Snort mailing list archives
Re: Snort not generating alerts
From: rmkml <rmkml () yahoo fr>
Date: Wed, 30 Oct 2013 21:37:01 +0100 (CET)
Hi Matt and James,

Could you try starting Snort with checksum verification disabled, please? (-k none)

Could you describe your configuration in more detail, please? What is your network architecture? (IDS/sniffing mode? IPS/inline mode? VMware or similar? What OS? iptables? ...)

Regards
@Rmkml

On Wed, 30 Oct 2013, James Lay wrote:
> On 2013-10-22 16:11, Matt . wrote:
>> I'm ramping up on Linux and Snort, so not highly familiar with them yet. That said, I've installed Snort and Snort Report onto Ubuntu 12.04 via the instructions at the following URL and fixed the errors that prevented snort and barnyard2 from running.
>> http://www.symmetrixtech.com/articles/016-snortinstallguide2953.pdf
>>
>> At this point I am not able to determine why it's not generating alerts; the log files are empty. If I add the following lines, uncommented, to the bottom of snort.conf, data is put into the log files and database. But once I comment out the lines nothing is generated.
>>
>> #alert ip any any -> any any (msg:"Got an IP Packet"; classtype:not-suspicious; sid:2000000; rev:1;)
>> #alert icmp any any -> any any (msg:"Got an ICMP Packet"; classtype:not-suspicious; sid:2000001; rev:1;)
>> #alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:2000499; rev:4;)
>>
>> I've searched online and am stumped. Any assistance, pointers, recommendations would be much appreciated.
>>
>> Thanks,
>> Matt
>
> Let it run for a day, then see what happens. In this case I suspect no news is really that... nothing hitting (yet ;)).
>
> James