Snort mailing list archives

Re: snort alert -stop working with snort.conf


From: twig les <twigles () yahoo com>
Date: Mon, 29 Jul 2002 09:32:43 -0700 (PDT)

Any security scanner like nessus or whisker (which nessus uses).

--- Cearns Angela <acearns () yahoo com> wrote:
No, nothing is alerting. I don't know how to test a lot of the rules. But I tried nmap, ping -l, and I'm also testing the Stacheldraht attack, no alert. What else can I try?

But -l without -c snort.conf works.

I have static IPs for all my computers.

Thanks,
Ang


--- John Sage <jsage () finchhaven com> wrote:
Angela:

On Sat, Jul 27, 2002 at 08:18:20PM -0700, Cearns Angela wrote:
Hi I've 2 simple questions:

1. My snort alert was working fine for a while and stopped suddenly. It no longer logs the port scan file to my portscan.log in /var/log/snort... nor does it log the icmp large packets alert to my alert file in /var/log/snort.
I'm using Red Hat Linux 7.3 2.4.18. and snort 1.8.6

So, *nothing* is alerting at all, or just not portscans and icmp large packets?

What sort of connectivity do you have?

hmm..
 
[toot@sparky /]# host 128.198.172.82
82.172.198.128.in-addr.arpa. domain name pointer
multimedia.cs.uccs.edu.

Do you have a new IP address assigned by DHCP every so often?


I checked the snort.conf file and the homenet was configured correctly (same as what I use for the -h option on the command line).

When I run snort:
snort -dev -l /var/log/snort -h 192.168.0.2/16 -c snort.conf

It didn't raise any error and it reads in all the rules.

When I run snort without the config file:
snort -dev -l /var/log/snort
- it accurately creates the dest & source ip directories and logs the packets into those directories.

Any idea where I should look into the problem?

2. After getting the alert working, I'd like to test every single one of the rules in snort but I don't know the various types of intrusion very well. Is there any test case available that can help me get started?
(e.g. run a nmap -sS.... and the portscan alert will be raised; run a ping ... and a xx alert will be raised...)

Many of the snort rules look for symptoms of specific exploits.

You can't test for these without running a given exploit against your system.

nmap will scan ports in various ways, but not test all snort rules, by any means.

I'm not aware of any method to actually test each and every rule...


HTH..


- John
-- 
Why, yes, I talk to birds. I speak fluent finch.

PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
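The command line quoted above passes -h 192.168.0.2/16 as HOME_NET, while the host lookup earlier in the thread resolves the sender's address to 128.198.172.82. Snort rules written as $EXTERNAL_NET -> $HOME_NET only fire on traffic to the HOME_NET range, so one thing worth checking is whether the sensor's own address actually falls inside it; the script below is an added example, not code from the thread, and the snort.conf fragment it parses is constructed from the values in the thread.

```python
import ipaddress
import re

# Constructed snort.conf fragment using the HOME_NET value from the thread.
SAMPLE_CONF = """
var HOME_NET 192.168.0.2/16
var EXTERNAL_NET !$HOME_NET
"""


def parse_home_net(conf_text):
    """Return the networks declared by 'var HOME_NET' in a snort.conf.

    Supports 'any', a single CIDR, and a bracketed list [a/24,b/24].
    A non-canonical CIDR such as 192.168.0.2/16 is masked to its network
    (192.168.0.0/16), which is how Snort applies the netmask.
    """
    m = re.search(r"^\s*var\s+HOME_NET\s+(\S+)", conf_text, re.MULTILINE)
    if not m:
        raise ValueError("no 'var HOME_NET' declaration found")
    value = m.group(1).strip("[]")
    if value == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]


def sensor_is_in_home_net(conf_text, sensor_ip):
    """True if the sensor's address is covered by HOME_NET, else False."""
    addr = ipaddress.ip_address(sensor_ip)
    return any(addr in net for net in parse_home_net(conf_text))


def report(conf_text, sensor_ip):
    """Human-readable result for the sensor address given."""
    nets = ", ".join(str(n) for n in parse_home_net(conf_text))
    if sensor_is_in_home_net(conf_text, sensor_ip):
        return f"{sensor_ip} is inside HOME_NET [{nets}]"
    return f"{sensor_ip} is NOT inside HOME_NET [{nets}]; $HOME_NET rules will not match"


if __name__ == "__main__":
    # Addresses taken from the thread: the -h value and the host lookup result.
    for ip in ("192.168.0.2", "128.198.172.82"):
        print(report(SAMPLE_CONF, ip))
```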
