------    1 root     root            0 Apr 26 15:04 alert

No traffic.





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
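As an added example (not code from the post or from Snort itself), a small Python matcher for bare Snort 1.x rule headers like the one in the post, run over constructed packets from the described FTP session. It shows that a `->` header selects only the client-to-server half of the session; Snort's `<>` operator is needed to catch the replies from port 21 as well. Port ranges, lists and negation are left out; the ephemeral port numbers are assumptions.

```python
# Added example (not code from the post or from Snort): a matcher for bare
# Snort 1.x rule headers, "action proto src sport direction dst dport", to
# show which packets of the poster's FTP session this rule would log:
#   log tcp 192.168.0.4 any -> 128.111.24.43 21
# Only "any"/single ports and IP-or-CIDR addresses are handled (no port
# ranges, lists or negation). All packets below are constructed, not captured.
import ipaddress

FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")

def parse_header(rule: str) -> dict:
    parts = rule.split()           # tolerates the post's double space after "->"
    if len(parts) != 7 or parts[4] not in ("->", "<>"):
        raise ValueError(f"not a bare rule header: {rule!r}")
    return dict(zip(FIELDS, parts))

def _ip_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def _one_way(h: dict, src: str, sport: int, dst: str, dport: int) -> bool:
    return (_ip_match(h["src"], src) and _port_match(h["sport"], sport)
            and _ip_match(h["dst"], dst) and _port_match(h["dport"], dport))

def matches(h: dict, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """True if the packet's 5-tuple is selected by the rule header."""
    if h["proto"] != proto:
        return False
    if _one_way(h, src, sport, dst, dport):
        return True
    # "<>" also selects the reverse direction; "->" is one-way only.
    return h["direction"] == "<>" and _one_way(h, dst, dport, src, sport)

RULE = parse_header("log tcp 192.168.0.4 any ->  128.111.24.43 21")

# Constructed packets from the session in the post (ephemeral ports are made up).
CLIENT_TO_SERVER = ("tcp", "192.168.0.4", 40123, "128.111.24.43", 21)
SERVER_TO_CLIENT = ("tcp", "128.111.24.43", 21, "192.168.0.4", 40123)
OTHER_HOST = ("tcp", "192.168.0.5", 40124, "128.111.24.43", 21)
```

Even with the one-way rule, the outbound control-channel packets should have been logged; an empty log directory as in the post means those packets never reached the interface Snort was reading, which points at sniffing position or interface selection rather than the rule.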
