Well... Snort is definitely not seeing anything. We do have a Dynamic VLAN
setup in Test right now, and it detected the bittorrent activity
immediately. So... somehow I guess Snort isn't binding to the VLAN
interfaces for our Inline connections properly? We haven't set up a proper
SPAN interface in our Production environment yet, but maybe that's required?
Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630
On Wed, Feb 24, 2016 at 4:21 PM, Louis Munro <[email protected]> wrote:
>
>
> On Feb 24, 2016, at 10:08 , Nathan, Josh <[email protected]> wrote:
>
> Thanks for the reply Louis! I actually ended up having to use the
> /usr/local/pf/*var*/conf/snort.conf file as it didn't like the variables,
> etc, in the pre-processed version.
>
>
> That is actually my mistake.
> The patch really should be the one under var/conf/.
>
> It is *NOT* showing any bittorrent activity.
>
>
> I'm sorry to say that I'm not sure where to look to figure out why it's
> not working. I guess I've relied too much on it working "out of the box".
> Where should I start for figuring out why Snort isn't detecting bittorrents?
>
>
> Make sure traffic is actually forwarded to the interface that snort is
> listening to.
> Does snort show actual packets being seen and counted in its statistics?
>
>
> The way I handle these issues usually is to start with a fake known
> signature.
> Something along the lines of
>
> alert icmp any any -> any any ( msg: "ICMP packet detected!"; sid: 1000001; rev: 1; )
>
> added to the local rules under conf/snort/
>
> Should detect any ICMP packet seen by the interface.
> You could then ping your gateway and (assuming that traffic is forwarded
> to snort) it should detect it.
> That would demonstrate that rules processing is actually working.
>
> It’s then a matter of making sure you have a rule to match bittorrent.
> Check your snort.conf to see which rules are included.
>
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
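The three checks in Louis's reply (is traffic reaching the interface, does rule processing work, is a matching rule included), as an added Python example that is not part of this thread or of PacketFence: it parses a constructed Snort 2.9 shutdown summary and a constructed snort.conf fragment. The counter names follow the "Packet I/O Totals" and "Action Stats" blocks Snort prints on exit; the sample values are assumptions.

```python
"""Triage helpers for the "Snort sees nothing" case in this thread."""
import re

# Constructed sample of a Snort 2.9 shutdown summary (not a real capture).
SAMPLE_STATS = """\
Packet I/O Totals:
   Received:         1234
   Analyzed:         1234 (100.000%)
   Dropped:             0 (  0.000%)
Breakdown by protocol (includes rebuilt packets):
      Eth:         1234 (100.000%)
     VLAN:         1234 (100.000%)
     IP4:          1200 ( 97.245%)
     ICMP:           24 (  1.945%)
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
"""

# One counter per line: "   Name:   N ..." (section headers contain spaces, so they are skipped).
COUNTER = re.compile(r"^\s*([A-Za-z0-9]+):\s+(\d+)", re.M)

def parse_stats(text):
    """Return {counter_name: int} for every 'Name: N' line in the summary."""
    return {m.group(1): int(m.group(2)) for m in COUNTER.finditer(text)}

def diagnose(stats):
    """Map the counters onto the three questions raised in the thread."""
    if stats.get("Received", 0) == 0:
        return "no packets received: traffic is not reaching the sniffing interface (SPAN/VLAN binding)"
    if stats.get("ICMP", 0) > 0 and stats.get("Alerts", 0) == 0:
        return "packets seen, ICMP present, but zero alerts: rule processing or rule loading is the problem"
    if stats.get("Alerts", 0) > 0:
        return "alerts fire: traffic and rule engine OK, check that a bittorrent rule is included"
    return "packets received but no ICMP yet: ping the gateway through the monitored segment and re-check"

# 'include <file>' lines are how snort.conf pulls in rule files; commented-out includes are ignored.
INCLUDE = re.compile(r"^\s*include\s+(\S+)", re.M)

def included_rules(conf_text):
    """List the rule files snort.conf includes, with $RULE_PATH left unexpanded."""
    return INCLUDE.findall(conf_text)

# Constructed snort.conf fragment; the var/conf path is the one Josh reported using.
SAMPLE_CONF = """\
var RULE_PATH /usr/local/pf/var/conf/rules
include $RULE_PATH/local.rules
# include $RULE_PATH/p2p.rules
"""
```

Feed `parse_stats` the summary Snort prints when it is stopped, and `included_rules` the active snort.conf; a missing p2p/bittorrent rule file in the second output explains silence even when the ICMP test alert fires.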