Snort not capturing any events from internal NICs / LANs



  • Hello All,

    I have the SNORT package installed (2.9.2.3, pkg v. 2.5.4) along with SQUID (3.1.20, pkg 2.0.6) and NTOP (5.0.1, v2.3).

    Snort is configured to listen on the internal LAN. For a while now I don't see the alerts that are produced for BitTorrent or all kinds of HTTP malware; I know they happen, since we caught a few users by mistake.
    Also, I tested myself with BitTorrent and didn't get any alert; it was working before.
    My question is: is it possible that it stopped alerting on the internal interface for HTTP-related events because SQUID is in transparent mode and operates on the internal LAN, or because NTOP also listens on the internal LAN?
    If yes, how is it possible to make them coexist, keeping transparent mode and still getting alerts from SNORT on such events?

    Please advise.
    Thanks


  • anyone????



  • It is possible that the default $HOME_NET setting and whitelist association may be "swallowing" the alerts.  If you have the Squid box with an IP that is within your $HOME_NET IP block, then it would get automatically added to the whitelisting file and not generate alerts.  Some changes were made recently in the code sections that auto-generate the $HOME_NET values so that the entire LAN subnet gets added.  I think that $HOME_NET is also the "default" whitelisted network if you do not explicitly set a whitelist.

    Bill



  • Hi,
    Just found out what was wrong: since HTTP is routed to port 3128 with SQUID, I had to fill out the "Define variable HTTP_PORTS" field with 80 and 3128.
    Now I have all alerts showing as they used to.

    Thanks
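A check for the situation the last reply describes, added here as an example and not code from the thread or from the pfSense Snort package: it reads the intercepting `http_port` lines from a squid.conf and the `portvar HTTP_PORTS` line from a snort.conf and reports any transparent-proxy port that Snort's `$HTTP_PORTS` rules would not cover. The config text is constructed sample input; the `portvar` list syntax (`[80,3128]`, ranges like `8080:8090`) follows Snort 2.9's documented format, and both the Squid 3.1 `transparent` and the newer `intercept` keywords are accepted.

```python
import re

# Constructed sample configs (not from the thread): Squid intercepts HTTP on
# 3128, but HTTP_PORTS in snort.conf lists only 80, so every rule written
# against $HTTP_PORTS silently misses the proxied traffic.
SQUID_CONF = """\
http_port 3128 transparent
http_port 8080
"""
SNORT_CONF_BEFORE = "portvar HTTP_PORTS [80]\n"
SNORT_CONF_AFTER = "portvar HTTP_PORTS [80,3128]\n"  # the fix the poster applied


def squid_intercept_ports(text):
    """Ports from squid.conf http_port lines flagged transparent/intercept."""
    ports = set()
    for m in re.finditer(r"^\s*http_port\s+(?:\S*?:)?(\d+)\s*(.*)$", text, re.M):
        opts = m.group(2).split()
        if "transparent" in opts or "intercept" in opts:
            ports.add(int(m.group(1)))
    return ports


def snort_http_ports(text):
    """Expand a Snort 2.9 'portvar HTTP_PORTS [80,8080:8090]' line into ints."""
    m = re.search(r"^\s*portvar\s+HTTP_PORTS\s+\[?([^\]\n]+)\]?", text, re.M)
    if not m:
        return set()
    ports = set()
    for item in m.group(1).split(","):
        item = item.strip()
        if ":" in item:                      # port range lo:hi (inclusive)
            lo, hi = item.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        elif item:
            ports.add(int(item))
    return ports


def uncovered_proxy_ports(squid_conf, snort_conf):
    """Transparent proxy ports that Snort's HTTP rules would ignore."""
    return sorted(squid_intercept_ports(squid_conf) - snort_http_ports(snort_conf))


if __name__ == "__main__":
    print("before:", uncovered_proxy_ports(SQUID_CONF, SNORT_CONF_BEFORE))  # [3128]
    print("after: ", uncovered_proxy_ports(SQUID_CONF, SNORT_CONF_AFTER))   # []
```

The same port list must also reach the `http_inspect_server` preprocessor (pfSense's package generates both from the HTTP_PORTS variable), otherwise HTTP normalisation still only runs on port 80.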

