Snort mailing list archives

Re: FW: Snort 2.8.6 & Snort Report 1.3.1 with "NoData..."

From: Jun Wan <junwei_wan () hotmail com>
Date: Fri, 27 Aug 2010 10:32:07 +0000


Hi Billy,
 
Thanks for help, I have solved the issue after I followed David's instructions, please see my another email.
 
in the installation guide something seems to be missing, you may be right (as you said they may fail to report try:
 mysql -usnort -p -D snort -e "select count(*) from event"), otherwise it should work by following the guide. 
 
My best experience with Snort was "Ubundu 9.1 + Snort 2.8.4.1+BASE" from bil at work: 
https://wwwx.cs.unc.edu/~hays/archives/2010/03/entry_23.php , it just worked in my first installation, which made me 
fall in love with Snort then.
 
Information would be useless if it is not organized, "Snort Report" and "BASE" organize network information in such a 
way which enable network engineers to see "things" clearly. 
 
Many thanks for you, David,Joel Esler and many other folks from this list, your guys made my "journey" much easier.
 
 
Regards
 
John


 

________________________________

Date: Thu, 26 Aug 2010 07:51:23 -0600
From: Billy.Marshall () state co us
To: junwei_wan () hotmail com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: Snort 2.8.6 & Snort Report 1.3.1 with
"NoData..."

as far as the chown command, yes, it is a typo.
However, file location is a matter of preference and where ever the
config files live you need to match them with how snort/barnyard is
invoked. This could be a startup script or within the .conf files
themselves.

On the note that they fail to report try:
mysql -usnort -p -D snort -e "select count(*) from
event"

run this a few times if the database grows then either barnyard or
snort is logging.
Verify which by either commenting out
output unified2: filename , limit 128 --- from
snort.conf for barnyard logging
or
output database: log, mysql, user=snort password=> password> dbname=snort host=localhost --- from snort.conf for snort
logging

Last you may look in your log files where the alerts are kept to see if
they are proper ownership. I have noticed if I run snort as a different
user it creates an alert.xxx file with different ownership and when I
start it with snort it gets hosed because of permissions. e.g make sure
all log files for snort alerts are:
chown snort:snort

------------------------------------------------------------------------------
Sell apps to millions through the Intel(R) Atom(Tm) Developer Program
Be part of this innovative community and reach millions of netbook users 
worldwide. Take advantage of special opportunities to increase revenue and 
speed time-to-market. Join now, and jumpstart your future.
http://p.sf.net/sfu/intel-atom-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort 2.8.6 & Snort Report 1.3.1 with "No Data..." Jun Wan (Aug 24)
- Snort 2.8.6 & Snort Report 1.3.1 with "No Data..." Jun Wan (Aug 24)
- <Possible follow-ups>
- FW: Snort 2.8.6 & Snort Report 1.3.1 with "No Data..." Greg Lane (Aug 25)
  - Re: FW: Snort 2.8.6 & Snort Report 1.3.1 with "No Data..." Jun Wan (Aug 25)
    - Re: FW: Snort 2.8.6 & Snort Report 1.3.1 with "NoData..." Billy Marshall (Aug 26)
    - Re: FW: Snort 2.8.6 & Snort Report 1.3.1 with "NoData..." David Gullett (Aug 26)
    - Re: FW: Snort 2.8.6 & Snort Report 1.3.1 with "NoData..." Jun Wan (Aug 26)
    - Re: FW: Snort 2.8.6 & Snort Report 1.3.1 with "NoData..." Greg Lane (Aug 27)
    - Re: FW: Snort 2.8.6 & Snort Report 1.3.1 with "NoData..." Jun Wan (Aug 27)