Snort mailing list archives
Re: Snort as NIDS -- what's wrong?
From: Bob Aiello <bob.aiello () ieee org>
Date: Sun, 22 Apr 2012 13:40:36 -0400
Hi Marek,

did you uncomment the alerts in the rules file? Another odd problem that I have seen is changing the ../rules to a specific path like /etc/snort/rules seems to work better.

You can debug this easily by using the -T -c /etc/snort/snort.config, which simply parses your config file and tells you if there are any parsing errors (snort seems to be silent about these issues unless you use the -T, which requires the -c).

I am a newbie to snort so please feel free to correct me if I am wrong about these points.

Bob
http://www.linkedin.com/in/BobAiello

On 4/22/2012 4:17 AM, Marek Kozlowski wrote:
:-)

I didn't use snort for some time (since 2.7 on Gentoo). I tried to make it (up-to-date version) run on Arch. I'm wondering why I failed?

1. I installed it (ArchLinux: from official package with pacman).
2. I downloaded the most recent (for registered user) rules and uploaded them to the /etc/snort/ directory.
3. I made some changes in /etc/snort/snort.conf:
   a) I changed the *RULE_PATH variables: they should begin with `.' rather than `..'
   b) I uncommented the `sfportscan' preprocessor
   c) I commented out the `dynamicdetection' line (section 4.) -- non-existent on ArchLinux
   d) I commented out the `reputation' preprocessor
   e) I uncommented the `output alert_syslog: LOG_AUTH LOG_ALERT' line.
4. I'm trying to run it as:

   # snort -i eth0 -c /etc/snort/snort.conf -N

   (optionally with `-A fast' and/or `-l somedir' and/or `-h 127.0.0.0/8' and/or `--process-all-events' and/or ...)

For all cases I tried to teardrop the host (http://www.securityfocus.com/bid/124/exploit), scan ports with nmap etc. and I can see no alerts anywhere...

As I remember, the last time I was using it (2.7 on Gentoo) it worked perfectly...

What am I doing wrong? Any help welcome...

Best regards
m.

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
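The three things this thread turns on (a RULE_PATH that points somewhere other than where the rules were unpacked, an include that therefore resolves to a missing file, and a rules file in which every rule is still commented out so nothing can ever alert) can be checked before running snort -T -c. The following pre-flight linter is an added example written for this archive page; it is not code from the Snort project or from either poster. It assumes a classic Snort 2.x snort.conf with `var NAME value` and `include $NAME/file.rules` lines, and it assumes that relative paths are resolved against the directory containing snort.conf, which is consistent with Marek's observation that `./rules` works when the rules directory sits next to /etc/snort/snort.conf. The sample config tree it builds is constructed for the demonstration.

```python
"""Pre-flight linter for a Snort 2.x snort.conf (added example, not Snort's own code).

Findings reported, one per (line number, message):
  - a *_PATH variable whose resolved directory does not exist
  - an `include` whose resolved file does not exist
  - an included .rules file in which no rule line is uncommented
Assumption: relative paths resolve against the directory of snort.conf.
This complements, and does not replace, `snort -T -c snort.conf`.
"""
import os
import re
import tempfile

VAR_RE = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(\S+)')
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')
RULE_ACTIONS = r'(?:alert|log|pass|drop|reject|sdrop)\s'
ACTIVE_RULE_RE = re.compile(r'^\s*' + RULE_ACTIONS)
COMMENTED_RULE_RE = re.compile(r'^\s*#\s*' + RULE_ACTIONS)


def expand_vars(value, variables):
    """Substitute $NAME tokens with earlier `var` definitions; a few passes cover nesting."""
    for _ in range(5):
        new = re.sub(r'\$(\w+)', lambda m: variables.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def rule_file_state(path):
    """Return 'active', 'all_commented' or 'no_rules' for one .rules file."""
    active = commented = 0
    with open(path) as fh:
        for line in fh:
            if ACTIVE_RULE_RE.match(line):
                active += 1
            elif COMMENTED_RULE_RE.match(line):
                commented += 1
    if active:
        return 'active'
    return 'all_commented' if commented else 'no_rules'


def check_snort_conf(conf_path):
    """Walk snort.conf once and return a list of (lineno, message) findings."""
    findings = []
    variables = {}
    conf_dir = os.path.dirname(os.path.abspath(conf_path))

    def resolve(p):
        return p if os.path.isabs(p) else os.path.normpath(os.path.join(conf_dir, p))

    with open(conf_path) as fh:
        for lineno, line in enumerate(fh, 1):
            m = VAR_RE.match(line)
            if m:
                name, value = m.group(1), expand_vars(m.group(2), variables)
                variables[name] = value
                if name.endswith('_PATH') and not os.path.isdir(resolve(value)):
                    findings.append((lineno, f'{name}={value} resolves to {resolve(value)}, which does not exist'))
                continue
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            target = resolve(expand_vars(m.group(1), variables))
            if not os.path.isfile(target):
                findings.append((lineno, f'include {target}: file not found'))
            elif target.endswith('.rules') and rule_file_state(target) != 'active':
                findings.append((lineno, f'include {target}: no uncommented rules, nothing can alert'))
    return findings


def build_sample_tree():
    """Construct a small /etc/snort-like layout in a temp dir and return the conf path."""
    root = tempfile.mkdtemp(prefix='snort-lint-')
    etc = os.path.join(root, 'etc', 'snort')
    os.makedirs(os.path.join(etc, 'rules'))
    with open(os.path.join(etc, 'rules', 'scan.rules'), 'w') as fh:  # every rule commented out
        fh.write('# alert tcp any any -> $HOME_NET any (msg:"SCAN sample"; sid:1000001;)\n')
    with open(os.path.join(etc, 'rules', 'local.rules'), 'w') as fh:  # one live rule
        fh.write('alert icmp any any -> $HOME_NET any (msg:"ICMP sample"; sid:1000002;)\n')
    conf = os.path.join(etc, 'snort.conf')
    with open(conf, 'w') as fh:
        fh.write('ipvar HOME_NET any\n'            # line 1
                 'var RULE_PATH ../rules\n'        # line 2: the `..' form the thread says fails
                 'var GOOD_PATH ./rules\n'         # line 3: the `.' form that works
                 'include $RULE_PATH/scan.rules\n' # line 4: resolves outside etc/snort, missing
                 'include $GOOD_PATH/scan.rules\n' # line 5: present, but all rules commented
                 'include $GOOD_PATH/local.rules\n')  # line 6: fine
    return conf


if __name__ == '__main__':
    for lineno, msg in check_snort_conf(build_sample_tree()):
        print(f'line {lineno}: {msg}')
```

Running the linter on a real /etc/snort/snort.conf (`check_snort_conf('/etc/snort/snort.conf')`) reports the configuration lines to look at first; once it is clean, `snort -T -c /etc/snort/snort.conf` is still the authoritative parse, since it also exercises preprocessor options and dynamic modules that this script does not model.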
Current thread:
- Snort as NIDS -- what's wrong? Marek Kozlowski (Apr 22)
- Re: Snort as NIDS -- what's wrong? Bob Aiello (Apr 22)
- Re: Snort as NIDS -- what's wrong? Marek Kozlowski (Apr 22)
- Re: Snort as NIDS -- what's wrong? Bob Aiello (Apr 22)