Snort mailing list archives

How to test if snort is properly functioning?


From: Joost Ringoot <joost.ringoot () meteo be>
Date: Thu, 14 Mar 2019 09:35:21 +0100 (CET)

Hello, 

I have just set up snort and let it run with this command: 

snort -i ens224 -A fast -c /etc/snort/snort.conf 

It is running with this as last lines: 
Preprocessor Object: SF_GTP Version 1.1 <Build 1> 
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4> 
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13> 
Preprocessor Object: SF_DNS Version 1.1 <Build 4> 
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1> 
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3> 
Commencing packet processing (pid=31593) 


ens224 is a secondary network interface which is not configured with IP address, I think that is ok and preferred? 


But nothing gets logged 

I tried a couple nmaps to get something logged: 

e.g.:
nmap -sP 192.168.15.0/24 

even on the machine itself 

BTW: 192.168.15.0/24 is the subnet that is on the primary interface configured, it is the same physical LAN as the 
secondary interface that I use for snort. 

I would expect that snort would log something about the portscan, but nothing. 

There are daily alert files in 
/var/log/snort 

but they are empty 


Are my expectations wrong? 
What should I do for instance to get a portscan logged by snort? 




(BTW: PulledPork is installed and
./pulledpork/pulledpork.pl -c /etc/pulledpork/pulledpork.conf 

ends with 
Done 
Please review /var/log/sid_changes.log for additional details 
Fly Piggy Fly! 
) 



Thanks in advance, 





KMI - IRM 
Joost RINGOOT 
System Administrator 
Koninklijk Meteorologisch Instituut 
Institut Royal Météorologique 
Ringlaan 3 Avenue Circulaire 
1180 Brussel | Bruxelles 
+32 (0)2 373 06 75 
after office hours: 
+32 (0)2 373 06 83 
www.meteo.be 


Think of the environment, print this mail only if really necessary
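
An added example, not part of the original post and not Snort project code: one way to confirm that a sensor started with -A fast sees traffic and writes alerts, using a local test rule and a check of the alert file. The SID 1000001, the rule text, the function names and the sample alert lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: end-to-end self-test for a Snort 2.x sensor run with "-A fast".
# Assumptions (not from the post): test SID 1000001, rule placed in a local
# rules file that snort.conf includes.

# Rule to append to the local rules file; fires on any ICMP packet the sensor sees.
test_rule() {
  printf '%s\n' 'alert icmp any any -> any any (msg:"LOCAL sensor self-test"; sid:1000001; rev:1;)'
}

# Summarise a fast-format alert file as "count gid:sid" lines.
fast_alert_sids() {
  sed -n 's/.*\[\*\*\] \[\([0-9]*\):\([0-9]*\):[0-9]*\] .*/\1:\2/p' "$1" \
    | LC_ALL=C sort | uniq -c | awk '{print $1, $2}'
}

# Exit status: 0 = test SID alerted
#              1 = alerts present, but not from the test SID
#              2 = alert file missing or empty (nothing matched any rule)
verify_test_alert() {
  [ -s "$1" ] || return 2
  grep -Eq "\[\*\*\] \[1:$2:[0-9]+\] " "$1" && return 0
  return 1
}

# Constructed sample of a fast alert file (not real sensor output).
sample_alerts() {
  cat <<'EOF'
03/14-09:41:02.118243  [**] [1:1000001:1] LOCAL sensor self-test [**] [Priority: 0] {ICMP} 192.168.15.20 -> 192.168.15.1
03/14-09:41:03.119101  [**] [1:1000001:1] LOCAL sensor self-test [**] [Priority: 0] {ICMP} 192.168.15.20 -> 192.168.15.1
03/14-09:42:10.004417  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.168.15.20 -> 192.168.15.1
EOF
}
```

After adding the rule, validate the configuration with snort -T -c /etc/snort/snort.conf, restart the sensor, send a ping across the monitored segment and run verify_test_alert on the alert file. A status of 2 points at the capture path or the rule set rather than at a specific detection.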
