Snort mailing list archives

Re: oh, come on


From: "Shawn Truax" <Shawn.Truax () mbs gov on ca>
Date: Fri, 26 Sep 2003 13:47:17 -0400

Assuming everything is working and installed properly, I would recommend checking two things. One, run tcpdump on 
the interface that Snort is running on to make sure that there is traffic for Snort to process. I have done this 
myself a couple of times when I have had multiple interfaces and set the wrong one by mistake.  

Two, I would make sure you have Snort rules turned on. Snort might be processing the data but there are no rules set 
for it to trigger on. Or there is just no traffic triggering the rules. Some days one of my sensors will go for hours 
without a rule trigger just because the traffic does not contain anything I am looking for. What I do is create a rule 
that triggers on all traffic:

alert ip any any -> any any (msg:"Test Rule"; sid:1234567;)

Turn the rule on and let Snort run. See if you are getting alerts and, if you are, turn the rule back off. Warning: 
don't let this rule run for very long or unattended; it will fill up your database and hard drive fast if you forget 
about it.

If everything above turns out ok, check your connection to the database. Off the top of my head I am not too sure 
where everything is located to do this. I believe Red Hat puts error messages in the messages log file if there are 
problems; check there. You can use the mysqladmin ping command to make sure the database is running.

Oh, and make sure you have set the output plug-in properly for Snort. It should look something like this:

output database: alert, mysql, user=[database_login] password=[database_password] dbname=[database_name] 
host=[ip_of_database_computer] port=3306 sensor_name=[insert_sensor_name_here] detail=full

Hope this helps some or at least gets you started.

Shawn

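As an added example for this page (not code from the thread, from Snort, or from ACID), here is a small static checker for the two pieces of configuration the reply above walks through: the catch-all test rule and the "output database:" line. It parses the Snort 2.x rule header (action proto src_ip src_port direction dst_ip dst_port), confirms the option list is closed and carries msg and sid, and pulls the key=value parameters out of the output line, flagging missing ones and placeholders such as [database_login] left over from a pasted template. The sample inputs are constructed: the rule as it appears in the message, a corrected version with the protocol field added, and the output template from the message next to a filled-in one (hostname, user and password are made up). It does not start Snort or talk to MySQL, so it runs anywhere.

```python
"""Static sanity checks for a Snort catch-all test rule and an
'output database:' line.  Constructed example for this page; it is not
part of Snort or ACID and only checks syntax, so it runs offline."""
import re

# Snort 2.x rule header: action proto src_ip src_port direction dst_ip dst_port
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
# Database types accepted by the Snort 2.x 'output database' plugin
DB_TYPES = {"mysql", "postgresql", "oracle", "odbc", "mssql"}
REQUIRED_DB_PARAMS = ("user", "password", "dbname", "host")


def check_rule(rule):
    """Return a list of problems in a one-line Snort rule; empty means OK."""
    problems = []
    header, paren, body = rule.partition("(")
    if not paren or not body.rstrip().endswith(")"):
        problems.append("rule options must be enclosed in '(' ... ')'")
    fields = header.split()
    if len(fields) != 7:
        # The posted rule hits this: 'alert any any -> any any' has no protocol.
        problems.append(
            f"header has {len(fields)} fields, expected 7 "
            "(action proto src_ip src_port direction dst_ip dst_port)")
        return problems
    action, proto, _src, _sport, direction, _dst, _dport = fields
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        problems.append(f"unknown protocol {proto!r}; a catch-all rule uses 'ip'")
    if direction not in DIRECTIONS:
        problems.append(f"bad direction {direction!r}; use '->' or '<>'")
    # Options are 'name:value;' pairs.  msg is what ACID shows as the signature
    # name and sid is what the database plugin keys the event on.  The split on
    # ';' is naive (a ';' inside a quoted msg would confuse it) but is enough here.
    options = body.rstrip().rstrip(")")
    names = [o.split(":", 1)[0].strip() for o in options.split(";") if o.strip()]
    for required in ("msg", "sid"):
        if required not in names:
            problems.append(f"missing option '{required}'")
    return problems


def check_output_database(line):
    """Return a list of problems in a Snort 'output database:' line."""
    m = re.match(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", line)
    if not m:
        return ["expected 'output database: <alert|log>, <dbtype>, key=value ...'"]
    facility, dbtype, params = m.groups()
    problems = []
    if facility not in ("alert", "log"):
        problems.append(f"facility must be 'alert' or 'log', not {facility!r}")
    if dbtype not in DB_TYPES:
        problems.append(f"unknown database type {dbtype!r}")
    kv = {}
    for token in params.split():
        key, eq, value = token.partition("=")
        if not eq:
            problems.append(f"parameter {token!r} is not key=value")
        kv[key] = value
    for key in REQUIRED_DB_PARAMS:
        if key not in kv:
            problems.append(f"missing parameter '{key}'")
    if "port" in kv and not kv["port"].isdigit():
        problems.append(f"port must be numeric, got {kv['port']!r}")
    # Unfilled [placeholders] from a pasted template are a common mistake.
    for key, value in kv.items():
        if value.startswith("[") and value.endswith("]"):
            problems.append(f"parameter '{key}' still holds the placeholder {value}")
    return problems


# Constructed inputs: the rule as posted in the message (no protocol field),
# a corrected one, the output template from the message, and a filled-in line
# with made-up credentials and a documentation-range host address.
RULE_AS_POSTED = 'alert any any -> any any (msg:"Test Rule";sid:1234567;)'
RULE_FIXED = 'alert ip any any -> any any (msg:"Test Rule"; sid:1234567; rev:1;)'
OUTPUT_TEMPLATE = ("output database: alert, mysql, user=[database_login] "
                   "password=[database_password] dbname=[database_name] "
                   "host=[ip_of_database_computer] port=3306 "
                   "sensor_name=[insert_sensor_name_here] detail=full")
OUTPUT_FILLED = ("output database: alert, mysql, user=snort password=s3cret "
                 "dbname=snort host=192.0.2.10 port=3306 sensor_name=dmz1 detail=full")

if __name__ == "__main__":
    for label, text, check in (("rule as posted", RULE_AS_POSTED, check_rule),
                               ("rule fixed", RULE_FIXED, check_rule),
                               ("output template", OUTPUT_TEMPLATE, check_output_database),
                               ("output filled", OUTPUT_FILLED, check_output_database)):
        print(f"{label}: {check(text) or 'OK'}")
```

Run it against your own snort.conf lines before reaching for tcpdump: a rule with a missing header field never loads, and an output line still carrying bracketed placeholders never connects, and both look from ACID like "Snort sees nothing".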

"Raymond Norton" <admin () lctn org> 09/24/03 02:27pm >>>
Being the novice I am with compiling and diagnosing errors, I was really
proud of myself when I followed the Red Hat 9.0 install docs and got
everything working. httpd, mysql, and snort are all running without
complaint. I pulled up the nice ACID page and commenced to do a port scan,
but Snort does not respond to it. My page stays the same (0 hits). I looked
over the FAQ to see what might be there, and verified that I have everything
set right. I substituted "log" with "alert" in the snort.conf without any
luck.

Any idea what I should be looking at to diagnose the problem?

Raymond


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users