Snort mailing list archives
Re: snort suddenly stopped to record events
From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 24 Jul 2013 16:20:28 +0100
Hello all

On 24/07/2013 15:00, Alex wrote:
> Now, in snort.conf I have 2 lines defined for output:
>
>     output unified2: filename merged.log, limit 128
>
> and
>
>     output alert_syslog: LOG_AUTH LOG_ALERT
Yes - there are 2 lines, so you have defined 2 different outputs. Are you trying to output to unified2 (the first line), or syslog, or both? I'd recommend sticking to unified2 only unless you only want to read alerts via syslog, and then I'd use the second line. Personally I'm writing to unified2 and then using BY2 to read from those files and output to syslog and a DB.
> Now, I've started snort as daemon and tried to generate some traffic again, telnetting another host from the same source (192.168.51.59): telnet 192.168.51.100 80! Unfortunately, this time tcpdump will show and record only the arp request:
>
>     [root@ids ~]# tcpdump -i eth4 -v host 192.168.51.59
>     tcpdump: WARNING: eth4: no IPv4 address assigned
>     tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 96 bytes
>     16:20:41.672663 arp who-has 192.168.51.59 tell 192.168.51.100
If tcpdump is not seeing your traffic on eth4 then that's nothing to do with Snort!

-- 
Peter Bates
Senior Information Security Officer, Information Services Division
University College London, London WC1E 6BT
Phone: +44(0)2076792049   Internal Ext: 32049
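A small configuration audit, added here as an example and not part of this thread or of the Snort project: it parses the `output` directives of a Snort 2 snort.conf (the fragment below is constructed to mirror the two lines quoted above, plus a commented-out and a backslash-continued line) and reports which output plugins are active and where unified2 spools to. Running something like this against the real snort.conf answers "where should my alerts be landing?" before attention moves to the capture interface.

```python
"""Audit the `output` directives of a Snort 2.x snort.conf.

Added example, not the poster's file or Snort's own tooling. It lists the
active output plugins and flags the situation discussed in the thread,
where both unified2 and alert_syslog are enabled at the same time.
"""
import re

# Constructed sample snort.conf fragment (assumed, not the poster's real file).
SAMPLE_CONF = """\
# output section
output unified2: filename merged.log, limit 128
output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_fast: alerts.txt
output log_tcpdump: \\
    tcpdump.log
"""

# "output <plugin>: <arguments>"; the colon is optional in Snort's grammar.
_OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:?\s*(.*)$")


def _logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            yield stripped


def parse_outputs(text):
    """Return [(plugin, argument_string)] for every active output directive."""
    outputs = []
    for line in _logical_lines(text):
        m = _OUTPUT_RE.match(line)
        if m:
            outputs.append((m.group(1), m.group(2).strip()))
    return outputs


def unified2_options(args):
    """Parse 'filename merged.log, limit 128' into {'filename': ..., 'limit': ...}."""
    opts = {}
    for part in args.split(","):
        tokens = part.split()
        if len(tokens) >= 2:
            opts[tokens[0]] = " ".join(tokens[1:])
        elif tokens:
            opts[tokens[0]] = True  # bare flags such as 'nostamp'
    return opts


def audit(text):
    """Return (outputs, findings) where findings are human-readable notes."""
    outputs = parse_outputs(text)
    plugins = [p for p, _ in outputs]
    findings = []
    if not outputs:
        findings.append("no active output directive: alerts go nowhere")
    if "unified2" in plugins and "alert_syslog" in plugins:
        findings.append("both unified2 and alert_syslog are active: alerts are "
                        "written to the unified2 spool and to syslog")
    for plugin, args in outputs:
        if plugin == "unified2":
            opts = unified2_options(args)
            if "filename" not in opts:
                findings.append("unified2 configured without a filename")
            else:
                # Snort's unified2 'limit' is the per-file size in megabytes.
                findings.append(f"unified2 spool file {opts['filename']} "
                                f"(limit {opts.get('limit', 'default')} MB per file)")
    return outputs, findings


if __name__ == "__main__":
    outs, notes = audit(SAMPLE_CONF)
    for plugin, args in outs:
        print(f"output {plugin}: {args}")
    for note in notes:
        print("-", note)
```

Point it at a real file with `audit(open("/etc/snort/snort.conf").read())`; if unified2 is the only active output, the next place to look is the spool file named in the finding (and whatever reads it, such as Barnyard2), not syslog.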