Snort mailing list archives
Re: snort not catching any packets
From: "Michael Steele" <michaels () winsnort com>
Date: Fri, 26 Apr 2013 12:04:34 -0400
This could pose a massive problem enabling all those rules. You might want to take a look at PulledPork for your rule processing.

Best regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 *******************
* Visit Us @ http://www.winsnort.com *
* ~~ FREE WinIDS Snort installation guides ~~ *
* ~~ FREE support forums ~~ *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************

From: Robert W [mailto:rwawrig () yahoo com]
Sent: Friday, April 26, 2013 10:47 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort not catching any packets

I've found the issue, if anyone is wondering why snort is not capturing anything even when there are no errors and all looks ok. The rules which I've downloaded from snort.org have most of the alerts commented within the rule files. After I've enabled all the alerts from scan.rules, my scans started to get logged by snort.

cheers
Robert

_____

From: Robert W <rwawrig () yahoo com>
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Sent: Friday, April 26, 2013 10:31 AM
Subject: [Snort-users] snort not catching any packets

Hi,

I'm new to snort, so probably I'm missing something obvious..

I'm running snort with output unified2 and barnyard2 which is saving to mysql, and snorby as front-end. Snort is not catching anything with only the rules enabled (snort.conf -> Step #7: Customize your rule set). The "merged.log" unified2 file stays at 0 bytes. If I enable decoder and preprocessor event rules (#Step 8) then it starts catching events, but they are coming up as Snort Alert [xxx:y:z]. The alerts are not mapped to names.

Also barnyard is giving this message:

[Event: 1] with [gid: 120] [sid: 3] [rev: 1] [classification: 2] [priority: 3] was not found in barnyard2 signature cache, this could lead to display inconsistency. To prevent this warning, make sure that your sid-msg.map and gen-msg.map file are up to date with the snort process logging to the spool file.

I've checked again and again all the conf files and the variables, all point to the correct sid-msg.map and gen-msg.map.

Any idea what may be wrong?

Thanks
Robert

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
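A small diagnostic for the two symptoms Robert describes: rule files from the download where most signatures ship commented out (so the unified2 spool stays empty), and barnyard2 falling back to "Snort Alert [gid:sid:rev]" when sid-msg.map or gen-msg.map has no entry for an event. This is an added example, not code from the thread, from Snort or from barnyard2. The rule file and map contents are constructed samples in the Snort 2.x rule and map formats, the helper names (parse_rules, enable_rules, event_name, enabled_without_mapping) are my own, and the name lookup assumes barnyard2 resolves gid 1 events through sid-msg.map and every other gid through gen-msg.map. In line with Michael's caution about switching on everything, enable_rules only uncomments the sids you name.

```python
import re

# Constructed sample: a Snort 2.x rule file in which most signatures ship
# commented out, as Robert observed with the snort.org download.
SCAN_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flags:SF; sid:630; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU,12; sid:1228; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flags:0; sid:623; rev:7;)
# this comment mentions alert traffic but is not a rule
"""

# Constructed sample maps in the barnyard2 formats "sid || msg" and
# "gid || sid || msg" (message texts invented). sid 1228 and gid 120 / sid 3
# are deliberately absent, which is what triggers the generic "Snort Alert".
SID_MSG_MAP = """\
623 || SCAN NULL
630 || SCAN synscan portscan
"""
GEN_MSG_MAP = """\
1 || 1 || snort general alert
120 || 2 || (http_inspect) DOUBLE DECODING ATTACK
"""

# A rule line: optional leading '#', then a rule action, then the header.
RULE_START = re.compile(r"^\s*(?P<hash>#\s*)?(alert|log|pass|drop|reject|sdrop)\s+\S")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


def parse_rules(text):
    """One dict per signature line: sid, rev, msg and whether it is active."""
    rules = []
    for line in text.splitlines():
        start = RULE_START.match(line)
        sid = SID_RE.search(line) if start else None
        if not sid:
            continue  # plain comment, blank line, or something without a sid
        rev = REV_RE.search(line)
        msg = MSG_RE.search(line)
        rules.append({
            "sid": int(sid.group(1)),
            "rev": int(rev.group(1)) if rev else 0,
            "msg": msg.group(1) if msg else "",
            "enabled": start.group("hash") is None,
        })
    return rules


def rule_summary(text):
    """(enabled, commented_out) counts: a quick explanation for an empty spool."""
    rules = parse_rules(text)
    enabled = sum(1 for r in rules if r["enabled"])
    return enabled, len(rules) - enabled


def enable_rules(text, sids):
    """Uncomment only the signatures whose sid is in `sids`; leave the rest alone."""
    out = []
    for line in text.splitlines():
        start = RULE_START.match(line)
        if start and start.group("hash"):
            sid = SID_RE.search(line)
            if sid and int(sid.group(1)) in sids:
                line = line[:start.start("hash")] + line[start.end("hash"):]
        out.append(line)
    return "\n".join(out) + "\n"


def parse_sid_msg_map(text):
    """sid-msg.map: 'sid || msg [|| reference ...]' -> {sid: msg}."""
    out = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            out[int(parts[0])] = parts[1]
    return out


def parse_gen_msg_map(text):
    """gen-msg.map: 'gid || sid || msg' -> {(gid, sid): msg}."""
    out = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            out[(int(parts[0]), int(parts[1]))] = parts[2]
    return out


def event_name(gid, sid, rev, sid_map, gen_map):
    """Name the front-end would show for a unified2 event, or the generic fallback.
    Assumption: gid 1 (rule events) resolves via sid-msg.map, other gids
    (decoder/preprocessor events) via gen-msg.map."""
    msg = sid_map.get(sid) if gid == 1 else gen_map.get((gid, sid))
    return msg if msg else "Snort Alert [%d:%d:%d]" % (gid, sid, rev)


def enabled_without_mapping(rules_text, sid_map):
    """Active sids that sid-msg.map lacks: each will display as 'Snort Alert [1:sid:rev]'."""
    return sorted(r["sid"] for r in parse_rules(rules_text)
                  if r["enabled"] and r["sid"] not in sid_map)


if __name__ == "__main__":
    sid_map = parse_sid_msg_map(SID_MSG_MAP)
    gen_map = parse_gen_msg_map(GEN_MSG_MAP)
    print("scan.rules enabled/commented:", rule_summary(SCAN_RULES))
    patched = enable_rules(SCAN_RULES, {1228})
    print("after enabling sid 1228:", rule_summary(patched))
    print("enabled but missing from sid-msg.map:", enabled_without_mapping(patched, sid_map))
    for ev in [(1, 623, 7), (1, 1228, 9), (120, 3, 1), (120, 2, 1)]:
        print(ev, "->", event_name(*ev, sid_map, gen_map))
```

Run it against a real rules directory by reading each file into `parse_rules` and the live sid-msg.map/gen-msg.map into the two map parsers; the `enabled_without_mapping` list is the set of signatures that will reach barnyard2 without a name until the maps are regenerated, which is exactly the bookkeeping PulledPork does for you.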
Current thread:
- snort not catching any packets Robert W (Apr 26)
- Re: snort not catching any packets Robert W (Apr 26)
- Re: snort not catching any packets Michael Steele (Apr 26)
- Re: snort not catching any packets Robert W (Apr 26)