Snort mailing list archives
Re: snort alert -stop working with snort.conf
From: twig les <twigles () yahoo com>
Date: Mon, 29 Jul 2002 09:32:43 -0700 (PDT)
Any security scanner like nessus or whisker (which nessus uses).

--- Cearns Angela <acearns () yahoo com> wrote:
> No, nothing is alerting. I don't know how to test a lot of the rules. But I tried nmap, ping -l, and I'm also testing the Stacheldraht attack, no alert. What else can I try? but -l without -c snort.conf works. I've static ip for all my computers.
>
> Thanks,
> Ang
>
> --- John Sage <jsage () finchhaven com> wrote:
>> Angela:
>>
>> On Sat, Jul 27, 2002 at 08:18:20PM -0700, Cearns Angela wrote:
>>> Hi
>>> I've 2 simple questions:
>>> 1. My snort alert was working fine for a while and stopped suddenly. It no longer logs port scan file to my portscan.log in /var/log/snort...nor does it log icmp large packets alert to my alert file in /var/log/snort. I'm using Red Hat Linux 7.3 2.4.18. and snort 1.8.6
>>
>> So, *nothing* is alerting at all, or just not portscans and icmp large packets?
>>
>> What sort of connectivity do you have?
>>
>> hmm..
>>
>> [toot@sparky /]# host 128.198.172.82
>> 82.172.198.128.in-addr.arpa. domain name pointer multimedia.cs.uccs.edu.
>>
>> Do you have a new IP address assigned by DHCP every so often?
>>
>>> I checked the snort.conf file and the homenet was configured correctly (same as what I use for the -h option on command line).
>>> When I run snort:
>>> snort -dev -l /var/log/snort -h 192.168.0.2/16 -c snort.conf
>>> It didn't raise any error and it reads in all the rules.
>>> When I run snort without the config file:
>>> snort -dev -l /var/log/snort - it accurately created the dest & source ip directory log the packets into those directories
>>> Any idea where I should look into the problem?
>>>
>>> 2. After getting the alert working, I'd like to test every single one of the rules in snort but I don't know the various types of intrusion very well. Is there any test case available that can help me get started? (e.g. run a nmap -sS....and the portscan alert will be raised; run a ping ... and a xx alert will be raised...)
>>
>> Many of the snort rules look for symptoms of specific exploits. You can't test for these without running a given exploit against your system.
>>
>> nmap will scan ports in various ways, but not test all snort rules, by any means.
>>
>> I'm not aware of any method to actually test each and every rule...
>>
>> HTH..
>>
>> - John
>> --
>> Why, yes, I talk to birds. I speak fluent finch.
>> PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
>> Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D08E0C D0 BE C8 38 CC B5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------