Snort mailing list archives
RE: Configuration issue
From: "John Berkers" <berjo () ozemail com au>
Date: Sun, 23 Sep 2001 23:10:49 +1000
Coffee as payment would be excellent!! ;^)

Where exactly are you sending your output? I didn't see any output plugins configured.

John Berkers

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Erek Adams
Sent: Sunday, 23 September 2001 6:44
To: DJDave Sobel
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Configuration issue

On Sat, 22 Sep 2001, DJDave Sobel wrote:
> Snort Users:
>
> Need a little help... I believe I have everything configured correctly... having built and installed snort 1.8.1, I have it running and configured for my network. My network is divided into three major subnets, one with publicly addressable IPs, and two private blocks.
>
> Despite the fact that I'm seeing multiple CodeRed and Nimda attacks in the web server logs, Snort does not seem to see them -- or certainly doesn't report them. I'm not using anything more than the standard ruleset, so I'm not sure what I'm doing wrong.
>
> I've included my snort.conf below, and I execute snort with this command:
>
> /usr/local/bin/snort -c /usr/local/snort/snort.conf -dD
>
> I have removed the -dD and verified that snort does run, and with the -dD I can see it in the process list.
>
> Can anyone help?
[...snip...]

Maybe, if you pay us with coffee and beer. ;-)

A couple of things:

1) grep -v '#' snort.conf | grep -v '^$'

Gives you a nice clean cutdown snort.conf.

2) Where is snort in your network? Is it on a switch, 10/100 autosensing hub, plain vanilla hub? Can it see _any_ traffic going to those servers? Check that snort can see those boxes by:

snort -dv host <webserver_IP>

and then:

---
[erek@lurch]~>telnet route-server.cerf.net
Trying 134.24.38.246...
Connected to route-server.cerf.net.
Escape character is '^]'.
route-server>ping <webserver_ip>
Translating <webserver_ip> (192.102.249.3) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.yyy.zzz.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/24 ms
route-server>quit
Connection closed by foreign host.
---

If you don't see the packets in the snort window, then something is amiss with the network setup/hardware, not with your snort.conf.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
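The two checks raised in this thread, the comment-stripped view of snort.conf and the question of whether any output plugin is configured, as an added shell example that is not from the thread or from the Snort project. The sample snort.conf it writes is constructed for the example, and the function names and temp-file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: review a snort.conf the way the
# replies above suggest. First reduce it to its active lines (no comments,
# no blank lines), then check whether any "output" plugin is configured.
# Without one, Snort 1.8.x only writes its default alert file under the
# log directory (-l, /var/log/snort by default), easy to overlook with -D.

# Active lines only. Note the quoting: an unquoted # starts a shell
# comment, so "grep -v # snort.conf" would run grep without a pattern.
snort_conf_active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Number of "output <plugin>: ..." lines in the active configuration.
# wc is used instead of grep -c so a zero count is not an error status.
snort_conf_output_count() {
    snort_conf_active_lines "$1" | grep '^[[:space:]]*output[[:space:]]' |
        wc -l | tr -d ' '
}

# True (exit 0) when at least one output plugin is configured.
snort_conf_has_output() {
    [ "$(snort_conf_output_count "$1")" -gt 0 ]
}

# Constructed sample config (hypothetical, Snort 1.8 syntax), written to
# the path given as $1. The only output line in it is commented out.
write_sample_conf() {
cat > "$1" <<'EOF'
# sample snort.conf for the example above
var HOME_NET [192.168.1.0/24,10.0.0.0/24]
var EXTERNAL_NET !$HOME_NET

preprocessor http_decode: 80 -unicode -cginull
preprocessor stream4: detect_scans

# output alert_syslog: LOG_AUTH LOG_ALERT
include web-iis.rules
EOF
}

SAMPLE_CONF="${TMPDIR:-/tmp}/snort_sample_$$.conf"
write_sample_conf "$SAMPLE_CONF"
if snort_conf_has_output "$SAMPLE_CONF"; then
    echo "output plugin configured: alerts go where it points"
else
    echo "no output plugin: look for the alert file in the -l log directory"
fi
rm -f "$SAMPLE_CONF"
```

Run it against a real snort.conf by replacing the constructed sample path; the sample is only there so the script runs offline.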