Snort mailing list archives

RE: Help with a config file please?


From: snort () xiata com
Date: Fri, 4 Apr 2003 17:27:26 -0500 (EST)

Christopher,

Ok I changed the conf to only send the log data to MySQL - I am trying to
stick to the config that silicondefense.com puts out on
http://www.silicondefense.com/support/windows/winsnortdocs/WinSnortIIS.pdf
After re-reading that doc I also made a couple of other changes but so far
no luck on detecting all the nmap stuff that I am sending. I am now able
to see portscans going to the IP address of the snort device but still
nothing comes up when I sweep on the other IPs that I need to monitor.
When I run snort -v -i2 I see all the traffic going through that system
(there is a lot of traffic so I can’t simply see the portscan taking
place). When I use windump and I narrow down the scope of it to only
packets w/ a source of the machine that I am using to run nmap I am able
to see those packets then so I know that the stuff is in fact getting to
the snort device.
I took a look @ the MySQL and there is data there from the portscan that I
sent to the IP address of the snort so at least the logging part is
taking place in one way shape or form.

For what it's worth I have 2 NICs on this system, one to access the ACID
console that only has TCP/IP bound & it's firewalled (MS) and the second to
run the monitor and that one has no bindings whatsoever.
Any ideas as to where I screwed up this config are really welcome.

Carlos


Either send Snort log data to MySQL or alert data to MySQL but not both
[0].


Q: Have you run Snort in its sniffer mode (e.g., snort -i1 -v) to see if the
traffic from your scans and 'attacks' is even being seen by Snort?

Q: Have you looked directly into the MySQL database to see if the Snort
DB event table actually has any data in it?

I'm not an ACID popper ;) so I cannot help you much w/ why ACID does not see
any alerts, but from previous posts to this list, I can safely say that it's
often best to rollback your config to something simpler, say alerting to
a text file, while trying to diagnose Snort problems.

- Christopher

[0] - http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
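The second question above (look directly into the database rather than through ACID) is the one that settles this kind of problem fastest. The queries below are an added example, not something either poster sent; they assume the stock Snort MySQL schema of that era (tables sensor, event, signature and iphdr, with ip_src/ip_dst stored as unsigned 32-bit integers), so check the names against your own create_mysql script if your version differs. The scanning host 192.0.2.10 is a placeholder.

```sql
-- Added example, not from the thread: verify what Snort actually wrote to
-- MySQL, and from which sensor/interface. Table and column names follow the
-- Snort create_mysql schema (sensor, event, signature, iphdr); confirm them
-- against your own create_mysql script.
USE snort;

-- 1. Which sensors exist and on which interface? With two NICs you want to
--    see the monitor interface here, not only the management one.
SELECT sid, hostname, interface, last_cid
FROM sensor;

-- 2. Is there anything in the event table at all, and from which sensor?
--    A sensor row with no events is the symptom described in the thread.
SELECT sid,
       COUNT(*)       AS events,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM event
GROUP BY sid;

-- 3. Most recent events with signature name and addresses.
--    LEFT JOIN on iphdr: preprocessor alerts such as portscan summaries
--    carry no packet, so they may have no iphdr row at all.
SELECT e.sid, e.cid, e.timestamp, s.sig_name,
       INET_NTOA(i.ip_src) AS src,
       INET_NTOA(i.ip_dst) AS dst,
       i.ip_proto
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
ORDER BY e.timestamp DESC
LIMIT 20;

-- 4. Only events whose source is the nmap box (placeholder 192.0.2.10),
--    broken down by destination: shows whether sweeps against the *other*
--    monitored IPs were ever recorded, or only those against the sensor.
SELECT INET_NTOA(i.ip_dst) AS dst,
       COUNT(*)            AS events,
       MAX(e.timestamp)    AS last_seen
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE i.ip_src = INET_ATON('192.0.2.10')
GROUP BY i.ip_dst
ORDER BY last_seen DESC;
```

If query 2 shows events only for the sensor bound to the management NIC, or query 4 lists only the sensor's own address as a destination, the problem is on the capture side (wrong -i interface, or a HOME_NET / rule set that does not cover the other hosts) rather than in ACID or the database output plugin; that is exactly the case where falling back to a text alert file, as suggested above, isolates the fault.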





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net