Snort mailing list archives

RE: Snort ain't logging anything...


From: "Mam Ruoc" <mamruoc () hotmail com>
Date: Thu, 06 Feb 2003 23:33:47 +0100

Hi!

Yes, I do get a lot of output when running in verbose mode. I got a friend who accessed my ftp (I'm using proftpd) today, and suddenly Snort got triggered and logged 117 Alerts saying:

(spp_fnord) Possible Mutated IA32 NOP Sled detected.

I installed ACID successfully, so logging seems to be good now, but why doesn't snort detect my portscans or sneeze, the prog that's supposed to test snort's rulesets???

Regards.


----Original Message Follows----
From: "L. Christopher Luther" <CLuther () Xybernaut com>
To: 'Mam Ruoc' <mamruoc () hotmail com>
CC: "Snort-Users (E-mail)" <snort-users () lists sourceforge net>
Subject: RE: Snort ain't logging anything...
Date: Thu, 6 Feb 2003 12:42:39 -0500

Try running snort in sniffer mode (e.g., snort -v -i eth0).  In sniffer
mode, snort should display to the console all packets that it sees.  If
you're getting data, then let the list know and we can proceed on to the
next test.

- Christopher


-----Original Message-----
From: "Mam Ruoc" <mamruoc () hotmail com>
To: snort-users () lists sourceforge net
Date: Thu, 06 Feb 2003 11:54:55 +0100
Subject: [Snort-users] Snort ain't logging anything...

Greetings snort-experts

First of all, I'm a newbie, please be patient with me....

I got some problems after upgrading to Snort 1.9.0. I've been configuring
snort.conf a dozen times, I've set Iptables to accept everything (dropped
using IPTables), 'cause I thought packets might have been filtered before
Snort. Nothing helped...

Then I found that my eth0 wasn't in promiscuous mode, so I'd manually add it
to startup... Somebody said that's the problem, 'cause Snort couldn't
retrieve data without the NIC being in promiscuous mode (is that right?).
That didn't help either...

Can somebody please tell what I can do to detect what's wrong?? I've used
programs like nmap and sneeze (which tests rulesets by sending bogus
packets), the only thing I've got back is: 'snort: (spp_arpspoof)
Ethernet/ARP Mismatch request for Destination' in my syslog.

My system is:

Snort version 1.9.0 (Build 209) (supporting mysql)
