Snort mailing list archives

RE: Help with a config file please?


From: snort () xiata com
Date: Fri, 4 Apr 2003 15:48:38 -0500 (EST)

Christopher,

Thanks for the info. I went ahead and changed those things (added Alert to
the list and enabled portscan and portscan2) but I am still seeing no
alerts come up. I have all logging going to the same MySQL db, and I use
adodb & ACID to run the reports.
I send nmap scans from one of my linux boxes w/ the following parameters:

nmap -sS -O -P0 -v 1.2.3.4

nmap gets all the ports that the system has open just fine and it
fingerprints the OS perfectly (Win XP Pro RC1 or later), but the system's
ACID console still shows nothing. I used www.auditmypc.com to run a similar
scan and no alerts show, ditto w/ grc.com.

Now, just as info, I have two lines in the conf file for the logging: one that
sends log to MySQL and another that sends alert to the same MySQL db. Is
that permissible, or do I have to stick to a single line?

Carlos


I'm sure someone else already answered this, but here is my two cents:

1)  You do not specify an alert facility in your snort.conf.  So unless you
have something that reads your MySQL database looking for new log events,
you'll never get an alert.

2)  You have enabled neither the portscan nor the portscan2
preprocessor.  My understanding (I could be wrong) is that without either of
these, Snort will not catch NMAP sweeps of your network.

3)  As an FYI:  Port scans are logged to the alert facility, not the log
facility, in Snort.  So you're back to item #1.

Cheers!
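The layout Carlos asks about (separate log and alert output lines to the same database) together with the portscan preprocessors Christopher mentions, as an added snort.conf fragment that is not part of the original thread. It assumes the Snort 1.9/2.0-era directive syntax and uses a placeholder password; check the README files shipped with your own Snort version.

```conf
# Added example, not from the original thread. Assumes Snort 1.9/2.0-era
# syntax. Values in angle brackets are placeholders to fill in.

# The host being scanned in the thread.
var HOME_NET 1.2.3.4/32

# Both portscan preprocessors enabled. portscan2 relies on the
# conversation preprocessor, so that one is loaded first.
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60

# Two output lines pointing at the same database are permitted: each
# line registers its own output plugin instance. Port scan events are
# written to the alert facility, so the second line is the one ACID
# needs in order to display them.
output database: log, mysql, user=snort password=<db-password> dbname=snort host=localhost
output database: alert, mysql, user=snort password=<db-password> dbname=snort host=localhost
```

After editing, run snort with -T (config test mode) to confirm both output plugins and all three preprocessors load without errors before restarting the sensor.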

