RE: [Snort-users] Cant see alert for rule

permalink · #1 (**permalink**) 06-02-2004

This is a multi-part message in MIME format.

------=_NextPart_000_0002_01C448A6.B1280EE0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I pulled out my Linksys switch and put in an old 10/100 5-port workgroup
hub. Same problem.
=20
Any one have any ideas?
=20
thanks

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Tom Fulton
Sent: Wednesday, June 02, 2004 12:37 PM
To: Snort-users@lists.sourceforge.net
Subject: [Snort-users] Cant see alert for rule

1)=20
Snort 2.0.6 on linux=20

2)=20
Three pcs:=20
1 2 3=20
w2kPC victim linux attacker linux snort box=20

3)=20
I run:=20
Snort -d -e -v -c /etc/snort/snort.conf (no errors)=20

4)=20
Rule in <file://ftp.rules> ftp.rules is:=20
Alert tcp any any -> any 21 (content: "USER administrator"; msg: "FTP
administrator login attempt";)=20

5)=20
When I run: ftp <IPVictim> from linux attacker, I don't get any rules =
fired
on my snort box.=20

6)=20
I have a Gigabit Linksys 5-port workgroup switch between them all=20

Why am I not able to see the alert?=20

Thanks!=20

------=_NextPart_000_0002_01C448A6.B1280EE0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<TITLE>Message</TITLE>

<META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR></HEAD>
<BODY>
<DIV>I=20
pulled out my Linksys switch and put in an old 10/100 5-port workgroup=20
hub.  Same problem.</DIV>
<DIV> </DIV>
<DIV>Any=20
one have any ideas?</DIV>
<DIV> </DIV>
<DIV>thanks</DIV>
<BLOCKQUOTE dir=3Dltr style=3D"MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr =
align=3Dleft><FONT=20
face=3DTahoma size=3D2>-----Original Message----- From:=20
snort-users-admin@lists.sourceforge.net=20
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of =
Tom=20
Fulton Sent: Wednesday, June 02, 2004 12:37 PM To: =

Snort-users@lists.sourceforge.net Subject: [Snort-users] =
Cant see=20
alert for rule </DIV>
1) Snort 2.0.6=20
on linux 
2) Three=20
pcs:   =
1    =20
       =20
       =20
2      =20
       =20
        3 w2kPC =
victim       &n bsp; =20
linux=20
=
attacker           &nbsp=
;       =20
linux snort box 
3) I run:=20
 Snort -d -e -v -c=20
/etc/snort/snort.conf     (no errors) =
 
4) Rule in=20
<A href=3D"file://ftp.rules">ftp.rules</A> =
is: <FONT=20
face=3DArial size=3D2>Alert tcp any any -> any 21 (content: "USER=20
administrator"; msg: "FTP administrator login attempt";) =
 
5) When I run:=20
ftp <IPVictim>  from linux attacker, I don’t get any =
rules fired on=20
my snort box. 
6) I have a=20
Gigabit Linksys 5-port workgroup switch between them all =
 
Why am I not able to see the =
alert? 
Thanks! =
</BLOCKQUOTE></BODY></HTML>

------=_NextPart_000_0002_01C448A6.B1280EE0--

-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode