Snort mailing list archives

RE: Configuration issue


From: "John Berkers" <berjo () ozemail com au>
Date: Sun, 23 Sep 2001 23:10:49 +1000

Coffee as payment would be excellent!! ;^)

Where exactly are you sending your output?  I didn't see any output plugins
configured.

John Berkers.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Erek Adams
Sent: Sunday, 23 September 2001 6:44
To: DJDave Sobel
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Configuration issue


On Sat, 22 Sep 2001, DJDave Sobel wrote:

Snort Users:

Need a little help... I believe I have everything configured
correctly... having built and installed snort 1.8.1, I have it running
and configured for my network.  My network is divided into three major
subnets, one with publicly addressable IPs, and two private blocks.

Despite the fact that I'm seeing multiple CodeRed and Nimda attacks in
the web server logs, Snort does not seem to see them -- or certainly
doesn't report them.  I'm not using anything more than the standard
ruleset, so I'm not sure what I'm doing wrong.

I've included my snort.conf below, and I execute snort with this
command:

/usr/local/bin/snort -c /usr/local/snort/snort.conf -dD

I have removed the -dD and verified that snort does run, and with the
-dD I can see it in the process list.

Can anyone help?

[...snip...]

Maybe, if you pay us with coffee and beer.  ;-)

A couple of things:

        1)  grep -v '#' snort.conf | grep -v '^$'    Gives you a nice clean cut-down
snort.conf.
        2)  Where is snort in your network?  Is it on a switch, 10/100
autosensing hub, plain vanilla hub?  Can it see _any_ traffic going to those
servers?

Check that snort can see those boxes by:  snort -dv host <webserver_IP>  and
then:
---
[erek@lurch]~>telnet route-server.cerf.net
Trying 134.24.38.246...
Connected to route-server.cerf.net.
Escape character is '^]'.

route-server>ping <webserver_ip>
Translating <webserver_ip> (192.102.249.3) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.yyy.zzz.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/24 ms
route-server>quit
Connection closed by foreign host.
---

If you don't see the packets in the snort window, then something is amiss
with the network setup/hardware, not with your snort.conf.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
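Added example, not from either poster: a small POSIX shell script that produces the cut-down snort.conf Erek describes (comment and blank lines dropped, with the `#` quoted so the shell does not eat it) and then checks for the output plugin lines John asks about. The snort.conf below is a constructed sample, not the original poster's file.

```shell
#!/bin/sh
# Added example (not from the thread). Strips a snort.conf down to its active
# lines and reports whether any "output" plugin directive is in effect.

# Constructed sample config: one output plugin is present but commented out.
SAMPLE_CONF="${TMPDIR:-/tmp}/snort-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# Sample snort.conf (constructed for this example)
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET

preprocessor http_decode: 80 -unicode -cginull
# output alert_syslog: LOG_AUTH LOG_ALERT

include web-iis.rules
EOF

# Cut-down config: drop lines that are only a comment, and blank lines.
# The '#' must be quoted, otherwise the shell treats it as a comment start.
strip_config() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Number of active "output" directives; a commented-out one does not count.
# "|| true" keeps the exit status 0 when grep -c finds nothing.
count_output_plugins() {
    strip_config "$1" | grep -c '^output ' || true
}

# Number of lines that survive the strip.
count_active_lines() {
    strip_config "$1" | wc -l | tr -d ' '
}

# Human-readable verdict on the output plugin question.
check_outputs() {
    n=$(count_output_plugins "$1")
    if [ "$n" -eq 0 ]; then
        echo "WARNING: no active output plugin in $1"
    else
        echo "$n output plugin line(s) active in $1"
    fi
}

strip_config "$SAMPLE_CONF"
check_outputs "$SAMPLE_CONF"
```

Run it against a real snort.conf by pointing SAMPLE_CONF at that file instead of the heredoc; the warning fires for the situation John suspected, where alerts never reach a configured destination.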

