Snort mailing list archives

Re: snort woes


From: Jim Starke <jstarke () ptd net>
Date: Sat, 11 Aug 2001 18:21:16 -0400

Jed Pickel wrote:

> To determine if the rules are the issue -- test with a rule that you
> know will work.
>
>    alert tcp any any -> any any (msg:"TCP traffic";)

I added that rule to the virus.rules and it doesn't cause any additions to the mysql database.

Maybe this is a clue for someone: I removed the -p so that eth1 went into promiscuous mode, and it did log a few ICMP packets to the database for a few of my neighbors. It appears that the ability for snort to log to mysql is working ok. It just did not add any TCP or UDP traffic to the database, and I browsed several websites just to check it out, and my neighbors were quite busy either browsing or downloading something.

However, I watched several code red probes go right by it and they never got logged.

Since I had the icmp packets in the database, I went ahead and installed Acid and have it working now.

--
Quidquid latine dictum sit, altum videtur.
http://www.jcsmall.com/homepage


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
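One way to narrow down where the TCP/UDP alerts are being lost, as an added diagnostic that is not part of this thread: if snort is also writing the fast-format alert file (the "alert_fast" output), tally that file by protocol. If the catch-all TCP rule never shows up there either, the problem is capture or rule loading; if it does, the gap is between snort and the MySQL output plugin. The alert lines below are constructed samples, not captured output.

```python
import re
from collections import Counter

# Layout of a Snort 1.x alert_fast line:
#   timestamp [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:port -> dst:port
# ICMP alerts carry no ports, so the port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alert(line):
    """Return the fields of one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def protocol_counts(lines):
    """Count alerts per protocol; lines that do not parse are counted as UNPARSED."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_alert(line)
        counts[rec["proto"] if rec else "UNPARSED"] += 1
    return counts


def missing_protocols(counts, expected=("TCP", "UDP", "ICMP")):
    """Protocols you expected to see alerts for but that never fired."""
    return [p for p in expected if counts.get(p, 0) == 0]


# Constructed sample alert file (RFC 5737 addresses, made-up sids); the
# sid 1000001 rule stands in for the catch-all "TCP traffic" rule above.
SAMPLE_ALERTS = """\
08/11-18:21:16.123456  [**] [1:1000001:0] TCP traffic [**] [Priority: 0] {TCP} 192.0.2.10:34567 -> 198.51.100.5:80
08/11-18:21:17.000001  [**] [1:1000001:0] TCP traffic [**] [Priority: 0] {TCP} 192.0.2.10:34568 -> 198.51.100.5:80
08/11-18:21:18.500000  [**] [1:1000002:0] ICMP PING [**] [Priority: 0] {ICMP} 203.0.113.4 -> 192.0.2.10
this line is not an alert and is reported as UNPARSED
"""

if __name__ == "__main__":
    counts = protocol_counts(SAMPLE_ALERTS.splitlines())
    print(dict(counts))                 # {'TCP': 2, 'ICMP': 1, 'UNPARSED': 1}
    print("never fired:", missing_protocols(counts))   # ['UDP']
```

Run it against the real alert file with `protocol_counts(open("/var/log/snort/alert"))` and compare the per-protocol totals with what ACID shows from the database.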
