Snort mailing list archives

RE: Clueless in Toronto


From: "Rich Stryker" <rstryker () virtuallearning net>
Date: Thu, 19 Dec 2002 15:18:03 -0500

Joel,

        Thank you for your help. I have not as yet figured out why it dies while logging to binary, but I did get some 
logs created by SNORT. Those files couldn't be read by SNORT, WINDUMP or a text editor; the errors kept saying 
it wasn't a real file or something.

        I have also played around with the snort.conf file. If only I had read it a bit more... I had reconfigured the 
unified binary output, which explains the weird logfile names. I put the snort.conf back to its normal settings and now I 
get the alert.ids file. I now have to figure out how SNORTSNARF works. :-)

        I would like to get the binary working soon but I guess I should learn to crawl before I walk. Do you or anyone 
else know why SNORTSNARF doesn't return any output in HTML format? I have the alert.ids file in the directory 
SNORTSNARF was told to look into, as per the installation instructions from Silicon Defense, and I also have over 20 
subfolders, labelled with IP addresses, so why does SNORTSNARF not show me anything?

        Is it because the only traffic on the network is ICMP stuff like PING and TRACERT and basic NT authentication?

Still Clueless but hopefully getting better....

Rich

-----Original Message-----
From: Joel Healy [mailto:Joel.Healy () amphenderson co nz]
Sent: Thursday, December 19, 2002 2:38 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto


Hi Rich...

Can't think of any reasons off the top of my head why snort would die when
reconfigured to output to a unified binary file, perhaps filesystem
permissions or misconfiguration of a snort.conf parameter? To check your
configuration try starting snort in self-testing verbose mode (snort -T -c
snort.conf) which may help.

When it comes to running snort on windows I have never had much success
installing it as a service; when I have it on a W2K box I tend to run it as a
foreground app.  I tend to prefer running it on a *nix host as it gives me a
bit more flexibility in processing the output logs etc.

Also be aware that the unified binary output file cannot be played back by
snort; this output format requires a separate utility like Barnyard or the
such.  Easy mistake to make though, as the TCPDUMP (or pcap) output options
are referred to as a binary log file, which can be played back by snort.

cheers

joel
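Joel's point about unified output not being replayable by snort, illustrated with an added example that is not from either poster: a small Python check that reads the first four bytes of a Snort output file to tell a pcap savefile (readable by snort -r or windump -r) from a unified log or unified alert file (Barnyard territory). The magic values are the ones in libpcap's savefile header and Snort's unified output plugin as I recall them; treat them as an assumption to verify against those sources.

```python
import struct

# Magic numbers, assumed from the libpcap savefile header and Snort's
# unified output plugin (spo_unified.h); verify against the sources.
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}
UNIFIED_LOG_MAGIC = 0xDEAD1080
UNIFIED_ALERT_MAGIC = 0xDEAD4137


def classify_snort_log(header: bytes) -> str:
    """Classify a Snort output file by its leading bytes.

    Returns 'pcap', 'unified-log', 'unified-alert' or 'unknown'.
    """
    if len(header) < 4:
        return 'unknown'
    # Both formats write the magic in host byte order, so an Intel
    # box (like a W2K host) produces little-endian; check both orders.
    le = struct.unpack('<I', header[:4])[0]
    be = struct.unpack('>I', header[:4])[0]
    if le in PCAP_MAGICS or be in PCAP_MAGICS:
        return 'pcap'
    if UNIFIED_LOG_MAGIC in (le, be):
        return 'unified-log'
    if UNIFIED_ALERT_MAGIC in (le, be):
        return 'unified-alert'
    return 'unknown'


def replay_advice(kind: str) -> str:
    """Map the detected format to the tool that can actually read it."""
    return {
        'pcap': 'pcap savefile: snort -r <file> or windump -r <file>',
        'unified-log': 'Snort unified log: feed it to Barnyard, not snort -r',
        'unified-alert': 'Snort unified alert: feed it to Barnyard, not snort -r',
    }.get(kind, 'neither pcap nor unified; check the output plugin in snort.conf')


def inspect_file(path: str) -> tuple:
    """Read a file's header from disk and return (kind, advice)."""
    with open(path, 'rb') as fh:
        kind = classify_snort_log(fh.read(4))
    return kind, replay_advice(kind)


if __name__ == '__main__':
    # Constructed sample headers, not real capture data.
    samples = {
        'constructed.unified.log': struct.pack('<I', UNIFIED_LOG_MAGIC),
        'constructed.unified.alert': struct.pack('<I', UNIFIED_ALERT_MAGIC),
        'constructed.pcap': struct.pack('<I', 0xA1B2C3D4),
        'alert.ids': b'[**] ',  # full-alert text output, not binary at all
    }
    for name, head in samples.items():
        kind = classify_snort_log(head)
        print(f'{name}: {kind} -> {replay_advice(kind)}')
```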

