Snort mailing list archives
Re: No update in time window.
From: Cristian Kutscherauer <cristian.kutscherauer () fiu edu>
Date: Wed, 16 Jul 2003 12:54:57 -0400
Hi Erek, looks like you are on the correct track. Running Snort with "-v" and without the daemon option shows it snorting ok. However, no new entries/alerts are being generated in /var/log/alert.

I forgot to mention, I'm a newbie to Snort. How do I check the ACID sensor and whether the Snort rules are in fact activated?

Tks a lot, Erek.
_CK

Erek Adams wrote:
On Tue, 15 Jul 2003, Cristian Kutscherauer wrote:

> Snort was running nicely but after a machine reboot it is no longer updating the alerts.
>
> The symptoms:
> - In ACID it reports correctly the "Queried on" field. The field "Time Window" is no longer updated (it got stuck on a specific date).
> - There are new alerts reported.
>
> The environment:
> - Snort 2.0.0 (build 72)
> - Snort is listed in ps
> - Snorting on interface eth1.102 (with no IP). tcpdump -i eth1.102 shows traffic ok.
> - The Snort start log says everything is okay (except that eth1.102 has no IP).

I don't think the issue is with Snort. I think it's an ACID issue + db output plugin. Check your config, make sure you're giving a sensor ID. Did you add or change a BPF filter? If so, that's your problem. The db plugin or ACID builds a sensor ID if there isn't one by using the machine name and any BPF filters that you have. If those change, then it changes the sensor ID.

To make sure about the problem, run a second copy of Snort w/o the db output. Have it log to disk. If it does, then you know that Snort is working fine, and that the problem is in the config.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
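To make Erek's point about sensor IDs concrete, here is an added diagnostic (example code, not from the thread or from Snort itself). It models how the database output plugin would look up a sensor row and reports which identity column (hostname, interface, BPF filter) changed after a reboot. The `sensor` table layout assumed here follows Snort 2.0's create_mysql schema (sid, hostname, interface, filter, detail, encoding, last_cid); the sample rows and hostnames are constructed.

```python
"""Diagnose why ACID's "Time Window" stops moving: if the running Snort's
identity (hostname, interface, BPF filter) no longer matches an existing
sensor row, the db plugin inserts a NEW sensor and ACID keeps showing
the old sid's window.  Schema and lookup rule are assumptions, see lead-in."""
from typing import Optional

IDENTITY_COLS = ("hostname", "interface", "filter", "detail", "encoding")

# Constructed sample of the ACID/Snort 'sensor' table as it might look
# before the reboot.  'filter' is the BPF expression, None when absent.
SENSOR_TABLE = [
    {"sid": 1, "hostname": "ids01", "interface": "eth1.102", "filter": None,
     "detail": 1, "encoding": 0, "last_cid": 4821},
    {"sid": 2, "hostname": "ids01", "interface": "eth0", "filter": None,
     "detail": 1, "encoding": 0, "last_cid": 77},
]


def find_sensor(table, hostname, interface, bpf_filter,
                detail=1, encoding=0) -> Optional[int]:
    """Return the sid the plugin would reuse, or None if every identity
    column does not match and a new sensor row would be created."""
    wanted = (hostname, interface, bpf_filter, detail, encoding)
    for row in table:
        if tuple(row[c] for c in IDENTITY_COLS) == wanted:
            return row["sid"]
    return None


def changed_columns(table, hostname, interface, bpf_filter,
                    detail=1, encoding=0):
    """For each existing row, list the identity columns that differ from the
    running Snort's values.  The row with the fewest differences is the one
    the old alerts were filed under, so this tells you what to restore
    (or which sid to hand to the plugin explicitly)."""
    wanted = dict(zip(IDENTITY_COLS, (hostname, interface, bpf_filter, detail, encoding)))
    diffs = {}
    for row in table:
        diffs[row["sid"]] = [c for c in IDENTITY_COLS if row[c] != wanted[c]]
    return diffs


def diagnose(table, hostname, interface, bpf_filter) -> str:
    sid = find_sensor(table, hostname, interface, bpf_filter)
    if sid is not None:
        return f"reusing sid {sid}: new alerts extend its time window"
    best_sid, cols = min(changed_columns(table, hostname, interface, bpf_filter).items(),
                         key=lambda kv: len(kv[1]))
    return (f"new sensor row would be created; closest match is sid {best_sid}, "
            f"differing in {', '.join(cols)} - ACID still shows sid {best_sid}'s window")
```

Run `diagnose(SENSOR_TABLE, "ids01", "eth1.102", "not port 22")` to see the effect of adding a BPF filter that was not there before the reboot.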