Snort mailing list archives
1.8.1 not logging anything
From: Phil <foo_bar_00 () yahoo com>
Date: Thu, 23 Aug 2001 23:35:01 -0700 (PDT)
Hey all. I upgraded to 1.8.1 and now it's not logging ANYTHING. I left it running in daemon mode with no logs for a week. I tried running out of daemon mode and got:

# /usr/local/bin/snort -A fast -i ppp0 -l /var/log/snortlogs -c /etc/snort/snort.conf
Log directory = /var/log/snortlogs

        --== Initializing Snort ==--
Checking PID path...
Initializing Network Interface ppp0
Decoding Ethernet on interface ppp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
908 Snort rules read...
908 Option Chains linked into 145 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.1-RELEASE (Build 74)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

After a few minutes, closing snort looks like:

Breakdown by protocol:                Action Stats:
    TCP: 552        (99.639%)         ALERTS: 0
    UDP: 2          (0.361%)          LOGGED: 0

My config looks like:

var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

and I have all includes except:

# include shellcode.rules
# include policy.rules
# include info.rules
# include icmp-info.rules
# include virus.rules

I'm running Solaris 8 x86 MU5, RP-PPPoE, IPFilter 3.4.20, Snort 1.8.1

Thanks all,
Phil
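A check a reader of this post would want before suspecting the rule set: what do the posted `var` lines actually resolve to, and do they admit the traffic a PPPoE host sees? The script below is an added example (not Snort's code and not from the poster); it parses those six `var` lines, expands the `$ppp0_ADDRESS` interface variable and the `!$HOME_NET` negation the way Snort's variable syntax defines them, and tests a rule header against constructed packets. The ppp0 address (203.0.113.45) and the two packets are invented for the demonstration; the post does not show the real address.

```python
"""Resolve Snort 1.8-style 'var' definitions and check which src/dst pairs a
rule header admits. Added example; not Snort source and not the poster's code."""
import ipaddress

# Constructed stand-in for what Snort substitutes for $ppp0_ADDRESS (the
# interface's address/netmask). Hypothetical value, not from the post.
IFACE_ADDR = {"ppp0": "203.0.113.45/32"}

# The var lines exactly as posted: every server var collapses onto HOME_NET.
CONFIG = """
var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
"""


def parse_vars(text):
    """Return {name: raw_value} for each 'var NAME VALUE' line."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var":
            out[parts[1]] = parts[2]
    return out


def resolve(token, vars_, depth=0):
    """Resolve an address token to (negated, networks); networks=None means 'any'.
    Handles '!', '$NAME' chains and '$<iface>_ADDRESS'; a '!' wrapped around an
    already-negated var cancels out, as in Snort."""
    if depth > 16:
        raise ValueError("variable recursion too deep: %s" % token)
    negated = False
    while token.startswith("!"):
        negated = not negated
        token = token[1:]
    if token == "any":
        return (negated, None)
    if token.startswith("$"):
        name = token[1:]
        if name.endswith("_ADDRESS") and name[:-len("_ADDRESS")] in IFACE_ADDR:
            net = ipaddress.ip_network(IFACE_ADDR[name[:-len("_ADDRESS")]], strict=False)
            return (negated, [net])
        inner_neg, nets = resolve(vars_[name], vars_, depth + 1)
        return (negated != inner_neg, nets)
    return (negated, [ipaddress.ip_network(token, strict=False)])


def addr_matches(spec, addr):
    """True when addr satisfies the resolved (negated, networks) spec."""
    negated, nets = spec
    hit = nets is None or any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negated


def header_matches(header, pkt, vars_):
    """Match a rule header such as 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80'
    against a packet dict with proto/src/sport/dst/dport. Options are ignored."""
    action, proto, src, sport, direction, dst, dport = header.split()
    if proto != "ip" and proto != pkt["proto"]:
        return False

    def side(spec_tok, port_tok, ip, port):
        return addr_matches(resolve(spec_tok, vars_), ip) and (
            port_tok == "any" or int(port_tok) == port)

    fwd = side(src, sport, pkt["src"], pkt["sport"]) and side(dst, dport, pkt["dst"], pkt["dport"])
    if direction == "<>":
        rev = side(src, sport, pkt["dst"], pkt["dport"]) and side(dst, dport, pkt["src"], pkt["sport"])
        return fwd or rev
    return fwd


VARS = parse_vars(CONFIG)
HTTP_RULE = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80"

# Constructed packets: one inbound from the Internet to the ppp0 address on
# port 80, one outbound from the ppp0 address. Hypothetical addresses.
INBOUND = dict(proto="tcp", src="198.51.100.7", sport=40000, dst="203.0.113.45", dport=80)
OUTBOUND = dict(proto="tcp", src="203.0.113.45", sport=40000, dst="198.51.100.7", dport=80)

if __name__ == "__main__":
    for name in ("HOME_NET", "EXTERNAL_NET", "HTTP_SERVERS"):
        print(name, "->", resolve("$" + name, VARS))
    print("inbound matches:", header_matches(HTTP_RULE, INBOUND, VARS))
    print("outbound matches:", header_matches(HTTP_RULE, OUTBOUND, VARS))
```

With these definitions HOME_NET is the single ppp0 address, EXTERNAL_NET is everything else, and an inbound `$EXTERNAL_NET any -> $HTTP_SERVERS 80` header matches while the mirror-image outbound packet does not. That is the expected shape for a host sensor, so a run that counts 554 packets and zero alerts is not explained by the variables excluding all traffic; the next things to verify are whether the sensor is actually seeing and decoding the link's frames and whether the rule options fire, neither of which this script models.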