Snort mailing list archives
Re: Snort not generating alerts
From: Pratik Narang <pratik.cse.bits () gmail com>
Date: Fri, 13 Jul 2012 11:51:12 +0530
On Tue, Jul 10, 2012 at 6:51 PM, Peter Bates <peter.bates () ucl ac uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello all
>
> On 10/07/2012 14:09, Pratik Narang wrote:
>>> Have you looked whether the unified2 file, 'snort.u2' in your
>>> configuration contains any alerts or data using u2spewfoo?
>> Yes the log files do contain data (alerts? - can't see any...)
>
> What does something like this show:
>
> u2spewfoo snort.u2.1341924701 | grep sig
>
> You should see something along the lines of:
>
> sig id: 3000035 gen id: 1 revision: 1 classification: 33
> sig id: 2013068 gen id: 1 revision: 2 classification: 28
> sig id: 23250 gen id: 1 revision: 1 classification: 21
>
> The actual signatures you're hitting on.

Yes, the Snort log file does contain the actual signatures. Running Snort
with *-A console* also does display the same.

>> I tried this umpteen times... even re-installing Barnyard2...
>> Barnyard2.waldo must be empty to begin with (right?) since I am only
>> creating the file. Then, why should it contain rubbish??
>
> Barnyard should create the file initially - if I was testing and having
> problems I would
>
> a) stop snort
> b) stop barnyard2
> c) delete (or move) files out of your LOGDIR
> d) start snort
> e) start barnyard2

I am not very clear what you mean. I did this, exactly as per the
guide available on snort.org -->

sudo tar zxvf barnyard2-1.9.tar.gz
cd barnyard2-1.9
sudo ./configure --with-mysql
sudo make
sudo make install
sudo cp etc/barnyard2.conf /usr/local/snort/etc
sudo mkdir /var/log/barnyard2
sudo chmod 666 /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo

(so, as per the guide, I am creating the waldo file)

And some changes in barnyard2.conf file:

config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config hostname: localhost
config interface: eth1
output database: log, mysql, user=snort password=MYPASSWORD dbname=snort host=localhost

And as far as the (a) to (e) steps are concerned, yes, I have tried
that... but stuck with the corrupt/truncated waldo file warning...

> You could also run barnyard2 in the foreground with -v but I seem to
> recall that doesn't show a great deal.
>
> - --
> Peter Bates
> Senior Computer Security Officer   Phone: +44(0)2076792049
> Information Services Division      Internal Ext: 32049
> University College London
> London WC1E 6BT

Thanks,
-Pratik
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
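Peter's check in the quoted reply is to run u2spewfoo over the unified2 spool and grep for the "sig id" lines. The following is an added example for this thread, not code from the original messages, from Snort or from Barnyard2: a small reader that walks a unified2 spool and prints the same four fields, using only the record layouts from Snort's Unified2_common.h (type 2 packet, types 7/72/104/105 events, each preceded by a big-endian type/length header). It also reports the case where the spool ends inside a record, which is what a reader sees when it gets ahead of the writer. The sample bytes at the bottom are constructed, not a real capture; they reuse the sig/gen/rev/classification values from Peter's sample output. Function and constant names other than the record-type names are this example's own.

```python
"""Walk a unified2 spool and list each event's signature fields, the way
'u2spewfoo snort.u2.<timestamp> | grep sig' does.  Added example for this
thread; it is not Snort or Barnyard2 code and relies only on the public
unified2 record layouts."""
import ipaddress
import struct

# Record types as numbered in Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7              # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72        # IPv6 event, 76-byte body
UNIFIED2_IDS_EVENT_VLAN = 104       # Snort 2.9 IPv4 event + mpls/vlan, 60 bytes
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105  # IPv6 event + mpls/vlan, 84 bytes

_IPV6_TYPES = {UNIFIED2_IDS_EVENT_IPV6, UNIFIED2_IDS_EVENT_IPV6_VLAN}
_VLAN_TYPES = {UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}
_EVENT_TYPES = _IPV6_TYPES | _VLAN_TYPES | {UNIFIED2_IDS_EVENT}
_HEADER = struct.Struct(">II")      # every record: big-endian type, length
_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision",
                 "classification_id", "priority_id")


class TruncatedUnified2(ValueError):
    """The buffer ends inside a record header or body."""


def iter_records(data):
    """Yield (type, body) per record.  Snort appends records as it writes
    them, so a reader that outruns the writer sees a partial last record."""
    off = 0
    while off < len(data):
        if len(data) - off < _HEADER.size:
            raise TruncatedUnified2("partial header at offset %d" % off)
        rtype, rlen = _HEADER.unpack_from(data, off)
        body = data[off + _HEADER.size:off + _HEADER.size + rlen]
        if len(body) < rlen:
            raise TruncatedUnified2("record at %d wants %d bytes, has %d"
                                    % (off, rlen, len(body)))
        yield rtype, body
        off += _HEADER.size + rlen


def event_layout(rtype):
    """Body layout of an IDS event: IPv6 widens the addresses to 16 bytes,
    the VLAN variants append mpls_label, vlan_id and a 2-byte pad."""
    addr = 16 if rtype in _IPV6_TYPES else 4
    fmt = ">9I%ds%dsHHBBBB" % (addr, addr) + ("IHH" if rtype in _VLAN_TYPES else "")
    return struct.Struct(fmt)


def parse_event(rtype, body):
    layout = event_layout(rtype)
    if len(body) < layout.size:
        raise TruncatedUnified2("event body %d < %d bytes" % (len(body), layout.size))
    vals = layout.unpack_from(body, 0)
    ev = dict(zip(_EVENT_FIELDS, vals[:9]))
    ev["ip_source"] = str(ipaddress.ip_address(vals[9]))
    ev["ip_destination"] = str(ipaddress.ip_address(vals[10]))
    (ev["sport_itype"], ev["dport_icode"], ev["protocol"],
     ev["impact_flag"], ev["impact"], ev["blocked"]) = vals[11:17]
    if rtype in _VLAN_TYPES:
        ev["mpls_label"], ev["vlan_id"] = vals[17], vals[18]
    return ev


def signatures(data):
    """(sig_id, gen_id, revision, classification) for each event record;
    packet records and unknown types are skipped, as 'grep sig' would."""
    out = []
    for rtype, body in iter_records(data):
        if rtype in _EVENT_TYPES:
            ev = parse_event(rtype, body)
            out.append((ev["signature_id"], ev["generator_id"],
                        ev["signature_revision"], ev["classification_id"]))
    return out


def format_sig(sig):
    return "sig id: %d gen id: %d revision: %d classification: %d" % sig


def is_truncated(data):
    try:
        for _ in iter_records(data):
            pass
    except TruncatedUnified2:
        return True
    return False


# --- constructed sample spool (not a real capture) -------------------------
def build_record(rtype, body):
    return _HEADER.pack(rtype, len(body)) + body


def build_ipv4_vlan_event(sig, gen, rev, cls, src, dst, sport, dport):
    return struct.pack(">9I4s4sHHBBBBIHH", 1, 1, 1341924701, 0, sig, gen, rev, cls, 3,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
                       sport, dport, 6, 0, 0, 0, 0, 0, 0)


_PKT = bytes(range(40))  # filler standing in for the captured packet
SAMPLE_U2 = (
    build_record(UNIFIED2_IDS_EVENT_VLAN, build_ipv4_vlan_event(3000035, 1, 1, 33, "10.0.0.5", "10.0.0.9", 44123, 80))
    + build_record(UNIFIED2_PACKET, struct.pack(">7I", 1, 1, 1341924701, 1341924701, 0, 1, len(_PKT)) + _PKT)
    + build_record(UNIFIED2_IDS_EVENT_VLAN, build_ipv4_vlan_event(2013068, 1, 2, 28, "10.0.0.5", "192.0.2.7", 51000, 443))
    + build_record(UNIFIED2_IDS_EVENT_VLAN, build_ipv4_vlan_event(23250, 1, 1, 21, "198.51.100.3", "10.0.0.5", 3389, 3389))
)

if __name__ == "__main__":
    for sig in signatures(SAMPLE_U2):
        print(format_sig(sig))
```

To run it against a real spool, pass the file contents to signatures() (for example signatures(open("/var/log/snort/snort.u2.1341924701", "rb").read())); if the result is an empty list although the file is large, the records are probably of a type this reader does not decode, and u2spewfoo will show which.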
Current thread:
- Snort not generating alerts Pratik Narang (Jul 05)
- Re: Snort not generating alerts praveen_recker . (Jul 05)
- Re: Snort not generating alerts Pratik Narang (Jul 05)
- Re: Snort not generating alerts Pratik Narang (Jul 10)
- Message not available
- Re: Snort not generating alerts Pratik Narang (Jul 10)
- Re: Snort not generating alerts Richmond, Ian (Jul 12)
- Re: Snort not generating alerts Pratik Narang (Jul 05)
- Re: Snort not generating alerts praveen_recker . (Jul 05)
- Re: Snort not generating alerts Peter Bates (Jul 10)
- Re: Snort not generating alerts Pratik Narang (Jul 10)
- Re: Snort not generating alerts Peter Bates (Jul 10)
- Re: Snort not generating alerts Pratik Narang (Jul 12)
- Re: Snort not generating alerts Peter Bates (Jul 13)