Re: Re[4]: Snort problem.

From: Andrew Thompson (andy@sambolian.net.nz)
Date: 07/12/02


Date: Fri, 12 Jul 2002 23:10:55 +1200
From: Andrew Thompson <andy@sambolian.net.nz>
To: dawnshade <h-k@mail.ru>

Hi,

Try running snort in the foreground and without syslog. I use this:

/usr/local/bin/snort -i ep1 -A fast -c /usr/local/etc/snort.conf -m 027

This is the output that I receive; note the line in the output where it says
"885 Snort rules read..."

Log directory = /var/log/snort

Initializing Network Interface ep1
WARNING: OpenPcap() device ep1 network lookup:
        ep1: no IPv4 address assigned

        --== Initializing Snort ==--
Decoding Ethernet on interface ep1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
Back Orifice detection brute force: DISABLED
Using LOCAL time
885 Snort rules read...
885 Option Chains linked into 107 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

--Andy

Quoting dawnshade <h-k@mail.ru>:

> Hello Andrew,
>
> Friday, July 12, 2002, 1:13:04 PM, you wrote:
>
> AT> Have you got any snort rules loaded? It will say that it has loaded x number of
> AT> rules when it starts up. I have been caught out before when it has not logged
> AT> anything, and it turned out that no rules were loaded.
>
>
> AT> --Andy
>
>
> AT> Quoting dawnshade <h-k@mail.ru>:
>
> >> Hello faSty,
> >>
> >> Friday, July 12, 2002, 9:38:45 AM, you wrote:
> >>
> >> f> Did you check /var/log/messages? Because -s means it goes directly to syslogd,
> >> f> which sends it to /var/log/messages. That depends on your syslogd.conf; unless it is
> >> f> the default syslogd.conf, check /var/log/messages.
> >>
> >> f> My snort on bridge look like:
> >> f> /usr/local/bin/snort -A full -D -e -d -s -i fxp1 -c /usr/local/etc/snort.conf
> >>
> >> f> -fasty
> >>
> >> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
> >> >> I have a little problem:
> >> >> I installed and configured snort (1.8.6 (Build 105)).
> >> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
> >> >>
> >> >> But snort does nothing: it does not log or alert on scans, portscans,
> >> >> etc....
> >> >>
> >> >> Thanks to all in advance.
> >> >>
> >> >>
> >>
> >> in syslog.conf i added these lines:
> >>
> >> LOG_ALERT /usr/log/snort.log
> >> LOG_AUTHPRIV /usr/log/snort.log
> >>
> >> In messages there is only the snort startup message:
> >>
> >> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
> >> Jul 12 09:44:01 mx snort: Initializing daemon mode
> >> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
> >> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: limit == 128
> >> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
> >> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
> >>
>
>
> No, snort "talks" only these lines:
>
> >> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
> >> Jul 12 09:44:01 mx snort: Initializing daemon mode
> >> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
> >> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: limit == 128
> >> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
> >> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
>
> --
> Best regards,
> dawnshade mailto:h-k@mail.ru
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>
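A small check for the startup output Andy describes, added here and not part of the thread or of Snort itself: it pulls the "N Snort rules read" count out of Snort's initialization banner and flags a zero-rule start or the "command line overrides rules file alert plugin" warnings seen in dawnshade's syslog. Both sample texts are constructed from lines quoted in this thread.

```python
import re

# Constructed from the foreground banner quoted in this thread (not a live capture).
SAMPLE_FOREGROUND = """\
Parsing Rules file /usr/local/etc/snort.conf
Initializing rule chains...
885 Snort rules read...
885 Option Chains linked into 107 Chain Headers
0 Dynamic rules
        --== Initialization Complete ==--
"""

# Constructed from the syslog lines in the thread: the rule count never reaches syslog.
SAMPLE_SYSLOG = """\
Jul 12 09:44:01 mx snort: Initializing daemon mode
Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
"""

RULES_RE = re.compile(r"(\d+) Snort rules read")
CHAINS_RE = re.compile(r"(\d+) Option Chains linked into (\d+) Chain Headers")
OVERRIDE_RE = re.compile(r"WARNING: command line overrides rules file \w+ plugin")


def check_snort_startup(text):
    """Summarise a Snort 1.8-style startup log and list anything that explains silence."""
    rules_m = RULES_RE.search(text)
    chains_m = CHAINS_RE.search(text)
    rules = int(rules_m.group(1)) if rules_m else None
    headers = int(chains_m.group(2)) if chains_m else None
    overrides = len(OVERRIDE_RE.findall(text))
    problems = []
    if rules is None:
        problems.append("no 'Snort rules read' line: run in the foreground to see the banner")
    elif rules == 0:
        problems.append("0 rules loaded: Snort starts cleanly but will never alert")
    if overrides:
        problems.append("-A/-s on the command line overrides the alert plugin in snort.conf "
                        "(%d warning(s))" % overrides)
    return {"rules": rules, "chain_headers": headers, "overrides": overrides, "problems": problems}


if __name__ == "__main__":
    for name, sample in (("foreground", SAMPLE_FOREGROUND), ("syslog", SAMPLE_SYSLOG)):
        print(name, check_snort_startup(sample))
```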
