Re: Nothing written to logfiles

[James Sinnamon <jaymz () bigpond net au>]

Dear snort users and developers,

Thanks for your help.  I have been able to reach first
base by adding the following rule: 

    alert tcp any any -> any any (msg:"ANY PROBE any attempt";)

... to /etc/snort/rules/experimental.rules, which is included in 
/etc/snort/snort.conf.  

Of course this causes a flood of messages 
and warnings, but at least I can see that Snort is responding to 
attempted and actual connections made to my firewall computer 
ports.  

Conversely, removing the above rule causes the flood of warnings  
to diminish to practically nothing.

I am still not sure why the nmap probes referred to earlier 
did not trigger any messages, but at least  I now have some
ability to test cause and effect.


Paul Schmehl wrote:
> What happens when you run snort from the commandline?  Do you see alerts
> scrolling across the screen like you do if you use tcpdump?

Haven't done it properly.  It's a bit tricky to recreate the environment
set up by '/etc/init.d/snort start'.  May do it later, if I need to again.

Paul Schmehl wrote:
> What happens when you scan it with nessus?

Too problematic to install nessus except on the Debian firewall 
computer itself.  There don't seem to be RPMs for my other 
(RedHat 9.0 Linux systems), so I let it go for now.
 
Paul Schmehl wrote:
> > greenhouse:/etc/init.d# ps auxwww | grep snort
> > snort   2030  0.9  3.6 36732 33164 ?     Rs   16:57   0:00
> > /usr/sbin/snort \  -m 027 -D -c /etc/snort/snort.conf -l /var/log/snort
> > -d -u snort -g snort \ -O -S HOME_NET=[192.168.0.0/24] -i eth0
>
> First of all, you've defined HOME_NET in your snort conf file.  

It comes from the Debian configuration program, I think.


Paul Schmehl wrote:
> No need to
> define it on the commandline, plus the way you've done it is meaningless
> and *should* be generating an error.  Have you looked in the messages file
> for errors when you try to start snort?

Yes, I spotted a message complaining of a syntax error in  the 
rule above (missing ':' from the above rule, my mistake.  Don't 
know what caused the problem earlier.)  '/etc/init.d/snort start' sent all 
output to /dev/null :

 /sbin/start-stop-daemon --start --quiet --pidfile "$PIDFILE" \
  --exec $DAEMON -- $COMMON $DEBIAN_SNORT_OPTIONS \
                        -S "HOME_NET=[$DEBIAN_SNORT_HOME_NET] \
                        -i $interface >/dev/null

... so I couldn't spot any messages top begin with.

Thanks again for your help and for your trouble.

regards,

James

-- 
James Sinnamon
jaymz at bigpond net auStralia
+61 412 319669, +61 2 95692123
http://www.australianvisions.com.au/Members/james


-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users