Snort mailing list archives
Re: Log questions
From: Phil <foo_bar_00 () yahoo com>
Date: Wed, 29 Aug 2001 00:06:31 -0700 (PDT)
--- Martin Roesch <roesch () sourcefire com> wrote:
> Phil wrote:
>
> This is a pcap problem, not a snort problem. The BPF filtering subsystem is provided by libpcap and the issues that you're seeing are completely at that layer. I'd recommend contacting the tcpdump.org guys for that one.
aight...
> > [snip lots o' attacks]
> > But not one of them was picked up by snort. I'm running snort with the following options:
>
> Did you have rules running that pick up the attacks you run? What tool were you running?
Aight. The details: I was running the attack.pl script from the snort.sourceforge.net website. The following are examples of 5 attacks that are A. in the .rules files (these three are all in the web-iis.rules file) which I have included in my snort.conf file. These five attacks were initiated against my machine via the attack scripts:

  CVE-1999-0449
  WEB-IIS codebrowser SDK access
  WEB-IIS JET VBA access (/scripts/samples/ctguestb.idc)
  WEB-IIS del attempt
  WEB-IIS JET VBA access (/scripts/samples/details.idc)

Nothing was detected by snort. In fact snort has not picked up a thing since I upgraded to 1.8.1.
> If you're having problems I'd suggest not running in daemon mode until you can be sure you aren't getting any command line error messages.
I've tried this. I get no errors, and it picks up tons of packets. I've included my config from my last post for reference:
  /usr/local/bin/snort -A fast -i ppp0 -l /var/log/snortlogs -c /etc/snort/snort.conf -D

and I have all the default includes in snort.conf. I have HOME_NET set to $ppp0_ADDRESS and EXTERNAL_NET is set to !$HOME_NET. I'm running snort Version 1.8.1-RELEASE (Build 74) on Solaris 8 x86 MU5 (7/01).
Thanks,
Phil