Snort mailing list archives

Re: snort not logging alerts


From: SN ORT <snort_on_acid () yahoo com>
Date: Mon, 28 Jun 2004 09:24:33 -0700 (PDT)

What is the IP of the server you scanned with Nessus?
And when you scanned, you could see it on eth1 running
tcpdump?

Cheese!

Marc


Message: 1
From: Nicholas Bernstein <nick () docmagic com>
To: snort-users <snort-users () lists sourceforge net>
Date: Sun, 27 Jun 2004 05:45:20 -0700
Subject: [Snort-users] snort not logging alerts

As I'm sure you can see from the timestamp on this email, the current
time is 5:33am PDT, here, while I'm writing this. I've given up my
Friday night, my Saturday day and now all the way up to Sunday morning
on this. If you're wondering if I'm trying to make you feel bad enough
to give me a hand, the answer is yes. :)

Anyway, I hope this makes sense, as my eyes are starting to close of
their own free will.

I'm trying to set up a simple snort -> mysql -> acid setup, which is
pretty common, and which I've done numerous times. Unfortunately, in
this instance, it seems as if snort does not believe anything is an
alert. I've tested to make sure it's capturing packets (it is) and -T
seems to think everything is fine. Yet, still, when I run a full Nessus
scan against the host, NOTHING gets added to the db. When I run it from
command line, the action stats are ALERTS: 0, Logged: 0, Passed: 0.

I'm running on suse 9.1, w/ a 2.6.4-52 kernel, w/ snort compiled from
source. This is using the same exact setup I did on FreeBSD two days
ago, and on RedHat, and earlier versions of suse as well.

Below is the output of snort -T and below that my snort.conf.

Any help would be very, very appreciated. I'd like to not have to go out
and get another hard drive so I can install FreeBSD and set it up on that.



nick@hemingway:~> sudo snort -T -c /etc/snort/snort.conf -i eth1
Running in IDS mode
Log directory = /var/log/snort

<snip>

