Snort mailing list archives
RE: Snort-users digest, Vol 1 #4232 - 9 msgs
From: "MOUTON Michael OF/UNPS" <michael.mouton () orangefrance com>
Date: Thu, 13 May 2004 18:58:06 +0200
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On behalf of snort-users-request () lists sourceforge net
Sent: Thursday, 13 May 2004 18:12
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #4232 - 9 msgs

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. snort and firewall all in one machine (Peggy Kam)
   2. logging to a remote database with mudpit (Maetzky, Steffen (Extern))
   3. RE: snort and firewall all in one machine (Harper, Patrick)
   4. Re: snort and firewall all in one machine (Peggy Kam)
   5. RE: Snort but no alert (nyarlathothep () libero it)
   6. RE: logging to a remote database with mudpit (Lance Boon)
   7. Detecting SYN Floods (Sheahan, Paul)
   8. Re: snort and firewall all in one machine (Matt Kettler)
   9. display/log IPv6 traffic ? (Akolinare () gmx net)

--__--__--

Message: 1
Date: Thu, 13 May 2004 09:52:01 -0400
From: Peggy Kam <ppkam () n-dsi com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort and firewall all in one machine

Hi,

I am currently running the firewall and snort within the same machine; and snort is having its detections before firewall blocks the packets.

I would like to use snort to test if my firewall actually blocks the packets launched by attackers. Would anyone give me some advice on how I could configure IDS to do its detections after the firewall blocks the packets by its rules?

Thanks in advance,
Peggy

--__--__--

Message: 2
From: "Maetzky, Steffen (Extern)" <Steffen.Maetzky () gedas de>
To: "'Snort-users () lists sourceforge net'" <Snort-users () lists sourceforge net>
Date: Thu, 13 May 2004 15:53:52 +0200
Subject: [Snort-users] logging to a remote database with mudpit

Hi,

I try to put data from a host to a mysql-database on a remote one with mudpit but I get the following error message:

    Host 'hostname' is not allowed to connect to this MySQL Server
    error initializing ".../mp_acid_out.so": retrying
    unrecognized parameter "server"

On the remote-host I have given the grants:

    grant INSERT,SELECT on snort.* to snort identified by 'password';
    flush privileges;

On the local host I use (mudpit.conf):

    spool "/var/log/snort" {
        lock = "mysql"
        delete_processed
        user="root"
        output=".../mp_acid_out.so", "server <remote server ip>, user snort, password <password>, database snort, interface eth1"
    }

I don't know what's going wrong. Any ideas?

Thanks in advance,
Steffen

--__--__--

Message: 3
From: "Harper, Patrick" <patrick.harper () phns com>
To: "Peggy Kam" <ppkam () n-dsi com>, <snort-users () lists sourceforge net>
Date: Thu, 13 May 2004 09:38:00 -0500
Subject: RE: [Snort-users] snort and firewall all in one machine

You need to have snort listening on your inside interface. It uses libpcap so it sees traffic at the same time as the firewall.

-----Original Message-----
From: Peggy Kam [mailto:ppkam () n-dsi com]
Sent: Thursday, May 13, 2004 7:52 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort and firewall all in one machine

Hi,

I am currently running the firewall and snort within the same machine; and snort is having its detections before firewall blocks the packets.

I would like to use snort to test if my firewall actually blocks the packets launched by attackers. Would anyone give me some advice on how I could configure IDS to do its detections after the firewall blocks the packets by its rules?

Thanks in advance,
Peggy

--__--__--

Message: 4
Date: Thu, 13 May 2004 10:55:04 -0400
From: Peggy Kam <ppkam () n-dsi com>
To: "Harper, Patrick" <patrick.harper () phns com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort and firewall all in one machine

I have already set up snort to monitor the external and internal interfaces. I have already opened my firewall and I already have the ips for int and ext interfaces under homenet, however, I could only see the packets coming in from the ext. interface, nothing was seen in the internal interface. Please advise.

Thanks,
Peggy

Harper, Patrick wrote:

> You need to have snort listening on your inside interface. It uses
> libpcap so it sees traffic at the same time as the firewall.
>
> -----Original Message-----
> From: Peggy Kam [mailto:ppkam () n-dsi com]
> Sent: Thursday, May 13, 2004 7:52 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] snort and firewall all in one machine
>
> Hi,
>
> I am currently running the firewall and snort within the same machine;
> and snort is having its detections before firewall blocks the packets.
>
> I would like to use snort to test if my firewall actually blocks the
> packets launched by attackers. Would anyone give me some advice on how
> I could configure IDS to do its detections after the firewall blocks
> the packets by its rules?
>
> Thanks in advance,
> Peggy

--__--__--

Message: 5
Date: Thu, 13 May 2004 17:08:42 +0200
Subject: RE: [Snort-users] Snort but no alert
From: "nyarlathothep@libero.it" <nyarlathothep () libero it>
To: "nduda" <nduda () VistaPrint com>
Cc: "snort-users" <snort-users () lists sourceforge net>

The rule path is correct, Snort says 1991 rules when it starts up...

I think that is something about the net configuration, even if I don't know what could be :(

If I use snort like a sniffer,

    snort -dev -i eth1

I'll see lot and lot and lot of traffic!

eth1 is the interface WITHOUT IP address connected to the switch.
eth0 is connected to the inside network.

All the traffic from the other subnets is sent to the IDS by the switch...

Snort works well when it was connected locally, it stops to work when I connect the IDS to the switch, but the sensor sees the traffic but reports only the rules I've posted,

Matteo

> Is the rules path correct? /etc/snort/rules/xxxxx.rules , It seems the
> only rules processing are the one statically assigned in the .conf file.
> I would cleanup/rework the conf file a bit.
>
> In your snort startup script, are you listening on the correct
> interface? Try doing this: /path/to/snort -i eth1 (then your other
> switches, like path to config file and such). What is the output?
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of
> nyarlathothep () libero it
> Sent: Wednesday, May 12, 2004 11:02 AM
> To: snort-users
> Subject: [Snort-users] Snort but no alert
>
> Hello everyone, I'm still here with my problem.
>
> I've a snort debian box that listens on an interface (eth1, without ip
> address) on the external net while is connected on eth0 to the internal
> net, interface that I use to read the data that Snort puts in the
> database.
>
> The problem is that I don't receive rules alerts, except for ICMP
> destination unreachable, but only preprocessor alert, even when I try
> to scan the box with Nessus or NMap.
>
> I hope that someone could help me,
> (ps I've attached my conf file, all the rules are selected)
>
> Thanks,
> Matteo
>
> SNORT.CONF
>
> var HOME_NET 10.1.0.0/24
> var EXTERNAL_NET any
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> var RULE_PATH /etc/snort/rules
>
> preprocessor flow: stats_interval 0 hash 2
> preprocessor frag2
> preprocessor stream4: disable_evasion_alerts detect_scans
> preprocessor stream4_reassemble
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile apache ports { 80 8080 8180 } oversize_dir_length 500
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor telnet_decode
>
> preprocessor flow-portscan: talker-sliding-scale-factor 0.50 \
>     talker-fixed-threshold 30 talker-sliding-threshold 30 \
>     talker-sliding-window 20 talker-fixed-window 30 \
>     scoreboard-rows-talker 30000 server-watchnet $HOME_NET \
>     server-ignore-limit 200 server-rows 65535 server-learning-time 14400 \
>     server-scanner-limit 4 scanner-sliding-window 20 \
>     scanner-sliding-scale-factor 0.50 scanner-fixed-threshold 15 \
>     scanner-sliding-threshold 40 scanner-fixed-window 15 \
>     scoreboard-rows-scanner 30000 src-ignore-net $HOME_NET \
>     dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg \
>     tcp-penalties on
>
> output database: alert, postgresql, user=postgres dbname=snort host=localhost
>
> include classification.config
> include reference.config
>
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> ...
>
> ALERT
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212
> ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56
> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 151.11.129.212:135 -> 172.133.197.74:2249
> TCP TTL:254 TOS:0x40 ID:0 IpLen:20 DgmLen:40 DF
> Seq: 0x0 Ack: 0x0
> ** END OF DUMP
>
> [**] [121:4:1] Portscan detected from 200.191.164.142 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-15:49:09.988413
>
> [**] [121:4:1] Portscan detected from 192.168.150.2 Talker(fixed: 2 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-15:50:39.821253
>
> [**] [121:4:1] Portscan detected from 66.185.41.191 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-15:52:53.437042
>
> [**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
> 05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337
> UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46
> Len: 18
>
> [**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
> 05/12-15:53:40.994216 192.168.150.2:53239 -> 213.178.220.130:31337
> UDP TTL:61 TOS:0x0 ID:22742 IpLen:20 DgmLen:46
> Len: 18
>
> [**] [121:4:1] Portscan detected from 210.95.44.31 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-16:07:01.105576
>
> [**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1
> ICMP TTL:62 TOS:0x0 ID:41603 IpLen:20 DgmLen:56
> Type:3 Code:9 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED
> NETWORK FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 213.178.220.1:53 -> 69.50.179.2:60369
> UDP TTL:61 TOS:0x0 ID:43291 IpLen:20 DgmLen:199
> Len: 171
> ** END OF DUMP
>
> [**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/12-16:07:42.725148 147.123.1.42 -> 213.178.220.1
> ICMP TTL:62 TOS:0x0 ID:46666 IpLen:20 DgmLen:56
> Type:3 Code:9 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED
> NETWORK FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 213.178.220.1:53 -> 69.50.179.14:46007
> UDP TTL:61 TOS:0x0 ID:43292 IpLen:20 DgmLen:199
> Len: 171
> ** END OF DUMP
>
> [**] [121:4:1] Portscan detected from 69.44.61.30 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-16:23:58.282652
>
> [**] [121:4:1] Portscan detected from 151.11.129.54 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-16:28:50.508095

-------------------------------------------------------------------
Matteo Poropat
mailto:nyarlathothep@libero.it
http://www.genhome.org
http://books.dreambook.com/mefistofele74/genhome.html
-------------------------------------------------------------------

--__--__--

Message: 6
Subject: RE: [Snort-users] logging to a remote database with mudpit
Date: Thu, 13 May 2004 10:28:24 -0500
From: "Lance Boon" <lboon () firststatebanksw com>
To: <snort-users () lists sourceforge net>

I'm confused now, you say you tried this from your remote host and it works, but trying the same from the other host failed??? Have you granted the "other" host privileges on the MySql server?

-----Original Message-----
From: Maetzky, Steffen (Extern) [mailto:Steffen.Maetzky () gedas de]
Sent: Thursday, May 13, 2004 9:45 AM
To: Lance Boon
Subject: Re: [Snort-users] logging to a remote database with mudpit

Trying this from my remote host works. Trying the same from the other host failed

-----Original Message-----
From: Lance Boon [mailto:lboon () firststatebanksw com]
Sent: Thursday, 13 May 2004 16:24
To: Maetzky, Steffen (Extern)
Subject: RE: [Snort-users] logging to a remote database with mudpit

Have you tried just logging into the mysql server from your remote host?
For example

    mysql -h192.168.1.1 -usnort -p snort

Just substitute the ip I put in there for your mysql server's ip.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Maetzky, Steffen (Extern)
Sent: Thursday, May 13, 2004 8:54 AM
To: 'Snort-users () lists sourceforge net'
Subject: [Snort-users] logging to a remote database with mudpit

Hi,

I try to put data from a host to a mysql-database on a remote one with mudpit but I get the following error message:

    Host 'hostname' is not allowed to connect to this MySQL Server
    error initializing ".../mp_acid_out.so": retrying
    unrecognized parameter "server"

On the remote-host I have given the grants:

    grant INSERT,SELECT on snort.* to snort identified by 'password';
    flush privileges;

On the local host I use (mudpit.conf):

    spool "/var/log/snort" {
        lock = "mysql"
        delete_processed
        user="root"
        output=".../mp_acid_out.so", "server <remote server ip>, user snort, password <password>, database snort, interface eth1"
    }

I don't know what's going wrong. Any ideas?

Thanks in advance,
Steffen

--__--__--

Message: 7
Date: Thu, 13 May 2004 11:41:43 -0400
From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Detecting SYN Floods

I would like to do both of the following with Snort:

* Detect a high number of SYNs from one source over a short period of time
* Detect a high number of requests for a web page over a short period of time

Just curious if anyone has found a good way to do this with Snort.

Thanks

--__--__--

Message: 8
Date: Thu, 13 May 2004 12:09:26 -0400
To: Peggy Kam <ppkam () n-dsi com>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] snort and firewall all in one machine

At 09:52 AM 5/13/2004, Peggy Kam wrote:
> I am currently running the firewall and snort within the same machine;
> and snort is having its detections before firewall blocks the packets.
> I would like to use snort to test if my firewall actually blocks the
> packets launched by attackers. Would anyone give me some advice on how
> I could configure IDS to do its detections after the firewall blocks
> the packets by its rules?

You can get some of what you want by forcing the IDS to sniff the inside interface instead of the outside. Packets from the outside that were blocked will never make it to the inside.

However, there's no way for snort to detect "post firewall".. snort uses libpcap. Libpcap is fundamentally very low-level and picks up packets at a very low level off the ethernet driver, long before the TCP/IP stack gets them.

--__--__--

Message: 9
Date: Thu, 13 May 2004 18:11:11 +0200 (MEST)
From: Akolinare () gmx net
To: snort-users () lists sourceforge net
Subject: [Snort-users] display/log IPv6 traffic ?

Hi,

I started snort in an IPv6 network. The summary screen, displayed at exiting snort, displays the correct number of IPv6 packets but none of them are logged in logfiles or displayed at the console (with -v).

Is it not possible to display/log IPv6 traffic with snort?

I used the latest version 2.1.2.

regards
Markus

--__--__--

End of Snort-users Digest

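Matt Kettler's point in Message 8 (blocked packets never reach the inside interface) can be turned into a firewall check by running one sensor per interface and comparing what each one alerted on. This is an added example, not code from the thread or from Snort: it assumes both sensors write Snort's "fast" alert format, IPv4 traffic and no NAT between the two interfaces, and every sample line, SID and address in it is constructed.

```python
import re
from collections import namedtuple

# One Snort "fast" alert line (IPv4 only):
#   MM/DD-hh:mm:ss.us [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# The source port is left out of the key: a retried probe uses a new one.
Flow = namedtuple("Flow", "gid sid proto src_ip dst_ip dst_port")


def parse_fast(lines):
    """Return ({Flow: msg}, skipped_count) for an iterable of fast-alert lines."""
    flows, skipped = {}, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = FAST_RE.match(line)
        if not m:
            skipped += 1  # count unparsed lines instead of dropping them silently
            continue
        src_ip = m["src"].partition(":")[0]
        dst_ip, _, dst_port = m["dst"].partition(":")  # dst_port is "" for ICMP
        key = Flow(int(m["gid"]), int(m["sid"]), m["proto"], src_ip, dst_ip, dst_port)
        flows.setdefault(key, m["msg"])
    return flows, skipped


def compare(outside_lines, inside_lines):
    """Classify alerted flows by which side of the firewall saw them."""
    outside, skip_out = parse_fast(outside_lines)
    inside, skip_in = parse_fast(inside_lines)
    return {
        "blocked": sorted(set(outside) - set(inside)),      # seen outside only
        "passed": sorted(set(outside) & set(inside)),       # reached the inside wire
        "inside_only": sorted(set(inside) - set(outside)),  # never crossed the firewall
        "skipped": skip_out + skip_in,
    }


# Constructed sample alerts (documentation address ranges, made-up local SIDs).
OUTSIDE_SAMPLE = """\
05/13-10:01:02.100000  [**] [1:1000001:1] TEST web probe [**] [Priority: 2] {TCP} 203.0.113.5:40112 -> 10.1.0.10:80
05/13-10:01:03.200000  [**] [1:1000002:1] TEST portmap request [**] [Priority: 2] {UDP} 203.0.113.5:40200 -> 10.1.0.10:111
05/13-10:01:04.200000  [**] [1:1000002:1] TEST portmap request [**] [Priority: 2] {UDP} 203.0.113.5:40201 -> 10.1.0.10:111
05/13-10:01:05.300000  [**] [1:1000003:1] TEST ping [**] [Priority: 3] {ICMP} 198.51.100.7 -> 10.1.0.10
-- log rotated --
""".splitlines()

INSIDE_SAMPLE = """\
05/13-10:01:02.100400  [**] [1:1000001:1] TEST web probe [**] [Priority: 2] {TCP} 203.0.113.5:40112 -> 10.1.0.10:80
05/13-10:02:00.000000  [**] [1:1000004:1] TEST smb access [**] [Priority: 2] {TCP} 10.1.0.20:1050 -> 10.1.0.10:445
""".splitlines()

if __name__ == "__main__":
    result = compare(OUTSIDE_SAMPLE, INSIDE_SAMPLE)
    for verdict in ("blocked", "passed", "inside_only"):
        for flow in result[verdict]:
            print(f"{verdict:12} sid={flow.sid} {flow.proto} "
                  f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port or '-'}")
    print("unparsed lines:", result["skipped"])
```

A flow listed as "passed" for a port the firewall policy is supposed to drop is the finding to investigate; both captures must cover the same time window for the comparison to mean anything.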
Current thread:
- RE: Snort-users digest, Vol 1 #4232 - 9 msgs MOUTON Michael OF/UNPS (May 13)
