Snort mailing list archives
Re: SNORT has stopped alerting
From: "Farnsworth, Robert" <robert.farnsworth () hp com>
Date: Wed, 16 Jul 2014 18:53:26 +0000
I've tried to answer these the best I could. See below.

1. Which output plugin are you using in your snort.conf (syslog, unified2, etc..)?

# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp

# syslog
output alert_syslog: LOG_AUTH LOG_ALERT

2. Where are you outputting the alerts (directory, database, barnyard2)?

Directory - /var/log/snortlogs

3. What is the final destination of the alerts (database, binary, text)?

Not sure about this, sorry, I am a novice to SNORT/UNIX; they are forwarded to an e-mail address. (Not sure if that is what you're asking.)

4. How are you viewing the alert data (console, GUI)?

Console

5. What are the rules/rules files included in snort.conf?

# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules
include $RULE_PATH/botnet-cnc.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/community.rules
include $RULE_PATH/content-replace.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/info.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/phishing-spam.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/scada.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/voip.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules

# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

###################################################
# Step #9: Customize your Shared Object Snort Rules
# For more information, see http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
###################################################

# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/sql.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules

From: Y M [mailto:snort () outlook com]
Sent: Wednesday, July 16, 2014 2:39 PM
To: Farnsworth, Robert
Cc: snort-users
Subject: RE: [Snort-users] SNORT has stopped alerting

If more information is provided, you will get better help:

1. Which output plugin are you using in your snort.conf (syslog, unified2, etc..)?
2. Where are you outputting the alerts (directory, database, barnyard2)?
3. What is the final destination of the alerts (database, binary, text)?
4. How are you viewing the alert data (console, GUI)?
5. What are the rules/rules files included in snort.conf?

If this was double posted, I blame the browser!

YM

________________________________
From: robert.farnsworth () hp com
To: snort-users () lists sourceforge net
Date: Wed, 16 Jul 2014 17:45:26 +0000
Subject: [Snort-users] SNORT has stopped alerting

I have stopped receiving ALERTs from snort. I have checked and yes, it is running. Any troubleshooting tips would be appreciated.

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
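The five questions in the thread are the usual first pass for a sensor that is running but silent: which output plugins are enabled, whether the unified2 file is still being written, and whether the included rule files actually contain live rules. The script below is an added example, not code from the thread or from the Snort project. It scripts those checks against a constructed sandbox that mirrors the quoted snort.conf (snort.alert with nostamp, $RULE_PATH includes, a local.rules); the sandbox layout, the one-hour freshness window and the temp-dir paths are assumptions for the demonstration, and on a real sensor you would point the functions at /etc/snort/snort.conf, your rules directory and /var/log/snortlogs instead.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): first-pass checks for a
# Snort 2.x sensor that "is running" but has stopped alerting. File names follow the
# snort.conf fragments quoted above; the sandbox built below is constructed sample data.

# Print the output plugins a snort.conf actually enables (commented-out lines are skipped).
snort_outputs() {
    grep -E '^[[:space:]]*output[[:space:]]' "$1" | sed 's/^[[:space:]]*//'
}

# List rule files that snort.conf includes via $RULE_PATH but that do not exist in $2.
# A missing include stops Snort at startup, so a hit here usually means the config on
# disk was edited after the running process was started (and is not what it loaded).
missing_rule_files() {
    grep -E '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$1" \
        | sed -E 's/.*\$RULE_PATH\///' \
        | while read -r f; do [ -f "$2/$f" ] || echo "$f"; done
}

# Count active rules in a rules file. A rule set whose lines have all been commented
# out loads cleanly and never alerts, which looks exactly like "Snort stopped alerting".
enabled_rules() {
    grep -cE '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1" || true
}

# Return 0 if a file under $1 whose name starts with $2 was modified in the last $3
# minutes. With "nostamp" the unified2 file keeps one fixed name, so its mtime is the
# quickest sign of life; compare it against the last time you expected an alert.
recent_log() {
    find "$1" -maxdepth 1 -name "$2*" -mmin "-$3" 2>/dev/null | grep -q .
}

# Constructed sandbox (assumption, for the demo): a snort.conf with the quoted output
# lines, one live include, one commented-out include, one include whose file is
# missing, and a unified2 file whose mtime is stuck in 2014.
build_sandbox() {
    d=$(mktemp -d)
    mkdir -p "$d/rules" "$d/logs"
    cat >"$d/snort.conf" <<'EOF'
# constructed sample, mirrors the fragments from the thread
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp
# output alert_syslog: LOG_AUTH LOG_ALERT
include $RULE_PATH/local.rules
#include $RULE_PATH/scan.rules
include $RULE_PATH/web-attacks.rules
EOF
    cat >"$d/rules/local.rules" <<'EOF'
# constructed sample local.rules: one live rule, one disabled rule
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;)
#alert tcp any any -> $HOME_NET 22 (msg:"SSH test"; sid:1000002; rev:1;)
EOF
    : >"$d/logs/snort.alert"
    touch -t 201407160000 "$d/logs/snort.alert"
    echo "$d"
}

# Human-readable report: $1 = snort.conf, $2 = rules directory, $3 = log directory.
report() {
    echo "== output plugins enabled in $1"
    snort_outputs "$1"
    echo "== includes with no file on disk under $2"
    missing_rule_files "$1" "$2"
    echo "== active rules in local.rules: $(enabled_rules "$2/local.rules")"
    if recent_log "$3" snort.alert 60; then
        echo "== snort.alert was written in the last hour"
    else
        echo "== snort.alert NOT written in the last hour: sensor is silent or logging elsewhere"
    fi
}

SANDBOX=$(build_sandbox)
report "$SANDBOX/snort.conf" "$SANDBOX/rules" "$SANDBOX/logs"
```

If every check passes on the real sensor (plugins enabled, includes present, rules live, unified2 file fresh) but nothing reaches you, the gap is downstream of Snort: the unified2 reader (barnyard2 or whatever feeds the e-mail forwarding) rather than the sensor itself.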
Current thread:
- SNORT has stopped alerting Farnsworth, Robert (Jul 16)
- Re: SNORT has stopped alerting Y M (Jul 16)
- Re: SNORT has stopped alerting Farnsworth, Robert (Jul 16)
- Re: SNORT has stopped alerting Joel Esler (jesler) (Jul 16)
- Re: SNORT has stopped alerting Y M (Jul 16)
- Re: SNORT has stopped alerting Farnsworth, Robert (Jul 16)
- Re: SNORT has stopped alerting Y M (Jul 16)
- Re: SNORT has stopped alerting Farnsworth, Robert (Jul 17)
- Re: SNORT has stopped alerting Y M (Jul 17)
- Re: SNORT has stopped alerting Farnsworth, Robert (Jul 17)
- Re: SNORT has stopped alerting Y M (Jul 17)
- Re: SNORT has stopped alerting Farnsworth, Robert (Jul 22)
- Re: SNORT has stopped alerting Jeremy Hoel (Jul 22)
- Re: SNORT has stopped alerting Farnsworth, Robert (Jul 16)
- Re: SNORT has stopped alerting Y M (Jul 16)