Snort mailing list archives
Re: snort woes
From: Jim Starke <jstarke () ptd net>
Date: Sat, 11 Aug 2001 18:21:16 -0400
Jed Pickel wrote:
To determine if the rules are the issue -- test with a rule that you know will work: alert tcp any any -> any any (msg:"TCP traffic";)
I added that rule to the virus.rules and it doesn't cause any additions to the mysql database.
Maybe this is a clue for someone: I removed the -p so that eth1 went into promiscuous mode, and it did log a few ICMP packets to the database for a few of my neighbors. It appears that Snort's ability to log to MySQL is working OK. It just did not add any TCP or UDP traffic to the database, even though I browsed several websites just to check it out and my neighbors were quite busy either browsing or downloading something.
However, I watched several code red probes go right by it and they never got logged.
Since I had the icmp packets in the database, I went ahead and installed Acid and have it working now.
-- Quidquid latine dictum sit, altum viditur. http://www.jcsmall.com/homepage
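One check the thread does not spell out, added here as an example rather than anything from the original post: query the Snort database directly to see which signatures and IP protocols have actually been logged, which separates "the TCP rule never fired" from "the MySQL output plugin is broken". It assumes the table and column names created by Snort's stock create_mysql schema (event, signature, iphdr); adjust if your schema differs.

```sql
-- Added diagnostic queries; assumed schema is Snort's stock create_mysql
-- layout (event, signature, iphdr), not something taken from the thread.

-- 1. Which alerts have been logged, and how many of each?
SELECT s.sig_name, COUNT(*) AS hits
FROM event e
JOIN signature s ON s.sig_id = e.signature
GROUP BY s.sig_name
ORDER BY hits DESC;

-- 2. Logged events by IP protocol (1 = ICMP, 6 = TCP, 17 = UDP).
--    If only protocol 1 appears, the TCP/UDP rules never fired or the
--    packets never reached the sensor; the database path itself works.
SELECT ip.ip_proto, COUNT(*) AS events
FROM iphdr ip
GROUP BY ip.ip_proto;

-- 3. Did the catch-all test rule ("TCP traffic") ever write a row?
--    ip_src/ip_dst are stored as unsigned integers, hence INET_NTOA.
SELECT e.sid, e.cid, e.timestamp,
       INET_NTOA(ip.ip_src) AS src, INET_NTOA(ip.ip_dst) AS dst
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
WHERE s.sig_name = 'TCP traffic'
ORDER BY e.timestamp DESC
LIMIT 10;
```

If query 3 returns nothing while Snort is running with that rule loaded, run Snort with console alerting (-A console) on the same interface first; a rule that prints there but never reaches MySQL points at the output plugin, while one that never prints points at rule loading or interface capture.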