Snort mailing list archives

How to verify snort functionality


From: David Kingsly <davidkingsly () verizon net>
Date: Sun, 12 Apr 2009 11:54:36 -0400



I see snort running:
root@thunder:/etc/snort# ps aux |  grep snort
snort    14473  7.1  7.1 144468 110520 ?       Ss   18:52   0:05 snort
-c /etc/snort/snort.conf -u snort -g snort -D
root     30336  0.0  0.1   6464  2564 pts/0    S+   12:50   0:00 mysql
-u snort -p snort
root@thunder:/etc/snort# 

Now I want to verify that alerts are triggered and sent to the log
directory and the database.  So I installed nmap on a different machine
connected to the snort box through a hub, and I issued the command nmap
x.x.x.x (ip of my snort machine).  I do not see anything in my
database or the alerts directory located at /var/log/snort.  Is there
anywhere I forgot to look?  Something I need to disable?  (I disabled
the linux firewall through firestarter)

mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             | 
| detail           | 
| encoding         | 
| event            | 
| icmphdr          | 
| iphdr            | 
| opt              | 
| reference        | 
| reference_system | 
| schema           | 
| sensor           | 
| sig_class        | 
| sig_reference    | 
| signature        | 
| tcphdr           | 
| udphdr           | 
+------------------+
16 rows in set (0.00 sec)

mysql> select * from data;
Empty set (0.00 sec)

mysql> 

*****************************

root@thunder:/var/log/snort# more alert 
root@thunder:/var/log/snort# ls
alert  snort.log.1239490353
root@thunder:/var/log/snort# more snort.log.1239490353 
root@thunder:/var/log/snort# 
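As an added example, not part of the original thread: a small Python checker for the text alert file that answers the question above ("did my probe from host X trigger anything?"). It assumes Snort is writing the alert_fast format to /var/log/snort/alert (the poster's snort.conf may use another output plugin); the sample lines, addresses and sids below are constructed.

```python
import re
import sys
from collections import Counter

# Assumed alert_fast line shape (one line per event):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c]
#   [Priority: p] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: two alerts from the probing host, one unparseable
# line, and one alert from an unrelated host. Sids in the 1000000+ range
# are the local-rule range; these are made up for the example.
SAMPLE_ALERTS = """\
04/12-18:53:10.112233  [**] [1:1000001:0] LOCAL ICMP echo test [**] [Priority: 0] {ICMP} 192.0.2.10 -> 192.0.2.20
04/12-18:53:11.445566  [**] [1:1000002:0] LOCAL SSH connect test [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44123 -> 192.0.2.20:22
this line is not an alert and must be skipped
04/12-18:55:00.000001  [**] [1:1000001:0] LOCAL ICMP echo test [**] [Priority: 0] {ICMP} 198.51.100.7 -> 192.0.2.20
"""

def parse_fast_alerts(text):
    """Return a list of dicts, one per parseable alert_fast line; other lines are skipped."""
    return [m.groupdict() for m in (FAST_RE.match(l.strip()) for l in text.splitlines()) if m]

def count_by_signature(alerts):
    """Count events per (sid, msg) so a missing test rule stands out immediately."""
    return Counter((a["sid"], a["msg"]) for a in alerts)

def verify_probe(text, probe_ip, expected_sid):
    """True if at least one alert with expected_sid was raised for traffic from probe_ip."""
    return any(a["src"] == probe_ip and a["sid"] == str(expected_sid)
               for a in parse_fast_alerts(text))

if __name__ == "__main__":
    # Usage: python check_alerts.py /var/log/snort/alert <probe-ip> <sid>; defaults use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    probe_ip = sys.argv[2] if len(sys.argv) > 2 else "192.0.2.10"
    sid = int(sys.argv[3]) if len(sys.argv) > 3 else 1000001
    alerts = parse_fast_alerts(text)
    for (s, msg), n in sorted(count_by_signature(alerts).items()):
        print(f"sid {s:>8}  {n:4d}  {msg}")
    print("probe detected" if verify_probe(text, probe_ip, sid) else "probe NOT detected")
```

An empty alert file with zero parsed lines means nothing reached the output stage at all (interface, rules or firewall), whereas parsed lines without the probe's address point at the rule set rather than capture.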


