Snort mailing list archives

Re: snort error config option "detection" ...


From: Adam Szabo <adamx001 () gmail com>
Date: Sun, 25 Oct 2009 17:51:50 +0100

Yes, it sees the traffic, but the mysql database is empty. The tables are
there but all empty.
So after i exit snort, i see the summary that a lot of packets were
captured, but 0 ALERTS, 0 LOGGED.

Adam Szabo

On Sun, Oct 25, 2009 at 2:45 PM, GBRUNN <Gregory.Brunn () compucom com> wrote:

Have you verified that snort is seeing traffic? That would be my first
step.


Run snort as a packet sniffer

# snort -dev



 ------------------------------
*From:* Adam Szabo [mailto:adamx001 () gmail com]
*Sent:* Sunday, October 25, 2009 9:08 AM
*To:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] snort error config option "detection" ...

Thank you all. My ubuntu was all messed up so i reinstalled the whole
system and it works now.

I successfully installed BASE and i see the web surface but there are 0
alerts. I'm behind a router, but there should be alerts on my local network
also, am i right? Snort is running since half an hour.

Adam Szabo

On Sat, Oct 24, 2009 at 6:35 PM, Nigel Houghton <nhoughton () sourcefire com> wrote:

 On Sat, Oct 24, 2009 at 1:15 PM, Adam Szabo <adamx001 () gmail com> wrote:
Detection: Search-Method = AC-BNFA-Q
ERROR: /etc/snort/snort.conf(273) Config option "detection" can only be
configured once.

Adam Szabo

On Sat, Oct 24, 2009 at 6:23 PM, Nigel Houghton <nhoughton () sourcefire com> wrote:

On Sat, Oct 24, 2009 at 3:47 AM, Adam Szabo <adamx001 () gmail com> wrote:
Still not working. The configuration is the default i downloaded from
snort.com. I only changed the HOME_NET and EXTERNAL_NET variables and the
rules path.

Adam Szabo

On Thu, Oct 22, 2009 at 10:43 PM, Russ Combs <rcombs () sourcefire com> wrote:

You've got a typo on every line!  (see below)

With those fixes I can run either lines 1 and 3 or lines 2 and 3 through
snort -T.

If that doesn't fix it, send your conf.

Russ
On Thu, Oct 22, 2009 at 2:15 PM, Adam Szabo <adamx001 () gmail com> wrote:

I have these:
config detection: search-method lowmen

lowmen -> lowmem


config detection: search method ac-bnfa max_queue_events 5

search method -> search-method


config event_queue: max_queue 8 log 3 order_events content_lenght

content_lenght -> content-length

Adam Szabo

On Thu, Oct 22, 2009 at 8:09 PM, Matt Olney <molney () sourcefire com> wrote:

Is it possible that you have multiple detection statements?

grep detection snort.conf

On Thu, Oct 22, 2009 at 1:58 PM, Adam Szabo <adamx001 () gmail com> wrote:
Hi,
I'm running Snort 2.8.5 on Ubuntu linux and i'm getting this error when i
start Snort (snort -c /etc/snort/snort.conf):

"Detection: Search-Method = AC-BNFA-Q
ERROR: /etc/snort/snort.conf(273) Config option "detection" can only be
configured once."

I did not change anything near line 273, so i don't know why is this
happening. Can you help me?

Thank you,
Adam Szabo




------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users









What exactly is the error you are getting now?

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/






Then you aren't using the snort.conf from the tarball with only the
edits you say you made.

I get no such error with the standard snort.conf. I suggest you go
back to step 1, copy the snort.conf to /etc/snort/snort.conf and try
running snort with the -T option and probably with the -c option to
make sure you are getting the right snort.conf. (you probably want to
edit first to make sure your rule path is correct)

--
 Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/


