Snort mailing list archives
RE: Snort re-setup issues
From: Greg Webster <greg () intouch ca>
Date: Thu, 29 Apr 2004 16:46:49 -0700
Thanks, but we got it solved. It ended up being a problem with the switch and not having the server on the right vlan to listen to the traffic properly :)

Cheers,
Greg

On Tue, 2004-04-27 at 17:32, Truax, Shawn (MBS) wrote:

Hi Greg,

Can you put a copy of your snort.conf up to look at. As well try running a tcpdump on your interface (eth0) to see if traffic is being captured. It seems from your email here you are not sure if snort is actually seeing traffic.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario M5H 3B7
(416)327-1107

-----Original Message-----
From: Greg Webster [mailto:greg () intouch ca]
Sent: April 27, 2004 5:53 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort re-setup issues

Heya,

Maybe I just need to bounce this off someone for a sanity check...advice would be great.

Our old SNORT box completely died, so I was unable to get the config file from there to make this easy.

The real problem now is that it's not logging anything coming in. /var/log/snort/alert is empty.

Here's some quick facts to hopefully narrow down the solution:

- Snort box IP address: 192.168.42.51 on eth0
- eth0 is set to promiscuous mode
- Snort is listening to 64.69.xxx.xxx/27
- The log files are created and appropriate permissions are given (/var/log/snort)
- I've tried to change Snort to listen to 192.168.42.0/24, and portscanning from another box in that network, but Snort didn't log it.
- The box is behind two switches...

I haven't seen a solution in my searching...any thoughts on where to go next?

Thanks,
Greg

-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
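The tcpdump check suggested in the thread, and the switch/VLAN cause reported in the final reply, as an added example that is not part of the original messages: it classifies `tcpdump -n` output lines to tell whether a sensor sees only its own and broadcast traffic (the symptom of a port that is not receiving mirrored traffic) or also transit traffic between other hosts. The sensor address and local network come from the thread; the capture lines, the 198.51.100.x and 203.0.113.x hosts, and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches IPv4 lines printed by `tcpdump -n`: "<time> IP <src> > <dst>: ..."
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+):")

def _addr(token):
    """Drop the trailing .port that tcpdump appends to TCP/UDP endpoints."""
    return ipaddress.ip_address(".".join(token.split(".")[:4]))

def classify(lines, sensor_ip, local_net):
    """Count packets as 'own', 'broadcast' or 'transit' from the sensor's view."""
    sensor = ipaddress.ip_address(sensor_ip)
    net = ipaddress.ip_network(local_net)
    counts = Counter(own=0, broadcast=0, transit=0)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, STP, IPv6 etc. are not counted here
        src, dst = _addr(m.group(1)), _addr(m.group(2))
        if sensor in (src, dst):
            counts["own"] += 1
        elif (dst.is_multicast or dst == net.broadcast_address
              or str(dst) == "255.255.255.255"):
            counts["broadcast"] += 1
        else:
            counts["transit"] += 1  # unicast between two other hosts
    return counts

def verdict(counts):
    if sum(counts.values()) == 0:
        return "no IP traffic captured: check interface and link"
    if counts["transit"] == 0:
        return "only own/broadcast traffic: check switch mirror port and VLAN"
    return "transit traffic visible: sensor placement looks right"

# Constructed capture lines: a sensor on an ordinary switch port...
BEFORE = [
    "16:40:01.000001 IP 192.168.42.10.51234 > 192.168.42.51.22: Flags [P.], length 48",
    "16:40:01.500000 IP 192.168.42.51.22 > 192.168.42.10.51234: Flags [.], length 0",
    "16:40:02.000000 IP 192.168.42.7.138 > 192.168.42.255.138: UDP, length 201",
    "16:40:03.000000 ARP, Request who-has 192.168.42.1 tell 192.168.42.7, length 46",
]
# ...and the same sensor once the port receives traffic between other hosts.
AFTER = BEFORE + [
    "16:50:01.000000 IP 198.51.100.20.40112 > 203.0.113.5.80: Flags [S], length 0",
]

if __name__ == "__main__":
    for name, cap in (("before", BEFORE), ("after", AFTER)):
        print(name, verdict(classify(cap, "192.168.42.51", "192.168.42.0/24")))
```

An empty `/var/log/snort/alert` combined with the "only own/broadcast traffic" verdict points at the switch rather than at snort.conf.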
Current thread:
- Snort re-setup issues Greg Webster (Apr 27)
- <Possible follow-ups>
- RE: Snort re-setup issues Truax, Shawn (MBS) (Apr 27)
- RE: Snort re-setup issues Greg Webster (Apr 29)