Snort mailing list archives

Re: New snort install ipvar issue


From: John Gay <john.gay () sourcefire com>
Date: Fri, 24 Dec 2010 15:44:51 -0500

It does not look like the sfportscan preprocessor is turned on.  Try adding
that. Also you could try a real simple rule....  or even verify that you are
seeing traffic by running snort with a -v

John
On Dec 24, 2010 3:37 PM, "James Lay" <jlay () slave-tothe-box net> wrote:
Here we go:

root 31407 1 0 11:58 ? 00:00:12 /opt/bin/snort -i ppp0 -D -c /opt/etc/snort/snort.conf

I've also tried what I had before, which was eth1... I was getting alerts with the older snort version:

Dec 24 08:46:30 gateway snort[1779]: [122:20:0] (portscan) UDP Distributed
Portscan [Priority: 3] {PROTO:255} 66.150.8.4 -> externalIP

But no longer. Complete configline is:

./configure --prefix=/opt --with-dnet-includes=/opt/include --with-dnet-libraries=/opt/lib --with-daq-includes=/opt/lib --with-daq-libraries=/opt/lib --enable-ipv6 --enable-zlib

Really strange.

Thank you.

James

From: John Gay <john.gay () sourcefire com>
Date: Fri, 24 Dec 2010 15:16:16 -0500
To: James Lay <jlay () slave-tothe-box net>
Cc: Snort <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] New snort install ipvar issue


What command are you using to start snort? Can you show the results of ps
-ef | grep snort

On Dec 24, 2010 2:40 PM, "James Lay" <jlay () slave-tothe-box net> wrote:
Thanks John... not running IPv6, but eh... whatever works. Now it seems I've
muffed something as I get no alerts whatsoever even after doing an nmap on
it. I did have 2.9.0.0 running fine on this, but now it seems nothing
causes an alert. Anyone have any hints on why this would fire any alerts?
I'm even testing ping outbound and inbound and nothing. Config below:

SNIP


What command are you using to start snort? What output are you using? Can
you show the results of ps -ef | grep snort



John



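John's two suggestions, turning on the sfportscan preprocessor and trying a
really simple rule, both come down to what is (or is not) in snort.conf. The
script below is an added example, not code from the thread or from the Snort
project: it checks a snort.conf for an uncommented "preprocessor sfportscan"
line and for at least one rules include, and writes a one-line ICMP test rule
into a local rules file. The default config path follows James's ps output;
the local.rules name, the sid 1000001 and the preprocessor arguments (taken
from the stock snort.conf layout) are assumptions, not something the thread
states.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a snort.conf for the things
# John asked about and writes a minimal ICMP test rule.
# Assumptions: config at /opt/etc/snort/snort.conf (from the poster's ps
# output), rules in local.rules, sid 1000001 (local rules use sids >= 1000000).

# 0 if the config has an active (uncommented) sfportscan preprocessor line.
has_sfportscan() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+sfportscan' "$1"
}

# 0 if the config includes at least one .rules file; without any rules
# (or with every include commented out) Snort loads fine and never alerts.
has_rule_include() {
    grep -Eq '^[[:space:]]*include[[:space:]]+.*\.rules' "$1"
}

# Line to add to snort.conf when sfportscan is missing; arguments follow the
# stock snort.conf example.
sfportscan_line() {
    printf '%s\n' 'preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }'
}

# Write a single rule that fires on any ICMP packet, so an inbound or outbound
# ping is enough to prove the alert path works. $1 = rules file to create.
write_test_rule() {
    printf '%s\n' \
        'alert icmp any any -> any any (msg:"ICMP test rule"; sid:1000001; rev:1;)' > "$1"
}

# Report on a config; returns 0 only if both checks pass.
check_snort_conf() {
    rc=0
    if has_sfportscan "$1"; then
        echo "ok: sfportscan preprocessor is enabled"
    else
        echo "missing: no active 'preprocessor sfportscan' line; add:"
        sfportscan_line
        rc=1
    fi
    if has_rule_include "$1"; then
        echo "ok: at least one rules file is included"
    else
        echo "missing: no 'include ...rules' line; nothing will alert"
        rc=1
    fi
    return $rc
}

# Usage: sh check_snort.sh [snort.conf]
conf="${1:-/opt/etc/snort/snort.conf}"
[ -f "$conf" ] && check_snort_conf "$conf"
```

After editing the config, `snort -T -c /opt/etc/snort/snort.conf` validates it
without starting a daemon, `snort -v -i ppp0` shows whether packets are being
seen on that interface at all (John's -v suggestion), and running without -D
and with `-A console` prints alerts to the terminal instead of the log
directory, which removes the question of where the alerts went.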
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users