Snort mailing list archives
Re: FW: Snort 2.8.6 & Snort Report 1.3.1 with "NoData..."
From: Jun Wan <junwei_wan () hotmail com>
Date: Fri, 27 Aug 2010 10:32:07 +0000
Hi Billy,

Thanks for the help, I have solved the issue after I followed David's instructions, please see my other email. In the installation guide something seems to be missing, you may be right (as you said they may fail to report try: mysql -usnort -p -D snort -e "select count(*) from event"), otherwise it should work by following the guide.

My best experience with Snort was "Ubuntu 9.1 + Snort 2.8.4.1 + BASE" from bil at work: https://wwwx.cs.unc.edu/~hays/archives/2010/03/entry_23.php , it just worked in my first installation, which made me fall in love with Snort then.

Information would be useless if it is not organized, "Snort Report" and "BASE" organize network information in such a way which enables network engineers to see "things" clearly.

Many thanks to you, David, Joel Esler and many other folks from this list, you guys made my "journey" much easier.

Regards
John

________________________________
Date: Thu, 26 Aug 2010 07:51:23 -0600
From: Billy.Marshall () state co us
To: junwei_wan () hotmail com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: Snort 2.8.6 & Snort Report 1.3.1 with "NoData..."

As far as the chown command, yes, it is a typo. However, file location is a matter of preference and wherever the config files live you need to match them with how snort/barnyard is invoked. This could be a startup script or within the .conf files themselves.

On the note that they fail to report, try:

    mysql -usnort -p -D snort -e "select count(*) from event"

Run this a few times; if the database grows then either barnyard or snort is logging. Verify which by commenting out either

    output unified2: filename , limit 128

from snort.conf for barnyard logging, or

    output database: log, mysql, user=snort password=<password> dbname=snort host=localhost

from snort.conf for snort logging.

Last, you may look in your log files where the alerts are kept to see if they have proper ownership. I have noticed if I run snort as a different user it creates an alert.xxx file with different ownership and when I start it with snort it gets hosed because of permissions. E.g. make sure all log files for snort alerts are:

    chown snort:snort
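The three checks Billy walks through above (does the event table grow, which output plugin is supposed to feed it, and who owns the alert files), collected into one shell script. This is an added example and not code from the thread or from the Snort project; the snort.conf path, log directory, snort user name, the mysql client on PATH and an exported MYSQL_PWD are all assumptions you adjust to your install.

```shell
#!/bin/sh
# Added example (not from the thread): automates Billy's three checks: is the
# MySQL "event" table growing, which output plugin should feed it, and do the
# alert files have the right owner. Placeholders to adjust: SNORT_CONF, LOG_DIR,
# SNORT_USER; assumes a mysql client on PATH with MYSQL_PWD exported.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_DIR="${LOG_DIR:-/var/log/snort}"
SNORT_USER="${SNORT_USER:-snort}"

# Row count of snort.event (the query from the thread), headers suppressed.
event_count() {
    mysql -usnort -D snort -N -s -e "select count(*) from event"
}

# True when the second count is larger than the first.
count_grew() { [ "$2" -gt "$1" ]; }

# Which component is expected to write the event table, judging by the
# uncommented output plugins in snort.conf (a leading '#' disables a line).
logging_path() {
    u=0; d=0
    grep -Eq '^[[:space:]]*output[[:space:]]+unified2' "$1" && u=1
    grep -Eq '^[[:space:]]*output[[:space:]]+database' "$1" && d=1
    case "$u$d" in
        10) echo barnyard ;;  # unified2 only: barnyard2 must run and point at MySQL
        01) echo snort ;;     # database plugin only: snort inserts directly
        11) echo both ;;      # both enabled: each event can be inserted twice
        *)  echo none ;;      # nothing feeds MySQL: Snort Report shows "No Data"
    esac
}

# Files in the log dir not owned by the snort user ("hosed because of permissions").
files_not_owned_by() { find "$1" -maxdepth 1 -type f ! -user "$2"; }

main() {
    echo "MySQL event table is fed by: $(logging_path "$SNORT_CONF")"
    before=$(event_count); sleep 30; after=$(event_count)
    if count_grew "$before" "$after"; then
        echo "event table grew ($before -> $after): logging works"
    else
        echo "event table did not grow ($before -> $after): check the component above"
    fi
    echo "files in $LOG_DIR not owned by $SNORT_USER (expect none):"
    files_not_owned_by "$LOG_DIR" "$SNORT_USER"
}

# Live checks only on request, so the functions can be sourced and tested.
if [ "${1-}" = "--run" ]; then main; fi
```

Run it as `sh check_snort_logging.sh --run` on the sensor; any file it lists under the last heading is a candidate for the `chown snort:snort` Billy mentions.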