Snort mailing list archives

Re: Snort not generating alerts

From: Peter Bates <peter.bates () ucl ac uk>
Date: Tue, 10 Jul 2012 14:21:08 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

On 10/07/2012 14:09, Pratik Narang wrote:

Have you looked whether the unified2 file, 'snort.u2' in your 
configuration contains any alerts or data using u2spewfoo?

Yes the log files do contain data (alerts?- can't see any...)


What does something like this show:

u2spewfoo snort.u2.1341924701 |grep sig

You should see something along the lines of:


        sig id: 3000035 gen id: 1       revision: 1
classification: 33
        sig id: 2013068 gen id: 1       revision: 2
classification: 28
        sig id: 23250   gen id: 1       revision: 1
classification: 21

The actual signatures you're hitting on.

I tried this umpteen times... even re-installing Barnyard2... 
Barnyard2.waldo must be empty to begin with (right?) since I am
only creating the file. Then, why should it contain rubbish??


Barnyard should create the file initially - if I was testing and
having problems I would

a) stop snort
b) stop barnyard2
c) delete (or move) files out of your LOGDIR
d) start snort
e) start barnyard2

You could also run barnyard2 in the foreground with -v but I seem to
recall that doesn't show a great deal.

- -- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP/CxDAAoJELhVoVpEMS6RGbsH/j0Aw2asnc+LKFJpWH21WBe0
CJf63S58XpwvVD6QRX2vXX92O6Lx9njEPdBhqH5J4/oY9cKjHXbsRw5LI68F1aJv
FwgYjd/emsZdMSMctQTjTSUAj2yoIGxjXMh7OkyOoTFwXmg5cWjyOroo0E0ExsA0
6Q9wZ5xZP1D+kL0ghSOyKtxbFMVYh2dIv/90jlNZp79hsGkbPiPzFGkPTR1tSiX3
dyXV5BGepBIic6u/FxkKfGQdfXsxbQEZRSq240u1uefw6XoXHaSj5AreBicWzFPW
Y3jWDb3IOI7rQfX+UIelIybwHrW5blXEnAsSJQN98QbxRTuhO0RG5VuC8YlGN8w=
=pWxT
-----END PGP SIGNATURE-----


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort not generating alerts Pratik Narang (Jul 05)
- Re: Snort not generating alerts praveen_recker . (Jul 05)
  - Re: Snort not generating alerts Pratik Narang (Jul 05)
    - Re: Snort not generating alerts Pratik Narang (Jul 10)
    - Message not available
    - Re: Snort not generating alerts Pratik Narang (Jul 10)
    - Re: Snort not generating alerts Richmond, Ian (Jul 12)
- Re: Snort not generating alerts Pratik Narang (Jul 10)
  - Re: Snort not generating alerts Peter Bates (Jul 10)
    - Re: Snort not generating alerts Pratik Narang (Jul 10)
    - Re: Snort not generating alerts Peter Bates (Jul 10)
    - Re: Snort not generating alerts Pratik Narang (Jul 12)
    - Re: Snort not generating alerts Peter Bates (Jul 13)