Snort mailing list archives

Re: no IDS logs from snort


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 11 Mar 2013 17:20:41 -0500

On 3/11/2013 12:52, Kevin Thomas wrote:
All, I think this problem is resolved now.  I deleted all of my snort rules
under /etc/snort/rules and then I changed my source from "Sourcefire VRT for
registered users" to "EmergingThreats.net Community rules" and then pulled the
updates for the new rules, selected the rules I wanted to use, and then stopped
and restarted snort. Not long afterward, it began writing to the
/var/log/snort/alert file and guardian could finally act on the alerts.  Next on
the agenda is to find out why the guardian process keeps dying and restarting
automatically every 20 minutes or so, releasing all the IP blocks when it
restarts.  Thanks to everyone who offered insight/suggestions.

interesting... however, i don't think it was the VRT rules at fault...

i gotta wonder what version of guardian that is they are running on ipfire now...

as for guardian restarting, i've seen that before when a monitoring tool was set 
to ensure that guardian was running but the wrong pid file was used... so the 
monitoring tool would not see the pid it was expecting (because guardian was 
using a differently named one) and it would stop guardian and restart it with 
the stopstart script every 20 minutes because that was how often the monitoring 
tool was set for...
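The pid-file mismatch described above is easy to test for before a watchdog decides to restart anything. The following is an added example, not code from this thread or from the guardian/ipfire scripts; the pid-file path, the command name "guardian" and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from the guardian/ipfire scripts.
# It separates "daemon is really down" from "the watchdog is reading a pid
# file that belongs to another program", the mismatch described above.
# The pid-file path and the command name "guardian" are assumptions.

# Trimmed command name of a pid, or empty if that pid is not running.
proc_name() {
    ps -o comm= -p "$1" 2>/dev/null | sed 's/^ *//;s/ *$//'
}

# check_pidfile PIDFILE EXPECTED_COMM
#   0  pid file names a live process with the expected command name
#   1  pid file missing, unreadable or not numeric
#   2  pid file is stale: no such process is running
#   3  pid is alive but is a different program (wrong pid file)
check_pidfile() {
    pidfile=$1; expected=$2
    [ -r "$pidfile" ] || return 1
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    actual=$(proc_name "$pid")
    [ -n "$actual" ] || return 2
    [ "$actual" = "$expected" ] || return 3
    return 0
}

# Watchdog verdict: restart only on codes 1 or 2. A "wrong-pidfile" verdict
# means the monitor and the daemon disagree on the pid file; restarting in
# that state is what produces the periodic stop/start loop.
watchdog_decision() {
    if check_pidfile "$1" "$2"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "running" ;;
        1|2) echo "restart" ;;
        *) echo "wrong-pidfile" ;;
    esac
}

# Constructed demonstration using this shell's own pid as the "daemon".
tmp=$(mktemp)
echo $$ > "$tmp"
watchdog_decision "$tmp" "$(proc_name $$)"   # running
watchdog_decision "$tmp" guardian            # wrong-pidfile
rm -f "$tmp"
```

Run the check with the pid file the monitoring tool is configured for and the daemon's real command name; a steady "wrong-pidfile" result points at the configuration, not at the daemon.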




