Snort mailing list archives

Re: snort not logging


From: Rob Hughes <rob () robhughes com>
Date: 10 Jun 2002 00:28:52 -0500

On Sun, 2002-06-09 at 11:38, steve nutt wrote:
> Rob:
>
> Please give an example of using "snort -c <your config path/file>".
> Like this? "/usr/local/aris-sensor/snort -c
> /usr/local/aris-sensor/snort.conf". When I do this snort initializes but
> what should I see?

Yes, that's essentially it. The idea is to see if snort is seeing any
packets at all. This places snort in sniffer mode and is used as a
diagnostics tool.

> If I do a snort -vde I do get ARP requests, so I am seeing some kind of
> traffic from the outside interface, but if I do the same thing on the fw box
> I see everything, TCP, UDP, ICMP and ARP traffic flying by. The ifconfig for
> the snort interface is not showing promiscuous mode, only Up Running
> Multicast. When I tail the messages file when I start snort it says "eth0:
> Promiscuous mode enabled" but it does complain about "OpenPcap() device eth0
> network lookup: eth0: no IPv4 address assigned". There seems to be a
> conflict.

What version of libpcap do you have? With snort running, the interface
should go into promiscuous mode. If it doesn't, the problem isn't snort,
but is somewhere with your pcap libraries. Since you say that eth0
promiscuous mode is being enabled, just verify that with a check of
ifconfig.

Then try running some traffic across the link to see if snort actually
picks up the packets. I believe the error about pcap is normal on an
interface with no address assigned under linux, but I'm not positive on
that.

Failing that, do you have tcpdump on the box? Tcpdump opens the
interface and listens the same way snort does, so it may be useful to
see if one is seeing traffic but not the other.

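The diagnostic Rob describes (start snort in sniffer mode, confirm PROMISC on the interface with ifconfig, then compare what tcpdump and snort each see) can be scripted. The script below is an added example for this archive page, not code from the thread or from the Snort project. It assumes Linux, root, and ifconfig or ip, tcpdump, snort and the coreutils timeout command in PATH; it relies on snort's documented -v (sniffer mode), -i (interface) and -n (exit after N packets) flags and on the "MM/DD-HH:MM:SS" timestamp that snort -v prints at the start of each packet. The interface name eth0 and the packet count of 10 are defaults chosen here, not values taken from the thread. One caveat: on newer Linux kernels a libpcap capture may not raise the IFF_PROMISC flag that ifconfig shows, so check ip link's PROMISC flag as well before blaming libpcap.

```shell
#!/bin/sh
# Added example: compare what tcpdump and snort see on a sensor interface.
# Assumes Linux, root, tcpdump/snort/timeout in PATH. Not from the thread.

IFACE="${1:-eth0}"   # interface under test (eth0 is the one in the thread)
COUNT="${2:-10}"     # packets each tool must capture before it exits
WAIT="${3:-15}"      # seconds to wait for COUNT packets before giving up

# Return 0 if the given ifconfig / "ip link show" output contains PROMISC.
# Old ifconfig prints "UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500",
# newer ifconfig prints "flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>",
# and ip prints "<BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>".
has_promisc() {
    case "$1" in
        *PROMISC*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Fetch the flag line(s) for IFACE, preferring ip over ifconfig.
iface_flags() {
    if command -v ip >/dev/null 2>&1; then
        ip link show "$IFACE" | head -n 1
    else
        ifconfig "$IFACE"
    fi
}

# Count packets a tool captures on IFACE (bounded by COUNT and WAIT).
# tcpdump prints one summary line per packet with -n; snort -v prints
# a line starting with the timestamp "MM/DD-HH:MM:SS" for each packet.
capture_count() {
    case "$1" in
        tcpdump) timeout "$WAIT" tcpdump -n -i "$IFACE" -c "$COUNT" 2>/dev/null \
                     | wc -l | tr -d ' ' ;;
        snort)   timeout "$WAIT" snort -v -i "$IFACE" -n "$COUNT" 2>/dev/null \
                     | grep -c '^[0-9][0-9]/[0-9][0-9]-' ;;
        *)       echo 0 ;;
    esac
}

# Turn the two counts into the verdict the thread is working toward:
# no packets anywhere means the link/span feed is the problem, tcpdump
# seeing packets but snort not means snort or its libpcap is the problem.
diagnose() {
    td="$1"; sn="$2"
    if [ "$td" -eq 0 ] && [ "$sn" -eq 0 ]; then
        echo "no-traffic"        # nothing reaches IFACE: check cabling/span/tap
    elif [ "$sn" -eq 0 ]; then
        echo "snort-blind"       # tcpdump sees traffic, snort does not
    elif [ "$td" -eq 0 ]; then
        echo "tcpdump-blind"     # unusual: snort sees traffic, tcpdump does not
    else
        echo "capture-ok"        # both see packets: look at rules/logging next
    fi
}

main() {
    # Hold the interface open with snort so ifconfig/ip reflect its PROMISC request.
    snort -v -i "$IFACE" >/dev/null 2>&1 &
    spid=$!
    sleep 2
    if has_promisc "$(iface_flags)"; then
        echo "PROMISC is set on $IFACE while snort runs"
    else
        echo "PROMISC is NOT set on $IFACE while snort runs: suspect libpcap/driver"
    fi
    kill "$spid" 2>/dev/null || true

    td=$(capture_count tcpdump)
    sn=$(capture_count snort)
    echo "tcpdump saw $td packets, snort saw $sn packets (limit $COUNT in ${WAIT}s)"
    echo "verdict: $(diagnose "$td" "$sn")"
}

# Only run the live checks when an interface is given, e.g.: sh check.sh eth0 10
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root while generating some traffic across the monitored link (a ping from another host is enough); a "snort-blind" verdict with PROMISC set points at the snort build or its libpcap rather than at the network feed.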

