Snort mailing list archives

RE: Snort and acid prob!!! Acid not running :(

From: "Patrick S. Harper" <patrick () internetsecurityguru com>
Date: Wed, 14 Jul 2004 05:52:21 -0500

Where is the IDS placed?  Is it on a switch?  If it is, do you have the
sniffing interface on a span port?  Were any of the 471 packets something
that would trigger an alert?  Nope, because it says ALERTS: 0. 

Download Nessus (www.nessus.org) or CIS
(http://www.cerberus-infosec.co.uk/CIS-5.0.02.zip) and scan the interface on
the snort box you are sniffing on to test it first to see if you have a
problem with placement. I am betting you are on a switch and only seeing
broadcast traffic.

If you can see the ACID interface then it is running, snort is starting so
mysql is running, if you have your output line correct in your snort.conf
and your acid_conf.php database lines correct then it is just a matter of
your box not seeing any traffic.  Where exactly do you have this placed in
relation to your 50 PC's?

Hope this helps


Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com

www.ntsug.org - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light the
damn thing yourself!"
 
-----Original Message-----
From: Aparna Mangla [mailto:aparna.mangla () gmail com] 
Sent: Wednesday, July 14, 2004 5:12 AM
To: Patrick S. Harper; nwoliver () internetsecurityguru com;
snort-users () lists sourceforge net
Subject: Snort and acid prob!!! Acid not running :(

hi
plz help me urgently.

I have installed snort-2.0.2 with acid 0.9.6b23 on redhat 9. I think i
followed all the steps correctly. and when i run :
snort -c /etc/snort/snort.conf
i get the following output at the end:


============================================================================
===
Snort analyzed 471 out of 471 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 29         (6.157%)          ALERTS: 0
    UDP: 208        (44.161%)         LOGGED: 0
   ICMP: 89         (18.896%)         PASSED: 0
    ARP: 90         (19.108%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 55         (11.677%)
DISCARD: 0          (0.000%)
============================================================================
===
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
============================================================================
===
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
============================================================================
===
TCP Stream Reassembly Stats:
        TCP Packets Used: 29         (6.157%)
         Stream Trackers: 9
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
============================================================================
===
database: Closing connection to database "snort"
Snort exiting

Now...when i start the httpd interface, i get 0 alerts, 0 sensors, 0 % UDP,
0% TCP.....as though it is inactive.
I am connected on LAN of 50 PCs.
Please tell me how to correct it.
Hoping for an urgent reply.
Thanking you
Aparna Mangla

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
 



-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

RE: Snort and acid prob!!! Acid not running :( Patrick S. Harper (Jul 14)
- <Possible follow-ups>
- RE: Snort and acid prob!!! Acid not running :( Patrick S. Harper (Jul 14)
  - Message not available
    - Message not available
    - Re: Snort and acid prob!!! Acid not running :( patrick (Jul 14)
- Snort and acid prob!!! Acid not running :( Aparna Mangla (Jul 14)
  - RE: Snort and acid prob!!! Acid not running :( Patrick S. Harper (Jul 14)
- RE: Snort and acid prob!!! Acid not running :( Murray, Todd (Jul 14)