Snort mailing list archives

Snort as NIDS -- what's wrong?


From: Marek Kozlowski <kozlowsm () mini pw edu pl>
Date: Sun, 22 Apr 2012 10:17:35 +0200

:-)
I didn't use snort for some time (since 2.7 on Gentoo). I tried to make
it (up-to-date version) run on Arch. I'm wondering why I failed?

1. I installed it (ArchLinux: from official package with pacman).

2. I downloaded the most recent (for registered user) rules and uploaded
them to the /etc/snort/ directory

3. I made some changes in /etc/snort/snort.conf:
a) I changed the *RULE_PATH variables: they should begin with `.' rather
than `..'
b) I uncommented the `sfportscan' preprocessor
c) I commented out the `dynamicdetection' line (section 4.) --
non-existent on ArchLinux
d) I commented out the `reputation' preprocessor
e) I uncommented `output alert_syslog: LOG_AUTH LOG_ALERT' line.

4. I'm trying to run it as:
# snort -i eth0 -c /etc/snort/snort.conf -N
(optionally with `-A fast' and/or `-l somedir' and/or `-h 127.0.0.0/8'
and/or `--process-all-events' and/or ...)

For all cases I tried to teardrop the host
(http://www.securityfocus.com/bid/124/exploit) scan ports with nmap etc
and I can see no alerts anywhere...
As I remember the last time I was using it (2.7 on Gentoo) it worked
perfectly... What am I doing wrong? Any help welcome...

Best regards
m.
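A quick sanity check for step 3a, added here as an example and not part of the original post or of the Snort project: it resolves the `var` path variables and `include` lines of a snort.conf against the config's own directory and lists every target that does not exist, so a RULE_PATH that still points at `../rules` shows up before Snort is started. The config layout it parses (`var NAME VALUE`, `include $NAME/file.rules`) is assumed to match the stock snort.conf.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Snort project.
# Resolves every "var NAME VALUE" path variable and "include" line in a
# snort.conf against the directory that holds the config and reports the
# targets that do not exist, so a RULE_PATH that still starts with ../
# (the poster's point 3a) is caught before Snort is started.

# Print one "KIND PATH -> RESOLVED" line per var directory or include file
# that is missing. Relative paths are taken relative to the config's directory.
missing_snort_paths() {
    conf=$1
    confdir=$(dirname "$conf")
    # sed script expanding "$NAME/" to "VALUE/" for every var definition;
    # the trailing slash keeps $RULE_PATH from matching inside $RULE_PATH2.
    subst=$(awk '$1=="var"{printf "s|\\$%s/|%s/|g;", $2, $3}' "$conf")
    {
        # only var values that look like paths (start with / ./ or ../);
        # address vars such as HOME_NET 192.168.0.0/16 are left alone
        awk '$1=="var" && $3 ~ /^(\.\.?)?\//{print "var " $3}' "$conf"
        # include targets with the variables expanded
        awk '$1=="include"{print "include " $2}' "$conf" | sed "$subst"
    } | while read -r kind path; do
        case $path in
            /*) full=$path ;;
            *)  full=$confdir/$path ;;
        esac
        [ -e "$full" ] || printf '%s %s -> %s\n' "$kind" "$path" "$full"
    done
}

# Exit 0 when every path resolves, 1 otherwise (the report goes to stdout).
check_snort_paths() {
    out=$(missing_snort_paths "$1")
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Stand-alone usage: sh check_snort_paths.sh /etc/snort/snort.conf
if [ $# -gt 0 ]; then
    check_snort_paths "$1"
fi
```

Run it before `snort -c`; an empty report means every rules directory and include file is where the config says it is.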
