Snort mailing list archives
Snort not generating any severity
From: Khanh Tran <ktran () ktran com>
Date: Thu, 18 Sep 2014 17:05:25 -0400 (EDT)
Hello,

Successfully installed snort (v2.9.6.2), barnyard2 (v2-1.13) and snorby (v2.6.2). For testing purposes, I added this rule to /etc/snort/snort.conf:

alert icmp any any -> any any (msg:"ICMP Test2"; sid:10000001; rev:1;)

With that signature, I verified snort generated events to unified2 files; and barnyard2 successfully parsed those files to write to mysql. Snorby then successfully displays records from mysql.

I spanned external and internal firewall interfaces to snort, and verified that snort sees tons of traffic on its eth1 interface running in promiscuous mode. (See attached "Snorby Results.pdf")

I ran snort for 24 hours. Unfortunately it did NOT report any alerts or severity! It continues to alert on my test ICMP rule, but no other records/alerts/events were written. I even ran a port scan against our firewall, which was picked up by the firewall but not snort.

What am I doing wrong? (I've attached my snort.conf)

Thanks in advance for the help!

KT
Attachments: snort.conf, Snorby Results.pdf, Snort Results.txt
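The situation described in the post above, a hand-written rule in snort.conf firing while nothing else does, is one where a practitioner first checks three things statically before looking at traffic: whether any rule files are actually loaded (a commented-out `include` loads nothing, and a `var RULE_PATH` only matters if something includes through it), what `HOME_NET` and `EXTERNAL_NET` resolve to, since most distributed rules are written as `$EXTERNAL_NET any -> $HOME_NET any`, and whether the `sfportscan` preprocessor is configured, because port-scan detection in Snort 2.x comes from that preprocessor rather than from a rule. The script below is an added example, not the poster's attachment and not Snort project code; the snort.conf fragment it parses is constructed, and the finding texts and the `parse_conf`/`findings` helpers are this example's own.

```python
"""Static sanity check of a snort.conf: which rule files are included, how many
rules are actually defined, what HOME_NET / EXTERNAL_NET resolve to, and whether
the sfportscan preprocessor is configured. Added example; not Snort code."""
import re
from typing import Dict, List

# Constructed sample fragment (NOT the poster's attachment). It mimics a config
# where the only live rule is an inline test rule and the rule-file include is
# commented out.
SAMPLE_CONF = """\
# constructed example snort.conf fragment
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
preprocessor frag3_global: max_frags 65536
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
output unified2: filename snort.log, limit 128
# include $RULE_PATH/local.rules
alert icmp any any -> any any (msg:"ICMP Test2"; sid:10000001; rev:1;)
"""

RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


def expand(value: str, variables: Dict[str, str]) -> str:
    """Expand $VAR references using var/ipvar/portvar definitions seen so far."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def parse_conf(text: str) -> Dict[str, object]:
    """Return variables, include targets, inline rules and preprocessor names."""
    variables: Dict[str, str] = {}
    includes: List[str] = []
    rules: List[str] = []
    preprocessors: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out include loads nothing
        m = re.match(r"^(ipvar|portvar|var)\s+(\S+)\s+(.+)$", line)
        if m:
            variables[m.group(2)] = m.group(3).strip()
            continue
        m = re.match(r"^include\s+(\S+)$", line)
        if m:
            includes.append(expand(m.group(1), variables))
            continue
        m = re.match(r"^preprocessor\s+([A-Za-z0-9_]+)", line)
        if m:
            preprocessors.append(m.group(1))
            continue
        # A rule line starts with an action keyword and ends with its option block.
        if line.split()[0] in RULE_ACTIONS and "(" in line and line.endswith(")"):
            rules.append(line)
    return {"variables": variables, "includes": includes,
            "rules": rules, "preprocessors": preprocessors}


def findings(conf: Dict[str, object]) -> List[str]:
    """Checks a practitioner wants when only a hand-written test rule fires."""
    out: List[str] = []
    variables = conf["variables"]
    if not conf["includes"]:
        out.append("no include directives: only %d inline rule(s) are loaded"
                   % len(conf["rules"]))
    home = variables.get("HOME_NET")
    if home is None or home == "any":
        out.append("HOME_NET is unset or 'any': rules written as "
                   "$EXTERNAL_NET -> $HOME_NET cannot distinguish direction")
    if variables.get("EXTERNAL_NET", "").startswith("!") and home == "any":
        out.append("EXTERNAL_NET negates HOME_NET while HOME_NET is 'any': "
                   "'!any' is not a usable address set")
    if "sfportscan" not in conf["preprocessors"]:
        out.append("sfportscan preprocessor not configured: port scans "
                   "generate no preprocessor events")
    return out


if __name__ == "__main__":
    for line in findings(parse_conf(SAMPLE_CONF)):
        print("FINDING:", line)
```

Run it against the real file with `parse_conf(open("/etc/snort/snort.conf").read())`; the definitive runtime check is `snort -T -c /etc/snort/snort.conf`, which parses the configuration, reports errors, and prints the count of rules read, so a table showing only the single test rule confirms that the rule files are not being loaded.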
Snort-users mailing list: https://lists.sourceforge.net/lists/listinfo/snort-users
Current thread:
- Snort with pf_ring -- recommendations for DAQ settings Risto Vaarandi (Sep 18)
- Re: Snort with pf_ring -- recommendations for DAQ settings Eugenio Perez (Sep 24)
- Snort not generating any severity Khanh Tran (Sep 25)
- Re: Snort not generating any severity waldo kitty (Sep 25)