Snort mailing list archives
no IDS logs from snort
From: Kevin Thomas <axel2078 () gmail com>
Date: Wed, 06 Mar 2013 23:21:04 -0600
I'm not too familiar with how snort works, so please go easy on me. Here's the situation: I recently switched from Smoothwall Express as my home firewall to IPfire. Why? I really just wanted to try something newer and different. When I was running Smoothwall on the same exact hardware, snort worked great and there were always entries in the IDS logs. I installed IPfire on the same machine in mid-February and NOTHING has been logged by snort since it was installed. The IDS logs are always blank. I have verified that snort is running and I have downloaded rule sets from VRT.

I already asked about this in the IPfire forums, but since IPfire is German based, there weren't too many responses to my English question. Here were some of the mostly apathetic responses I got about my concern:

- Snort is buggy. Why do you want to use it?
- You don't have enough RAM. (Since when is 2GB not enough to run snort? It ran fine on Smoothwall!)
- You don't have enough rules selected.
- You have too many rules selected.
- You have the wrong rules selected.
- Snort only logs the big stuff.

Only a few people besides myself seem to be concerned that snort doesn't seem to be logging properly. One person even installed wireshark on his IPfire system and had his IP port scanned. He found that wireshark found and logged all of it, and while the firewall blocked it just fine, snort only logged about 2% of the attacks. He recently switched to Smoothwall per my recommendation and he is amazed at how well snort works (after some tweaking) and how much it's logging.

I'd like to stay with IPfire because of its built-in feature set, but I really want to get snort logging properly. What do I need to provide to you guys to help troubleshoot? I'm not even sure what version of snort this is. If I run snort in test mode, it reports it as Version 2.9.4 GRE (Build 40), but the version listed at the top of the snort.conf file is 2.9.1.1.

Any help you guys could provide would be most appreciated. Thanks.

Kevin