Snort mailing list archives

Empty alert file, but big snort log and event database


From: Alain Tésio <alain@onesite.org>
Date: Wed, 13 Jun 2001 14:00:49 -0500

Hi,

Here is the content from /var/log/snort :

20:05:45 root /var/log/snort #ls -l
total 1592
-rw-------    1 snort    snort         988 May 26 16:44 0526@1624-snort.log
-rw-------    1 root     root           24 May 26 19:38 0526@1938-snort.log
-rw-------    1 root     root           24 May 26 19:39 0526@1939-snort.log
-rw-------    1 root     root           24 Jun  1 20:03 0601@2003-snort.log
-rw-------    1 root     root          268 Jun  1 20:07 0601@2005-snort.log
-rw-------    1 root     root           24 Jun  1 20:08 0601@2008-snort.log
-rw-------    1 root     root           24 Jun  1 20:11 0601@2011-snort.log
-rw-------    1 root     root          268 Jun  1 20:28 0601@2027-snort.log
-rw-------    1 root     root      1587939 Jun 13 19:35 0609@0109-snort.log
-rw-------    1 snort    snort           0 May 26 16:23 alert
-rw-------    1 snort    snort           0 May 26 16:23 portscan.log
-rw-------    1 snort    snort          24 May 26 16:24 snort-0526@1623.log

Snort is now running as root:
20:05:47 root /var/log/snort #ps -eaf | grep snort
root     29893     1  0 Jun09 ?        00:00:32 snort -c /etc/snort/snort.conf -D

Why is there nothing in the alert file?

I'm using the default configuration for Snort 1.6, installed from source on
Debian GNU/Linux 2.2.

The number of rows in each table of the MySQL database is:

data 13911 
detail 2 
encoding 3 
event 13935 
icmphdr 13906 
iphdr 13935 
opt 96 
sensor 1 
tcphdr 24 
udphdr 5 

The kinds of events are:

mysql> select distinct signature from event ;
+--------------------------------------------------------------------------+
| signature                                                                |
+--------------------------------------------------------------------------+
| ICMP Destination Unreachable (Communication Administratively Prohibited) |
| ICMP Destination Unreachable (Host Unreachable)                          |
| ICMP Destination Unreachable (Port Unreachable)                          |
| ICMP Echo Reply                                                          |
| ICMP Echo Request                                                        |
| ICMP Echo Request BSDtype                                                |
| ICMP Echo Request Windows                                                |
| ICMP Time-To-Live Exceeded in Transit                                    |
| ICMP traceroute                                                          |
| MISC source port 53 to <1024                                             |
| RPC portmap request rstatd                                               |
| SCAN Proxy attempt                                                       |
+--------------------------------------------------------------------------+
13 rows in set (0.54 sec)

I didn't find an answer to this question in the manuals: how can I get
some more information out of this data?

Thanks,
Alain
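One way to get more out of the rows the database output plugin has already stored is to summarise them with a few joins across the event, iphdr and icmphdr tables. The script below is an added example, not code from the post or from the Snort project. It assumes the column names of the Snort 1.x MySQL schema (event.sid/cid/signature/timestamp, iphdr.ip_src/ip_dst/ip_proto, icmphdr.icmp_type/icmp_code, addresses stored as 32-bit unsigned integers); the sensor name, addresses and events are constructed sample data loaded into an in-memory SQLite database so that it runs offline.

```python
"""Summarise Snort events from the database output plugin's tables.

Added example (not from the mailing-list post). Column names are an
assumption based on the Snort 1.x MySQL schema; the rows are constructed.
"""
import ipaddress
import sqlite3

# Subset of the Snort 1.x schema: only the columns the queries below need.
SCHEMA = """
CREATE TABLE sensor  (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE event   (sid INTEGER, cid INTEGER, signature TEXT, timestamp TEXT,
                      PRIMARY KEY (sid, cid));
CREATE TABLE iphdr   (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                      ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER, icmp_code INTEGER,
                      PRIMARY KEY (sid, cid));
"""

# Constructed sample events:
# (cid, signature, timestamp, src, dst, ip_proto, (icmp_type, icmp_code) or None)
SAMPLE_EVENTS = [
    (1, "ICMP Echo Request", "2001-06-09 01:10:00", "10.0.0.5", "192.0.2.10", 1, (8, 0)),
    (2, "ICMP Echo Reply", "2001-06-09 01:10:01", "192.0.2.10", "10.0.0.5", 1, (0, 0)),
    (3, "ICMP Echo Request", "2001-06-09 01:15:00", "10.0.0.5", "192.0.2.10", 1, (8, 0)),
    (4, "ICMP Destination Unreachable (Port Unreachable)", "2001-06-09 01:15:02",
     "192.0.2.1", "10.0.0.5", 1, (3, 3)),
    (5, "SCAN Proxy attempt", "2001-06-09 01:20:00", "198.51.100.7", "192.0.2.10", 6, None),
    (6, "ICMP Echo Request", "2001-06-09 01:21:00", "198.51.100.7", "192.0.2.10", 1, (8, 0)),
]


def ip_to_int(dotted):
    """Addresses are stored as 32-bit unsigned integers (what INET_ATON() yields)."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(n):
    """Inverse of ip_to_int; on MySQL itself INET_NTOA(ip_src) does the same."""
    return str(ipaddress.IPv4Address(n))


def load_sample(conn):
    """Create the schema and insert the constructed rows for sensor id 1."""
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'sensor-a', 'eth0')")  # constructed sensor
    for cid, sig, ts, src, dst, proto, icmp in SAMPLE_EVENTS:
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?, ?)",
                     (cid, ip_to_int(src), ip_to_int(dst), proto))
        if icmp is not None:
            conn.execute("INSERT INTO icmphdr VALUES (1, ?, ?, ?)", (cid, icmp[0], icmp[1]))
    conn.commit()


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return conn


def events_by_signature(conn):
    """Event count per signature, busiest first."""
    return conn.execute("""
        SELECT signature, COUNT(*) AS n FROM event
        GROUP BY signature ORDER BY n DESC, signature""").fetchall()


def top_sources(conn, limit=10):
    """Source addresses generating the most events (event joined to iphdr on sid, cid)."""
    rows = conn.execute("""
        SELECT i.ip_src, COUNT(*) AS n
        FROM event e JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid
        GROUP BY i.ip_src ORDER BY n DESC, i.ip_src LIMIT ?""", (limit,)).fetchall()
    return [(int_to_ip(src), n) for src, n in rows]


def icmp_breakdown(conn):
    """ICMP type/code behind each ICMP signature, so unreachables and echoes can be told apart."""
    return conn.execute("""
        SELECT e.signature, c.icmp_type, c.icmp_code, COUNT(*) AS n
        FROM event e JOIN icmphdr c ON e.sid = c.sid AND e.cid = c.cid
        GROUP BY e.signature, c.icmp_type, c.icmp_code ORDER BY n DESC, e.signature""").fetchall()


def pairs_for_signature(conn, signature):
    """Source/destination pairs for one signature with first and last seen times."""
    rows = conn.execute("""
        SELECT i.ip_src, i.ip_dst, COUNT(*) AS n, MIN(e.timestamp), MAX(e.timestamp)
        FROM event e JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid
        WHERE e.signature = ?
        GROUP BY i.ip_src, i.ip_dst ORDER BY n DESC, i.ip_src, i.ip_dst""",
        (signature,)).fetchall()
    return [(int_to_ip(s), int_to_ip(d), n, first, last) for s, d, n, first, last in rows]


if __name__ == "__main__":
    db = open_sample_db()
    for sig, n in events_by_signature(db):
        print(f"{n:6d}  {sig}")
    for src, n in top_sources(db, 5):
        print(f"{n:6d}  {src}")
    for sig, t, c, n in icmp_breakdown(db):
        print(f"{n:6d}  type {t} code {c}  {sig}")
    for row in pairs_for_signature(db, "SCAN Proxy attempt"):
        print(row)
```

The same SQL runs unchanged against the MySQL tables from the post once `?` placeholders are replaced by the client library's own; the only SQLite-specific part is converting addresses in Python, which MySQL's INET_NTOA() does in the query itself.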

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net