Snort mailing list archives
Re: no IDS logs from snort
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 11 Mar 2013 17:20:41 -0500
On 3/11/2013 12:52, Kevin Thomas wrote:
All, I think this problem is resolved now. I deleted all of my snort rules under /etc/snort/rules and then I changed my source from "Sourcefire VRT for registered users" to "EmergingThreats.net Community rules" and then pulled the updates for the new rules, selected the rules I wanted to use, and then stopped and restarted snort. Not long afterward, it began writing to the /var/log/snort/alert file and guardian could finally act on the alerts. Next on the agenda is to find out why the guardian process keeps dying and restarting automatically every 20 minutes or so, releasing all the IP blocks when it restarts. Thanks to everyone who offered insight/suggestions.
interesting... however, i don't think it was the VRT rules at fault... i gotta wonder what version of guardian it is they are running on ipfire now...

as for guardian restarting, i've seen that before when a monitoring tool was set to ensure that guardian was running but the wrong pid file was used... so the monitoring tool would not see the pid it was expecting (because guardian was using a differently named one) and it would stop guardian and restart it with the stopstart script every 20 minutes because that was how often the monitoring tool was set for...
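The failure mode described in the reply above (a watchdog reading a pid file that does not belong to the running guardian) can be checked directly. The following is an added example, not code from the thread, guardian or IPFire; it assumes a Linux-style /proc tree, and the pid file paths and the process name "guardian" are placeholders.

```python
"""Classify what a watchdog would conclude from a pid file.

Added example, not from the thread. Assumes a Linux-style /proc layout;
proc_root is a parameter so the check can be run against a constructed tree.
"""
import os
import re


def read_pidfile(pidfile):
    """Return the integer PID stored in pidfile, or None if absent or unparseable."""
    try:
        with open(pidfile) as fh:
            text = fh.read().strip()
    except OSError:
        return None
    return int(text) if re.fullmatch(r"\d+", text) else None


def process_name(pid, proc_root="/proc"):
    """Return the short command name from <proc_root>/<pid>/comm, or None if no such process."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return None


def pidfile_status(pidfile, expected_name, proc_root="/proc"):
    """Return one of:
    'running'  - pid exists and its comm matches expected_name
    'mismatch' - pid exists but belongs to a different program (wrong pid file)
    'stale'    - pid file present but no such process
    'missing'  - pid file absent or unreadable
    A watchdog keyed to the wrong file sees 'stale' or 'missing' even while
    the daemon is alive, and restarts it on every check interval."""
    pid = read_pidfile(pidfile)
    if pid is None:
        return "missing"
    name = process_name(pid, proc_root)
    if name is None:
        return "stale"
    return "running" if name == expected_name else "mismatch"


def find_by_name(expected_name, proc_root="/proc"):
    """List PIDs whose comm equals expected_name, to compare with the pid file's claim."""
    return sorted(int(e) for e in os.listdir(proc_root)
                  if e.isdigit() and process_name(e, proc_root) == expected_name)
```

Comparing `find_by_name("guardian")` against `pidfile_status(<the watchdog's pid file>, "guardian")` shows whether the watchdog is looking at the same process that is actually running.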