Re: Re[2]: Snort problem.

From: Andrew Thompson (andy@sambolian.net.nz)
Date: 07/12/02


Date: Fri, 12 Jul 2002 21:13:04 +1200
From: Andrew Thompson <andy@sambolian.net.nz>
To: dawnshade <h-k@mail.ru>

Have you got any Snort rules loaded? It will say that it has loaded x number of
rules when it starts up. I have been caught out before when it has not logged
anything, and it turned out that no rules were loaded.

--Andy

Quoting dawnshade <h-k@mail.ru>:

> Hello faSty,
>
> Friday, July 12, 2002, 9:38:45 AM, you wrote:
>
> f> Did you check /var/log/messages? Because -s means it goes directly to syslogd,
> f> which sends it to /var/log/messages. It depends on what is in your syslogd.conf,
> f> but if it is the default syslogd.conf then check /var/log/messages.
>
> f> My snort on the bridge looks like:
> f> /usr/local/bin/snort -A full -D -e -d -s -i fxp1 -c /usr/local/etc/snort.conf
>
> f> -fasty
>
> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
> >> I have a little problem:
> >> install, configure snort (1.8.6 (Build 105)).
> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
> >>
> >> But snort does nothing: it does not log or alert on scans, portscans,
> >> etc....
> >>
> >> Thanks to all in advance.
> >>
> >>
>
> In syslog.conf I added these lines:
>
> LOG_ALERT /usr/log/snort.log
> LOG_AUTHPRIV /usr/log/snort.log
>
> In messages there is only snort's startup message:
>
> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
> Jul 12 09:44:01 mx snort: Initializing daemon mode
> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> Jul 12 09:44:01 mx snort: limit == 128
> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
>
> --
> Best regards,
> dawnshade mailto:h-k@mail.ru
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>
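Andy's advice above is to read Snort's startup output for the rule count. As an added example (not code from the thread or from the Snort project), here is a small Python check that runs over syslog lines like the ones dawnshade quoted and reports whether Snort finished starting, how many rules it said it loaded, and whether a command-line option overrode the alert output configured in snort.conf. The sample log is constructed from the lines in the thread; the rule-count line format "<N> Snort rules read..." is an assumption about Snort's startup output, not something shown on this page.

```python
"""Sanity-check Snort startup output the way the reply suggests: did it
actually load any rules, and did the command line override the configured
alert output?  Input is syslog text such as the lines quoted in the thread."""
import re
from typing import Dict, List, Optional

# Constructed sample input: the syslog lines quoted in the thread.
SYSLOG_FROM_THREAD = """\
Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
Jul 12 09:44:01 mx snort: Initializing daemon mode
Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
Jul 12 09:44:01 mx snort: limit == 128
Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
"""

# Constructed variant with a rule-count line added.  The wording
# "<N> Snort rules read..." is an assumption about Snort's startup output,
# not something shown in the thread.
HEALTHY_STARTUP = SYSLOG_FROM_THREAD.replace(
    "snort: limit == 128\n",
    "snort: limit == 128\nJul 12 09:44:01 mx snort: 1273 Snort rules read...\n",
)

# syslog line layout: "<Mon> <day> <time> <host> snort[pid]: <message>"
SNORT_LINE = re.compile(r"^\w{3}\s+\d+ \S+ \S+ snort(?:\[\d+\])?: (?P<msg>.*)$")
RULES_READ = re.compile(r"^(?P<n>\d+) Snort rules read")  # assumed format
OVERRIDE_WARNING = "command line overrides rules file alert plugin"
STARTED = "Snort initialization completed successfully"


def snort_messages(log: str) -> List[str]:
    """Return just the message part of every syslog line written by snort."""
    msgs: List[str] = []
    for line in log.splitlines():
        m = SNORT_LINE.match(line)
        if m:
            msgs.append(m.group("msg"))
    return msgs


def check_startup(log: str) -> Dict[str, object]:
    """Summarise a Snort startup and list anything a defender should act on."""
    msgs = snort_messages(log)
    rules: Optional[int] = None
    for msg in msgs:
        m = RULES_READ.match(msg)
        if m:
            rules = int(m.group("n"))
    started = any(STARTED in m for m in msgs)
    overridden = any(OVERRIDE_WARNING in m for m in msgs)

    findings: List[str] = []
    if not started:
        findings.append("no 'initialization completed' message: snort may not be running")
    if rules is None:
        findings.append("no rule-count line in startup output: check that the -c config actually includes rules")
    elif rules == 0:
        findings.append("0 rules loaded: snort will capture traffic but never alert")
    if overridden:
        findings.append("a command-line alert option overrides the alert output configured in snort.conf: "
                        "alerts go where the command line says, not where the config says")
    return {
        "started": started,
        "rules_loaded": rules,
        "alert_plugin_overridden": overridden,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, log in (("thread", SYSLOG_FROM_THREAD), ("healthy", HEALTHY_STARTUP)):
        report = check_startup(log)
        print(f"[{name}] started={report['started']} rules={report['rules_loaded']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the thread's own lines it reports that Snort started but never said how many rules it read, which is exactly the situation Andy describes; against the constructed healthy variant it reports 1273 rules and no rule-count finding. In practice you would feed it the output of `snort` run in the foreground or `grep snort /var/log/messages` after a restart.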
