Snort mailing list archives
Re: oh, come on
From: "Shawn Truax" <Shawn.Truax () mbs gov on ca>
Date: Fri, 26 Sep 2003 13:47:17 -0400
Assuming everything is working and installed properly, I would recommend checking two things.

One, run a tcpdump on the interface that Snort is running on to make sure that there is traffic for Snort to process. I have done this myself a couple of times when I have had multiple interfaces and set the wrong one by mistake.

Two, I would make sure you have Snort rules turned on. Snort might be processing the data, but there are no rules set for it to trigger on. Or there is just no traffic triggering the rules. Some days one of my sensors will go for hours without a rule trigger just because the traffic does not contain anything I am looking for. What I do is create a rule that triggers on all traffic:

alert ip any any -> any any (msg:"Test Rule"; sid:1234567;)

Turn the rule on and let Snort run. See if you are getting alerts, and if you are, turn the rule back off. Warning: don't let this rule run for very long or unattended; it will fill up your database and hard drive fast if you forget about it.

If everything above turns out OK, check your connection to the database. Off the top of my head I am not too sure where everything is located to do this. I believe RedHat puts error messages in the messages log file if there are problems; check there. You can use the mysqladmin PING command to make sure the database is running. Oh, and make sure you have set the output plugin properly for Snort. It should look something like this:

output database: alert, mysql, user=[database_login] password=[database_password] dbname=[database_name] host=[ip_of_database_computer] port=3306 sensor_name=[insert_sensor_name_here] detail=full

Hope this helps some or at least gets you started.

Shawn
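Two of the checks above can be scripted: validating the `output database:` line before restarting the sensor, and scanning the rules files for a catch-all test rule that was left enabled. This is an added Python example, not code from the thread or from Snort; the config line and rules file are constructed samples, with the placeholders from the post filled in with made-up values, and the option classification is an assumption about which rule options only describe an alert rather than narrow what it matches.

```python
import re
# Constructed samples (not from the post): the output line with the placeholders
# filled in, and a rules file in which the catch-all "Test Rule" was left enabled.
SAMPLE_OUTPUT_LINE = ("output database: alert, mysql, user=snort password=secret "
                      "dbname=snort host=10.0.0.5 port=3306 sensor_name=sensor1 detail=full")
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connect"; sid:1000001; rev:1;)
# alert ip any any -> any any (msg:"Test Rule"; sid:1234567;)
alert ip any any -> any any (msg:"Test Rule"; sid:1234567;)
"""
REQUIRED_KEYS = {"user", "password", "dbname", "host"}
DB_TYPES = {"mysql", "postgresql", "unixodbc", "mssql", "oracle"}
# Assumed: options that describe an alert rather than constrain what the rule matches.
METADATA_OPTS = {"msg", "sid", "rev", "gid", "classtype", "priority", "reference", "metadata"}
RULE_RE = re.compile(
    r"^(alert|log|pass)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def check_output_line(line):
    """Return the problems found in an 'output database:' line (empty list = OK)."""
    m = re.match(r"^output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", line.strip())
    if not m:
        return ["expected 'output database: <alert|log>, <db type>, key=value ...'"]
    log_type, db_type, rest = m.groups()
    problems = []
    if log_type not in ("alert", "log"):
        problems.append(f"first field must be alert or log, got {log_type!r}")
    if db_type not in DB_TYPES:
        problems.append(f"unknown database type {db_type!r}")
    params = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    problems += [f"missing parameter {k}" for k in sorted(REQUIRED_KEYS - params.keys())]
    port = params.get("port", "3306")  # MySQL's default when the key is omitted
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append(f"port must be 1-65535, got {port!r}")
    return problems

def find_catch_all_rules(rules_text):
    """Return sids of enabled rules that fire on every packet (the temporary test-rule shape)."""
    sids = []
    for raw in rules_text.splitlines():
        m = RULE_RE.match(raw.strip())  # commented-out rules never match the anchored header
        if not m:
            continue
        proto, src, sport, dst, dport, opts = m.group(2, 3, 4, 6, 7, 8)
        options = [o.strip() for o in opts.split(";") if o.strip()]
        names = {o.split(":", 1)[0] for o in options}
        sid = next((o.split(":", 1)[1] for o in options if o.startswith("sid:")), "?")
        if proto == "ip" and (src, sport, dst, dport) == ("any",) * 4 and names <= METADATA_OPTS:
            sids.append(sid)
    return sids
```

Run `find_catch_all_rules` over the live rules directory before leaving the sensor unattended; a non-empty result is the rule Shawn warns about still filling the database.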
"Raymond Norton" <admin () lctn org> 09/24/03 02:27pm >>>
Being the novice I am with compiling and diagnosing errors, I was really proud of myself when I followed the RedHat 9.0 install docs and got everything working. httpd, mysql, and snort are all running without complaint. I pulled up the nice ACID page and commenced to do a port scan, but snort does not respond to it. My page stays the same (0 hits). I looked over the FAQ to see what might be there, and verified that I have everything set right. I substituted "log" with "alert" in the snort.conf without any luck. Any idea what I should be looking at to diagnose the problem?

Raymond
Current thread:
- oh, come on Raymond Norton (Sep 24)
- Re: oh, come on Matt Kettler (Sep 24)
- Re: oh, come on Patrick Harper (Sep 27)
- <Possible follow-ups>
- Re: oh, come on Shawn Truax (Sep 26)