Snort mailing list archives
RE: Help with a config file please?
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Fri, 4 Apr 2003 11:47:24 -0500
I'm sure someone else already answered this, but here is my two cents:

1) You do not specify an alert facility in your snort.conf. So unless you have something that reads your MySQL database looking for new log events, you'll never get an alert.

2) You have enabled neither the portscan nor the portscan2 preprocessor. My understanding (I could be wrong) is that without either of these, Snort will not catch NMAP sweeps of your network.

3) As an FYI: Port scans are logged to the alert facility, not the log facility, in Snort. So you're back to item #1.

Cheers!

-----Original Message-----
From: snort () xiata com [mailto:snort () xiata com]
Sent: Thursday, April 03, 2003 5:24 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Help with a config file please?

Can someone help me clean up this config? I mean, I know that I must have missed something, but my snort IDS is not logging anything. I send it nmap scans to see if it catches them and no dice. I log into my IIS Outlook Web Access (one of the rules used to cry about that because of Calendar something or other). Still no alerts pop up. I assume that is my configuration not being up to par.

The IP addresses are obfuscated and so is the username/pass for mysql.

I have tried changing the path to the rules from $Rule_path/rulefile.rule to c:\snort\rules\rulefile.rule to c:\snort\rules/rulefile.rule to c:/snort/rules/rulefile.rule but I get nothing whatsoever.

Here is the output of snort /services /show

C:\Snort\bin>snort /service /show
Snort is currently configured to run as a Windows service using the following command-line parameters:
-c c:/snort/etc/snort.conf -l c:/snort/log -i2

and snort.conf is attached.

For what it's worth, the 2nd adapter has no bindings to it whatsoever, but if I stop the snort service and run snort with the command line "snort -v -i2" I do see things taking place.

For what it's worth, I am running snort 1.9.1.

Thanks
Carlos
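Added example, not part of the original thread: a small Python check that reads a snort.conf and reports the gaps the reply lists (no alert output, no portscan/portscan2 preprocessor). The sample configuration is constructed, since the attached snort.conf is not shown, and the `directives` and `audit` helper names are hypothetical; the portscan2/conversation check goes beyond what the reply mentions.

```python
import re

# Constructed sample; the poster's attached snort.conf is not shown in the thread.
SAMPLE_CONF = r"""
var HOME_NET 192.0.2.0/24
preprocessor frag2
preprocessor stream4: detect_scans
# preprocessor portscan: $HOME_NET 4 3 portscan.log
output database: log, mysql, user=USER password=PASS dbname=snort host=localhost
include $RULE_PATH/scan.rules
"""

def directives(text):
    """Yield (keyword, name, args) for each active output/preprocessor line."""
    joined = re.sub(r"\\\r?\n", " ", text)       # join backslash continuations
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        m = re.match(r"(output|preprocessor)\s+([\w-]+)\s*:?\s*(.*)", line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)

def audit(text):
    """Return findings for the configuration gaps named in the reply."""
    outputs, preprocs = [], set()
    for kind, name, args in directives(text):
        if kind == "output":
            outputs.append((name, args))
        else:
            preprocs.add(name)
    findings = []
    # Point 1: an alert_* plugin, or the database plugin attached to "alert".
    has_alert = any(
        name.startswith("alert_")
        or (name == "database" and args.split(",")[0].strip().lower() == "alert")
        for name, args in outputs
    )
    if not has_alert:
        findings.append("no alert output configured")
    # Point 2: per the reply, scan detection needs one of these preprocessors.
    if not preprocs & {"portscan", "portscan2"}:
        findings.append("neither portscan nor portscan2 enabled")
    # Not from the thread: portscan2 relies on the conversation preprocessor.
    if "portscan2" in preprocs and "conversation" not in preprocs:
        findings.append("portscan2 enabled without conversation")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARNING:", finding)
```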