Snort mailing list archives
Alerts not Detected during Import?
From: "Dusty Hall" <halljer () auburn edu>
Date: Thu, 26 Jun 2003 10:58:50 -0500
We are experiencing a problem with Snort not reporting alerts that we have in our rules files. Here's some background: We copy our Snort tcpdump logs from our sniffer to our MySQL/ACID system and then import the tcpdump logs into ACID/MySQL. From the looks of our alert files, the specific alerts were detected by our sniffer but not by Snort on our DB box.

So what I'm trying to ask is, do the tcpdump log files from our sniffer box have all detected alerts in tcpdump format that were sniffed on the wire? Is there enough information in the tcpdump files from our sniffer to process again and pull out the same alerts?

Here are the steps we use: (Yes, we have identical rules on both systems and both have the same version of Snort.)

Sniffer:
snort.conf output snip -> "output log_tcpdump: snort-log"
/usr/local/bin/snort -c /usr/local/snort/etc/snort.conf -D -b -o -i eth1 -A fast

-------

DB Import:
snort.conf output snip -> "output database: alert, mysql, user=snort password=xxxxxxx dbname=snort host=localhost"
/usr/local/bin/snort -N -dve -c /usr/local/snort/etc/snort.conf -l /usr/local/snort/logs -dr /usr/local/snort_logs/tcplogs/snort-logifle.log

Note: After I run the import and look at the newly created "alert" file, it is much smaller than the "alert" file from our sniffer.

Any help would be greatly appreciated. I'm open to new ways of doing this!

Thanks,
-Dusty
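A practical first check when a replayed capture produces a smaller alert file than the live sensor did is to find out exactly which alerts went missing, rather than just comparing file sizes. The script below is an added example and is not part of this thread or of Snort itself: it parses two Snort "fast" format alert files (the one written on the sniffer by -A fast and the one written during the -r import), counts alerts per signature (gid:sid:rev plus message text), and reports the shortfall on the replay side. The alert lines embedded in it are constructed for illustration, and the line layout it expects is the Snort 2.x alert_fast format with optional Classification and Priority fields.

```python
"""Compare two Snort 'fast' alert files and report which signatures the
replayed (-r) run failed to reproduce.

Added example for illustration; not code from the mailing-list thread or
from the Snort project.  SNIFFER_ALERTS and IMPORT_ALERTS are constructed
sample data standing in for the two real 'alert' files.
"""
import re
from collections import Counter

# Snort 2.x alert_fast layout, e.g.
#   06/26-10:58:50.123456  [**] [1:1000:1] msg text [**] [Classification: X] [Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
# Classification and Priority are optional; ICMP alerts carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample: what the live sensor logged ...
SNIFFER_ALERTS = [
    "06/26-10:40:01.000001  [**] [1:1000:1] SAMPLE web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80",
    "06/26-10:40:02.000002  [**] [1:2000:2] SAMPLE icmp ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.1 -> 10.0.0.2",
    "06/26-10:40:03.000003  [**] [1:1000:1] SAMPLE web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.3:4321 -> 10.0.0.2:80",
    "06/26-10:40:04.000004  [**] [1:3000:1] SAMPLE dns query [**] [Priority: 3] {UDP} 10.0.0.1:53001 -> 10.0.0.2:53",
]

# ... and what the -r import of the tcpdump log produced (constructed).
IMPORT_ALERTS = [
    "06/26-10:40:01.000001  [**] [1:1000:1] SAMPLE web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80",
    "06/26-10:40:04.000004  [**] [1:3000:1] SAMPLE dns query [**] [Priority: 3] {UDP} 10.0.0.1:53001 -> 10.0.0.2:53",
]


def parse_fast_alert(line):
    """Return the fields of one fast-format alert line, or None if it does
    not look like one (blank lines, truncated writes, other output)."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None


def signature_counts(lines):
    """Count alerts per signature, keyed by (gid, sid, rev, msg)."""
    counts = Counter()
    for line in lines:
        a = parse_fast_alert(line)
        if a:
            counts[(a["gid"], a["sid"], a["rev"], a["msg"])] += 1
    return counts


def missing_alerts(sniffer_lines, import_lines):
    """Signatures the live sensor alerted on more often than the replay did,
    mapped to how many alerts are missing on the replay side."""
    live = signature_counts(sniffer_lines)
    replay = signature_counts(import_lines)
    return {sig: n - replay.get(sig, 0)
            for sig, n in live.items() if n > replay.get(sig, 0)}


def load_alert_file(path):
    """Read a real 'alert' file (one fast-format record per line)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.readlines()


if __name__ == "__main__":
    # Replace the constructed lists with load_alert_file(<path>) calls to
    # compare the two real alert files.
    for (gid, sid, rev, msg), n in sorted(missing_alerts(SNIFFER_ALERTS, IMPORT_ALERTS).items()):
        print(f"[{gid}:{sid}:{rev}] {msg}: {n} alert(s) missing after replay")
```

If the shortfall is concentrated in a few signatures, the next step is to look for the packets those rules match in the tcpdump file itself (for example with tcpdump -r on the same file) before suspecting the rules or the database output plugin: a signature whose packets are not in the capture at all cannot fire on replay, whatever the configuration on the DB box.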
Current thread:
- Alerts not Detected during Import? Dusty Hall (Jun 26)
- Re: Alerts not Detected during Import? Erek Adams (Jun 26)
- <Possible follow-ups>
- Re: Alerts not Detected during Import? Dusty Hall (Jun 26)
- Re: Alerts not Detected during Import? Erek Adams (Jun 26)
- Re: Alerts not Detected during Import? Chris Green (Jun 26)