Snort mailing list archives
RE: Clueless in Toronto
From: "Rich Stryker" <rstryker () virtuallearning net>
Date: Thu, 19 Dec 2002 15:18:03 -0500
Joel,

Thank you for your help. I have not as yet figured out why it dies while logging to binary, but I did get some logs created by SNORT. Those files couldn't be read by SNORT, WINDUMP or a text editor; the errors kept saying it wasn't a real file or something. I have also played around with the snort.conf file. If only I had read it a bit more... I had reconfigured the unified binary output, which explains the weird logfile names. I put the snort.conf back to its normal settings and now I get the alert.ids file. I now have to figure out how SNORTSNARF works. :-) I would like to get the binary working soon, but I guess I should learn to crawl before I walk.

Do you or anyone else know why SNORTSNARF doesn't return any output in HTML format? I have the alert.ids file in the directory SNORTSNARF was told to look into, as per the installation instructions from Silicon Defense, and I also have over 20 subfolders labelled with IP addresses, so why does SNORTSNARF not show me anything? Is it because the only traffic on the network is ICMP stuff like PING and TRACERT and basic NT authentication?

Still clueless but hopefully getting better....

Rich

-----Original Message-----
From: Joel Healy [mailto:Joel.Healy () amphenderson co nz]
Sent: Thursday, December 19, 2002 2:38 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto

Hi Rich...

Can't think of any reasons off the top of my head why snort would die when reconfigured to output to a unified binary file; perhaps filesystem permissions or misconfiguration of a snort.conf parameter? To check your configuration, try starting snort in self-testing verbose mode (snort -T -c snort.conf), which may help.

When it comes to running snort on Windows I have never had much success installing it as a service; when I have it on a W2K box I tend to run it as a foreground app. I tend to prefer running it on a *nix host as it gives me a bit more flexibility in processing the output logs etc.

Also be aware that the unified binary output file cannot be played back by snort; this output format requires a separate utility like Barnyard or the such. Easy mistake to make though, as the TCPDUMP (or pcap) output options are referred to as a binary log file, which can be played back by snort.

cheers
joel
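The distinction Joel draws (pcap-format logs that snort and windump can replay versus unified binary files that only Barnyard reads) is easy to check from the files themselves. The shell script below is an added example and is not code from the thread, from Snort or from Silicon Defense: it writes the two contrasting snort.conf output sections, then classifies a log file by its first four bytes. File names and paths are illustrative, the sample files are constructed here rather than real captures, and the unified magic numbers are taken from memory of Snort's spo_unified.c, so treat them as an assumption to confirm against your Snort version.

```shell
#!/bin/sh
# Added example, not code from the thread. It writes the two kinds of
# snort.conf output sections Joel contrasts (replayable pcap vs. unified
# binary for Barnyard) and defines a check that tells, from a log file's
# first four bytes, which tool can read it. File names and paths are
# illustrative; sample files are constructed here, not real captures.

sample_dir=$(mktemp -d)

# Output section that produces files snort and windump can read back:
# alert_fast gives the text alert.ids, log_tcpdump gives a pcap-format log
# that "snort -r" replays.
cat > "$sample_dir/snort.conf.pcap" <<'EOF'
output alert_fast: alert.ids
output log_tcpdump: snort.log
EOF

# Output section that produces unified binary files. snort cannot replay
# these; they are meant for Barnyard (limit is the rollover size in MB).
cat > "$sample_dir/snort.conf.unified" <<'EOF'
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
EOF

# Classify a log file by its leading magic number.
# pcap: 0xa1b2c3d4 native or 0xd4c3b2a1 byte-swapped.
# unified: ALERT_MAGIC 0xDEAD4137 and LOG_MAGIC 0xDEAD1080, as defined in
# Snort's spo_unified.c (assumed here; confirm against your Snort version).
# Unified headers are written in host byte order, so both orders are checked.
logfile_kind() {
    magic=$(od -An -tx1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1) echo "pcap" ;;          # snort -r / windump -r
        3741adde|dead4137) echo "unified-alert" ;; # Barnyard
        8010adde|dead1080) echo "unified-log" ;;   # Barnyard
        *)                 echo "unknown" ;;       # text alert file or garbage
    esac
}

# Constructed sample files carrying only the magic bytes (octal escapes keep
# this portable to POSIX printf).
printf '\241\262\303\324' > "$sample_dir/sample.pcap"   # pcap, native order
printf '\067\101\255\336' > "$sample_dir/snort.alert"   # 0xDEAD4137, little-endian
printf '\200\020\255\336' > "$sample_dir/snort.log"     # 0xDEAD1080, little-endian
printf 'not a binary snort log\n' > "$sample_dir/alert.ids"

# Usage: report which reader each file needs.
for f in sample.pcap snort.alert snort.log alert.ids; do
    printf '%s: %s\n' "$f" "$(logfile_kind "$sample_dir/$f")"
done
```

Before switching a live sensor to either section, run Joel's self-test (snort -T -c snort.conf) so a typo in the output line is reported up front rather than showing up as a dead process or an unreadable file; once the unified files appear, point Barnyard at them rather than snort -r.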
Current thread:
- Clueless in Toronto Rich Stryker (Dec 18)
- <Possible follow-ups>
- RE: Clueless in Toronto Rich Stryker (Dec 18)
- RE: Clueless in Toronto Rich Stryker (Dec 19)
- RE: Clueless in Toronto Rich Stryker (Dec 19)