Snort mailing list archives
Re: snort suddenly stopped to record events
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 23 Jul 2013 12:12:25 -0400
On 7/23/2013 04:02, linux () vfemail net wrote:
Hi Waldo, Thanks for help :-). Tried provided debug rules and snort is working and logging events but only for UDP!!! Seems that something is misconfigured in my snort.conf file or some existing rule is blocking snort from logging and alerting. I am attaching here my snort.conf file, maybe you can identify what is wrong or you have a suggestion.
everything posted looked ok... i don't see anything that jumps out in your snort.conf, either...

you ran snort for just over 2 minutes (129.124889 seconds) and processed 310 packets... it is possible that there were no TCP packets during that time...

try this...

1. edit local-test.rules
2. comment out the two UDP rules
3. save and exit
4. edit snort.conf
5. enable local-test.rules
6. save and exit
7. restart snort

now generate some TCP traffic... browsing to a web site should work... does that TCP traffic show up now?

don't forget to edit your snort.conf to disable local-test.rules when you finish running each set of tests... you really don't want snort to be grabbing everything... the logs can get monstrously huge ;)

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
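
Added example, not part of the original message: steps 1-6 above and the later cleanup, scripted against constructed sample files. The rule text, SIDs, the `include $RULE_PATH/...` line layout and all function names are assumptions; the thread does not show the contents of local-test.rules.

```shell
# Constructed sample files; rule text and SIDs are assumptions.
make_samples() {            # $1 = scratch directory
    cat > "$1/local-test.rules" <<'EOF'
alert tcp any any -> any any (msg:"TEST tcp seen"; sid:1000001; rev:1;)
alert udp any any -> any any (msg:"TEST udp seen"; sid:1000002; rev:1;)
alert udp any 53 -> any any (msg:"TEST dns reply seen"; sid:1000003; rev:1;)
EOF
    cat > "$1/snort.conf" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
# include $RULE_PATH/local-test.rules
EOF
}

edit() {                    # $1 = file, $2 = sed -E expression
    sed -E "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Steps 1-3: comment out every active rule for protocol $2 in rules file $1.
disable_proto() {
    edit "$1" "s/^([[:space:]]*[a-z]+[[:space:]]+${2}[[:space:]])/# \1/"
}

# Steps 4-6: uncomment the include line for rules file $2 in config $1.
enable_include() {
    edit "$1" "s|^[[:space:]]*#[[:space:]]*(include[[:space:]].*/${2})[[:space:]]*\$|\1|"
}

# After each test run: comment the include line out again.
disable_include() {
    edit "$1" "s|^[[:space:]]*(include[[:space:]].*/${2})[[:space:]]*\$|# \1|"
}

# Count active (uncommented) rules for protocol $2 in rules file $1.
active_rules() {
    grep -cE "^[[:space:]]*[a-z]+[[:space:]]+${2}[[:space:]]" "$1" || true
}

# Count active include lines for rules file $2 in config $1.
active_includes() {
    grep -cE "^[[:space:]]*include[[:space:]].*/${2}[[:space:]]*\$" "$1" || true
}

demo=$(mktemp -d)
make_samples "$demo"
disable_proto "$demo/local-test.rules" udp
enable_include "$demo/snort.conf" local-test.rules
echo "udp=$(active_rules "$demo/local-test.rules" udp) tcp=$(active_rules "$demo/local-test.rules" tcp)"
rm -rf "$demo"
```

Step 7 (restarting snort) depends on how snort is started on the host and is left out.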