Snort mailing list archives
Re: snort alert -stop working with snort.conf
From: John Sage <jsage () finchhaven com>
Date: Sun, 28 Jul 2002 07:50:24 -0700
Angela: On Sat, Jul 27, 2002 at 08:18:20PM -0700, Cearns Angela wrote:
> Hi, I've 2 simple questions:
>
> 1. My snort alert was working fine for a while and stopped suddenly. It no longer logs port scans to my portscan.log in /var/log/snort, nor does it log ICMP large packet alerts to my alert file in /var/log/snort. I'm using Red Hat Linux 7.3 (2.4.18) and snort 1.8.6.
So, *nothing* is alerting at all, or just not portscans and ICMP large packets?

What sort of connectivity do you have? hmm..

[toot@sparky /]# host 128.198.172.82
82.172.198.128.in-addr.arpa. domain name pointer multimedia.cs.uccs.edu.

Do you have a new IP address assigned by DHCP every so often?
> I checked the snort.conf file and the homenet was configured correctly (same as what I use for the -h option on the command line). When I run snort:
>
>     snort -dev -l /var/log/snort -h 192.168.0.2/16 -c snort.conf
>
> it didn't raise any error and it reads in all the rules. When I run snort without the config file:
>
>     snort -dev -l /var/log/snort
>
> it accurately created the dest & source IP directories and logged the packets into those directories. Any idea where I should look for the problem?
>
> 2. After getting the alert working, I'd like to test every single one of the rules in snort, but I don't know the various types of intrusion very well. Is there any test case available that can help me get started? (e.g. run an nmap -sS.... and the portscan alert will be raised; run a ping ... and a xx alert will be raised...)
Many of the snort rules look for symptoms of specific exploits. You can't test for these without running a given exploit against your system.

nmap will scan ports in various ways, but not test all snort rules, by any means.

I'm not aware of any method to actually test each and every rule...

HTH..

- John

--
Why, yes, I talk to birds. I speak fluent finch.
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
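An added check, not code from the thread or from the Snort project: John's reply asks whether the box gets a new address by DHCP, and Angela runs snort with -h 192.168.0.2/16 and says snort.conf carries the same HOME_NET. Rules written against $HOME_NET and the portscan preprocessor only consider traffic to or from that network, so a sensor whose address has drifted outside it goes quiet without any error at startup. The script below compares the HOME_NET line in a snort.conf with the -h value and with a given sensor address. The snort.conf fragment and the first sample address are constructed; the second sample address is the one the reply above resolved with host, and whether it was ever the sensor's own interface address is not something the thread establishes. That Snort masks off the host bits when given 192.168.0.2/16 (treating it as 192.168.0.0/16) is my assumption.

```python
"""Sanity-check Snort's HOME_NET against the -h value and the sensor's
current address.  Added example for this archive page, not code from the
thread or from the Snort project.  The snort.conf fragment and the sample
addresses used in __main__ are constructed."""
import ipaddress
import re

# Constructed snort.conf fragment in the Snort 1.8-era "var" syntax.
SNORT_CONF = """\
# constructed sample, not a real deployment
var HOME_NET 192.168.0.2/16
var EXTERNAL_NET !$HOME_NET
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
"""


def normalize_cidr(cidr):
    """Return (network, had_host_bits) for a CIDR string.

    Assumption: Snort masks off host bits, so "192.168.0.2/16" is treated
    as the network 192.168.0.0/16 whether it arrives via -h or HOME_NET.
    """
    iface = ipaddress.ip_interface(cidr)
    return iface.network, iface.ip != iface.network.network_address


def parse_home_net(conf_text):
    """Return the list of networks named by the 'var HOME_NET' line.

    Handles a single CIDR or a bracketed list such as [a/24,b/16].
    A negated entry makes no sense for HOME_NET and is rejected.
    """
    m = re.search(r"^\s*var\s+HOME_NET\s+(\S+)", conf_text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'var HOME_NET' line in snort.conf")
    nets = []
    for item in m.group(1).strip("[]").split(","):
        item = item.strip()
        if item.startswith("!"):
            raise ValueError("negated entry in HOME_NET: %s" % item)
        nets.append(normalize_cidr(item)[0])
    return nets


def check_sensor_address(conf_text, cmdline_h, sensor_ip):
    """Compare HOME_NET in snort.conf with the -h argument and with the
    address the sensor interface currently holds.  Returns a dict of
    findings so the caller can decide what to do about them."""
    conf_nets = parse_home_net(conf_text)
    h_net, h_host_bits = normalize_cidr(cmdline_h)
    ip = ipaddress.ip_address(sensor_ip)
    return {
        # snort.conf and -h should name the same network after masking
        "conf_matches_cmdline": conf_nets == [h_net],
        # a host address given where a network was expected: harmless once
        # masked, but a sign the value was copied from an interface rather
        # than from a subnet plan
        "host_bits_in_cmdline": h_host_bits,
        # if DHCP moved the box outside HOME_NET, $HOME_NET rules and the
        # portscan preprocessor no longer treat its traffic as "home"
        "sensor_in_home_net": any(ip in n for n in conf_nets),
    }


if __name__ == "__main__":
    # 192.168.5.17 is a constructed in-range address; 128.198.172.82 is the
    # address resolved in the reply above, used here only as an out-of-range
    # sample.
    for addr in ("192.168.5.17", "128.198.172.82"):
        print(addr, check_sensor_address(SNORT_CONF, "192.168.0.2/16", addr))
```

The useful output is the third finding: if the address snort is actually listening on is not inside HOME_NET, every rule that says `$HOME_NET` on its destination side is silently dead, while packet logging without -c (which Angela saw working) is unaffected because it does not consult HOME_NET at all.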
Current thread:
- snort alert -stop working with snort.conf Cearns Angela (Jul 27)
- Re: snort alert -stop working with snort.conf John Sage (Jul 28)
- Re: snort alert -stop working with snort.conf Cearns Angela (Jul 28)
- Re: snort alert -stop working with snort.conf twig les (Jul 29)
- Re: snort alert -stop working with snort.conf David Yip (Jul 29)
- snort-flood detection preprocessor Cearns Angela (Aug 02)
- Re: snort alert -stop working with snort.conf Cearns Angela (Jul 28)
- Re: snort alert -stop working with snort.conf John Sage (Jul 28)