
List:       snort-users
Subject:    [Snort-users] SNORT NIDS mode
From:       Time Traveler via Snort-users <snort-users () lists ! snort ! org>
Date:       2021-03-24 20:10:11
Message-ID: CAHPVVZo0LrcXxaYz9rfZ0LcGyfQOyOkM1E+3jaAKACew0zjSQw () mail ! gmail ! com

Hello,
I'm seeking some guidance on my Snort NIDS setup. It's fully configured and
is actively running. Snort is configured on Ubuntu 20.04 on a VM. When I
was going through the initial setup where I needed to test Snort by pinging
it from another machine, it worked fine. The ICMP ping requests were
detected and it was alerting in the terminal. Now that it's fully
configured with PulledPork, I am not getting any alerts when pinging the
Snort VM. I've checked /var/log/snort and I see two files: alert_fast.txt
and snort.pid.

Viewing the alert_fast.txt file, there isn't anything in it. I passed ls
-sh to confirm, and the file is indeed empty.

My goal is to utilize Snort as our NIDS for our entire enterprise network.
I've asked before if Snort needed to be configured to be inline and I was
told that it doesn't need to.

My home net settings are as follows:

HOME_NET = '10.x.x.x/24, 10.x.x.x./24, Domain Controller 1 IP, Domain
Controller 2 IP'

EXTERNAL_NET = 'any'

If I ping any of the IPs within that subnet or either of the DCs, Snort
is not alerting on (detecting) these ICMPs. Is there anything else I might be
missing? I followed the Snort3_3.1.0.0 on Ubuntu_18_20 Installation manual.
Rules/blacklists were pulled and updated. Snort has been active and running since
February '21.

Thanks!


_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

	To unsubscribe, send an email to:
	snort-users-leave@lists.snort.org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
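As an added example (not code from the poster or from the Snort project), the script below parses a HOME_NET list written in the same comma-separated form the post shows, reports entries that do not parse as networks, and classifies a ping by whether its source and destination fall inside HOME_NET, which is what a rule header's $HOME_NET/$EXTERNAL_NET fields are matched against. All addresses are constructed stand-ins for the post's 10.x.x.x placeholders.

```python
import ipaddress

# Constructed HOME_NET value in the post's comma-separated form. The second
# entry deliberately carries a stray trailing dot to show how a malformed
# entry is surfaced rather than silently skipped. Addresses are made up.
HOME_NET = "10.1.1.0/24, 10.1.2.0./24, 10.1.1.10, 10.1.1.11"


def parse_net_var(value):
    """Split a Snort-style network variable into (valid networks, rejected entries)."""
    networks, rejected = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits inside the prefix, e.g. 10.1.1.5/24;
            # a bare address becomes a /32 network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def in_home_net(addr, networks):
    """True if addr falls inside any parsed HOME_NET entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def classify_ping(src, dst, networks):
    """Return (src_in_home, dst_in_home) for a src -> dst packet, i.e. how the
    source and destination fields of a rule header would see this traffic."""
    return (in_home_net(src, networks), in_home_net(dst, networks))


if __name__ == "__main__":
    nets, bad = parse_net_var(HOME_NET)
    print("parsed networks:", [str(n) for n in nets])
    print("rejected entries:", bad)
    # A ping from a host in the same /24 to the Snort VM: both sides in HOME_NET.
    print("10.1.1.50 -> 10.1.1.10:", classify_ping("10.1.1.50", "10.1.1.10", nets))
    # A ping arriving from outside every HOME_NET entry.
    print("192.0.2.5 -> 10.1.1.10:", classify_ping("192.0.2.5", "10.1.1.10", nets))
```

Running it against the real HOME_NET string from snort.lua shows at a glance whether each pinged address is actually covered by a parsed entry.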
