Snort mailing list archives
Re: Lets talk about ....
From: Peter Bates <peter.bates () ucl ac uk>
Date: Mon, 8 Oct 2012 10:06:17 +0100
Hello all

On 08/10/2012 00:42, AllowOverride wrote:
> 1. Here is stdout after starting snort: see attached. Anything wrong there? Still not logging, after correcting.
> 2. In console mode I see ping traffic from the remote host pinging the snort server.
Okay - as it has been a while since I used -A console to test, I can see that what this does is produce a tcpdump/pcap output file as well as showing the alerts to the console as expected. The fact it isn't a u2 file explains the u2spewfoo error.

In your snort.conf, put (use the existing lines) to shorten your command-line:

    config set_gid: snort
    config set_uid: snort
    config logdir: /var/log/snort
    output unified2: filename snort.log, limit 128

- Your current snort.conf has

    output unified2: filename snort.log limit 128

- the comma is significant.

Start up snort with

    snort -c /etc/snort/snort.conf -i eth0

- you can add -D later to daemonize it.

Snort should run and you will get

    -rw------- 1 snort snort 0 Oct 8 09:52 snort.log.1349686338

in /var/log/snort. Generate some ICMP traffic, and you should see it logged:

    -rw------- 1 snort snort 1164 Oct 8 09:53 snort.log.1349686338

    u2spewfoo snort.log.1349686338 | grep sig
    sig id: 10000001 gen id: 1 revision: 0 classification: 0
    sig id: 10000001 gen id: 1 revision: 0 classification: 0

If that is working then it is time to look at barnyard2.
> 3. Also flowbits? This is not running inline; I'll read more about that later, when I have a 2nd NIC.
I wouldn't worry about the flowbits.
> 4. -G -S are defined in barnyard2.conf - see attached.
I would define:

    output alert_fast: /var/log/snort/alert

instead of what you've got if you need that output, and

    output database: log, mysql, dbname=snort host=localhost user=snort password=hidden detail=full
> 5. Reputation config: "WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled." What is the syntax in the snort.conf file... howtos are pissing me off.... I have:
>
>     whitelist $WHITE_LIST_PATH/white_list.rules, \
>     blacklist $BLACK_LIST_PATH/black_list.rules
This is just a warning. As you have

    var WHITE_LIST_PATH /etc/snort/rules
    var BLACK_LIST_PATH /etc/snort/rules

then if you put IP addresses in

    /etc/snort/rules/white_list.rules
    /etc/snort/rules/black_list.rules

the Reputation preproc will be enabled.
> 6. I found the problem, I believe: snort.u2 vs snort.log defined in snort.conf.... good grief... Made the filename snort looks for snort.log. There were no warnings in syslog nor in snort stdout in console mode...
A wrong filename isn't really fatal so an error isn't entirely appropriate.
> 7. Lastly, I don't have a 2nd NIC. Where would I define that, and if not defined, will it cause issues?
No.

-- 
Peter Bates
Senior Information Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
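To illustrate the distinction the reply turns on (a pcap written by -A console versus the unified2 file u2spewfoo expects), here is an added example, not code from the thread or from the Snort project: it tells the two apart by their leading bytes and decodes the legacy unified2 IDS event record into the same "sig id / gen id / revision / classification" fields u2spewfoo prints. The record layouts follow Snort's Unified2_common.h; the sample record is constructed inline, not captured from a sensor.

```python
import struct

# libpcap global-header magic (both byte orders, usec and nsec variants)
PCAP_MAGICS = {0xa1b2c3d4, 0xd4c3b2a1, 0xa1b23c4d, 0x4d3cb2a1}
# unified2 record types used by Snort 2.9 (packet, IPv4/IPv6 events, VLAN variants, extra data)
U2_TYPES = {2, 7, 72, 104, 105, 110}
UNIFIED2_IDS_EVENT = 7
HDR = struct.Struct(">II")                 # Serial_Unified2_Header: type, length
EVT = struct.Struct(">IIIIIIIIIIIHHBBBB")  # Unified2IDSEvent_legacy, 52 bytes, big-endian
EVT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
              "signature_id", "generator_id", "signature_revision",
              "classification_id", "priority_id", "ip_source", "ip_destination",
              "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")

def file_kind(data: bytes) -> str:
    """Classify a log file by its first 4 bytes: pcap magic, a u2 record type, or neither."""
    if len(data) < 4:
        return "empty"
    word = struct.unpack(">I", data[:4])[0]
    if word in PCAP_MAGICS:
        return "pcap"
    return "unified2" if word in U2_TYPES else "unknown"

def iter_records(data: bytes):
    """Walk the (type, length, body) records of a unified2 file."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, length = HDR.unpack_from(data, off)
        off += HDR.size
        yield rtype, data[off:off + length]
        off += length

def ids_events(data: bytes):
    """Decode every legacy IPv4 IDS event record into a field dict."""
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT and len(body) == EVT.size:
            yield dict(zip(EVT_FIELDS, EVT.unpack(body)))

def summarize(data: bytes) -> list:
    """Mimic 'u2spewfoo ... | grep sig', or explain why u2spewfoo would fail on this file."""
    kind = file_kind(data)
    if kind != "unified2":
        return ["not a unified2 file (%s); u2spewfoo cannot read it" % kind]
    return ["sig id: %d gen id: %d revision: %d classification: %d" % (
        e["signature_id"], e["generator_id"], e["signature_revision"], e["classification_id"])
        for e in ids_events(data)]

def build_event(**fields) -> bytes:
    """Constructed sample record (hypothetical values, not real sensor output)."""
    body = EVT.pack(*[fields.get(f, 0) for f in EVT_FIELDS])
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

SAMPLE_U2 = build_event(signature_id=10000001, generator_id=1, event_second=1349686380,
                        ip_source=0xc0a8010a, ip_destination=0xc0a80114, sport_itype=8, protocol=1)
SAMPLE_PCAP = struct.pack(">IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # empty pcap header
```

Run against a real /var/log/snort/snort.log.* the summary lines match the u2spewfoo output quoted above; against the file -A console produced it reports "pcap".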