
RE: [Snort-users] (no subject)

From: Don Weber <Don(at)WeberOnTheWeb.com>
Date: Tue Apr 08 2003 - 19:44:50 EDT


How about giving us the command line you used to start snort, and did you stop and restart snort? If you used the command line for viewing, what you might be seeing is all the traffic that is normally 'seen', not necessarily 'alerting' on that traffic, or are you getting alerts outside your defined rule?

Don    

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of ryan stangl
Sent: Tuesday, April 08, 2003 3:54 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] (no subject)  

I was hoping that someone could help me. I am running snort 1.9 on Win2K. I got it to run, and on our little mock network I can see other computers trying to get in; for example, I can see a ping or a sweep. So I assumed that it was working. Then I wanted to see if I could get one of my rules to work, so I added a rules text file where all the other rules were and gave it a .rules extension. I made just a simple one: alert tcp <ip/24>500:2000 -> <ip/24> any. Then in the snort config file I placed a # in front of all of the rules listed and added a path to the rule file I made. My thinking was that I would receive only instances that I specified, where anything coming from not my computer between port 500 and 2000 is trying to go to my computer by any port, but that wasn't the case. I was getting everything as I was before, coming from any port. It seemed A.) that my rule file wasn't working, and B.) that all the rule files were activated again. WHY IS THIS. If anyone can help me out here it would be greatly appreciated. Thanks

Ryan



Received on Tue Apr 8 20:14:08 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:51:02 EDT

