Snort mailing list archives
RE: newbie snort user on windows xp needs help please
From: Scott Weeks <surfer () mauislanwanman com>
Date: Wed, 26 Jun 2002 17:22:27 -1000 (HST)
On Wed, 26 Jun 2002, Michael Steele wrote:

: Scott,
:
: There are a multitude of new people visiting this list every day, or I
: would hope. The information, no matter how trivial will help someone. It
: will also help people to better understand Snort and what works and what
: doesn't work and hopefully that knowledge will better the Snort
: community.
:
: How I usually, and I'm sure most of the tech's that monitor this list
: deal with posting is; not only to reply back to the list but to CC the
: poster so he or she can get the required information the quickest
: possible way.

Hello list members,

Here's the gist of my problem... I am finding documentation for windows lacking. I'm using XP Home Edition (unfortunately) and IDScenter 1.09 Beta 1.3. (Beta. Maybe that's my problem?) on my home computer, so I can get used to using SNORT in preparation for an interview I have coming up.

Just to get some traffic generated I put in the following rules:

    log tcp any any <> any any (msg: "test";)
    alert tcp any any <> any any (msg: "test";)

These are in the "IDS rules" part of the GUI interface.

In the "Logs/Alerts" section I left the path unchanged:

    C:\Program Files\IDS_systems\Sourcefire\log\alert.ids

In the "General Setup" window I click on "Create Script" and everything's OK. For the IP I use the "Select" button and check with the "Command Prompt" (DOS screen) using the ipconfig command, so I know it's the correct one. (My ISP uses DHCP) I also used the "Test Configuration" button for sanity's sake. All is good.

When I click "Start Snort" a DOS window opens up and remains open. I'm assuming that the "alert" rule should cause things to show up in that window and the "log" rule should cause the same entries to show up in the "alert.ids" file and those should be able to be seen when clicking on the "View Alerts" button.

However nothing shows up on the DOS screen nor does anything show up in the "View Alerts" window when I put the path to the file "C:\Program Files\IDS_systems\Sourcefire\log\alert.ids" in the "Search alert log" box.

Thanks,
scott
Current thread:
- newbie snort user on windows xp needs help please Scott Weeks (Jun 25)
- <Possible follow-ups>
- RE: newbie snort user on windows xp needs help please Michael Steele (Jun 26)
- RE: newbie snort user on windows xp needs help please Scott Weeks (Jun 27)
- RE: newbie snort user on windows xp needs help please Michael Steele (Jun 26)
- RE: newbie snort user on windows xp needs help please Scott Weeks (Jun 28)