Snort mailing list archives
Re: only alerts on incoming traffic.
From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Tue, 24 Feb 2009 15:18:00 -0500
I'm guessing you're running snort on the same system you are generating the outgoing traffic? If so, try running with "-k none".

Cheers,
-matt

On Tue, Feb 24, 2009 at 2:37 PM, jkv <jkv () unixcluster dk> wrote:
Hi,

I'm having trouble getting snort to trigger rules on outgoing connections; inbound connections work just fine. For debugging this issue I have disabled all my normal rules and made a few debug rules:

    alert tcp any any -> 90.185.105.45 25 (msg:"DEBUG: SMTP INCOMMING"; sid:22222222;)
    alert tcp 90.185.105.45 any -> any 25 (msg:"DEBUG: SMTP OUTGOING"; sid:11111111;)

(90.185.105.45 is my static IP; normally I use HOME_NET for this, but since I am debugging I have hardcoded the IP in the rules.)

With these two rules I get snort alerts if I generate port 25 traffic from a remote server to my server - so far so good. But if I initiate a port 25 connection from my server to some remote SMTP server, I don't get any snort alerts.

Anyone got any ideas about why this is happening?

Regards,
jkv

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
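Added example, not part of the original thread: Snort's `-k` option sets its checksum mode, and `-k none` turns checksum verification off. The sketch below assumes the usual cause behind this advice (a sensor on the sending host captures outgoing packets before the NIC has filled in the TCP checksum) and uses a simplified model of the drop decision; the remote address 192.0.2.10, the ports and both packets are constructed.

```python
import socket
import struct

def fold_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers (protocol 6)."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, 6, tcp_len))

def tcp_segment(sport: int, dport: int, checksum: int) -> bytes:
    """Minimal 20-byte SYN header (constructed sample, no options, no payload)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                       5 << 4, 0x02, 65535, checksum, 0)

def tcp_checksum(src: str, dst: str, sport: int, dport: int) -> int:
    """Correct checksum: complement of the sum with the field zeroed."""
    seg = tcp_segment(sport, dport, 0)
    return ~fold_sum(pseudo_header(src, dst, len(seg)) + seg) & 0xFFFF

def checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    """A valid segment sums to 0xFFFF when its checksum field is included."""
    return fold_sum(pseudo_header(src, dst, len(seg)) + seg) == 0xFFFF

def inspected(src: str, dst: str, seg: bytes, checksum_mode: str = "all") -> bool:
    """Simplified model (an assumption, not Snort's code): bad-checksum
    packets never reach the rules unless verification is off (-k none)."""
    return checksum_mode == "none" or checksum_ok(src, dst, seg)

SERVER, REMOTE = "90.185.105.45", "192.0.2.10"   # REMOTE is a constructed address
# Inbound: the remote sender's checksum was already computed on the wire.
INBOUND = tcp_segment(40000, 25, tcp_checksum(REMOTE, SERVER, 40000, 25))
# Outbound, captured locally: 0x0000 stands in for the not-yet-filled field.
OUTBOUND = tcp_segment(40000, 25, 0x0000)

if __name__ == "__main__":
    for name, src, dst, seg in (("inbound", REMOTE, SERVER, INBOUND),
                                ("outbound", SERVER, REMOTE, OUTBOUND)):
        print(name, "valid checksum:", checksum_ok(src, dst, seg),
              "| inspected with -k all:", inspected(src, dst, seg, "all"),
              "| with -k none:", inspected(src, dst, seg, "none"))
```

On a real sensor the same diagnosis can be confirmed by checking whether a packet capture taken on that host reports incorrect TCP checksums for the outgoing packets only.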
Current thread:
- only alerts on incoming traffic. jkv (Feb 24)
- Re: only alerts on incoming traffic. Matt Watchinski (Feb 24)
