Snort.org home  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Downloads Snort Docs Rules Snort Community Snort Forums Snort Training
Search Site
Search Rules
Account
email
password
not registered?
user preferences

Snort Forums Archive

Archive Home » Linux » Confused by results from two versions of snort

Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.

[ Notice: Full Version of This Topic ]

Confused by results from two versions of snort


Posted by trwagner1 on October 20, 2006 08:43:00

We have had Snort 1.1.2 (zora) with BASE installed now for quite some time. I set up a new Snort box 1.2.6 (christine) with BASE this week.

I have both connected to a hub off the switchport on my cisco router.

I'm confused by the results. BOTH zora and christine have the most recent rule sets for their respective versions.

However, I'm getting drastically different results!

On the old version (zora) I see a lot of ICMP.

On the new version (christine) I see just a small fraction of what zora sees. As a matter of fact, in a 3 hour time-span, christine sees 0 ICMP and zora is seeing 579.

Additionally, on zora, it sees activity of 16 port scans whereas christine sees 7....again, time span of 3 hours, both on the same hub off the switchport on my cisco router.

Why would I see such widely different results from two different versions? Doesn't seem right to me.

Thanks

Ted
site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.