Re: [Snort-users] $HOME_NET
From: Erek Adams <erek(at)snort.org>
Date: Tue Apr 08 2003 - 13:01:13 EDT

On Tue, 8 Apr 2003, Keg wrote:

> Sorry, but it looks like I'm going in circles....if $EXTERNAL_NET is set

Yes, that's right.

> But what happens is the following:

What alerts do you EXPECT to see? If there aren't rules for them, or the Win32 server isn't vulnerable to that attack, then you won't see any alerts. When running Snort I see any alert that I have a rule for. Running on my laptop off of a cable modem, I see tons of ping scans and SQL Slammer worms flying by. Snort isn't biased about Win32 or *NIX. :)

I really think there's something odd about your setup. If you run snort in sniffer mode (snort -vd) can you see traffic directed at the Win32 box? To really test, use an external traceroute server and ping your Win32 box (route-server.{cerf,exodus}.net). If you can see the ping then there's something else wrong.

> P.S. I do realize that it is hard to give a definite answer without
:) Yep, quite often helping is sorta like juggling chainsaws. If you'd like to go into more detail, feel free to drop me private email.

Cheers!

Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

Received on Tue Apr 8 13:17:32 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:11:56 EDT