Snort mailing list archives

Re: New snort install ipvar issue


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 24 Dec 2010 14:04:57 -0700

Thanks John....as I looked I realized my snort.conf was missing
something..............an output plugin line 8-|  I'm glad I get a day off
tomorrow...my brain is obviously mush.  I see a BUNCH of goodies in my logs
now...thanks again.

James


From:  John Gay <john.gay () sourcefire com>
Date:  Fri, 24 Dec 2010 15:44:51 -0500
To:  James Lay <jlay () slave-tothe-box net>
Cc:  Snort <snort-users () lists sourceforge net>
Subject:  Re: [Snort-users] New snort install ipvar issue


It does not look like the sfportscan preprocessor is turned on.  Try adding
that. Also you could try a real simple rule....  or even verify that you are
seeing traffic by running snort with a -v

John

On Dec 24, 2010 3:37 PM, "James Lay" <jlay () slave-tothe-box net> wrote:
Here we go:

root     31407     1  0 11:58 ?        00:00:12 /opt/bin/snort -i ppp0 -D -c
/opt/etc/snort/snort.conf

I've also tried what I had before, which was eth1...I was getting alerts with
older snort version:

Dec 24 08:46:30 gateway snort[1779]: [122:20:0] (portscan) UDP Distributed
Portscan [Priority: 3] {PROTO:255} 66.150.8.4 -> externalIP

But no longer.  Complete configline is:

./configure --prefix=/opt --with-dnet-includes=/opt/include
--with-dnet-libraries=/opt/lib --with-daq-includes=/opt/lib
--with-daq-libraries=/opt/lib --enable-ipv6 --enable-zlib

Really strange.

Thank you.

James

From:  John Gay <john.gay () sourcefire com>
Date:  Fri, 24 Dec 2010 15:16:16 -0500
To:  James Lay <jlay () slave-tothe-box net>
Cc:  Snort <snort-users () lists sourceforge net>
Subject:  Re: [Snort-users] New snort install ipvar issue


What command are you using to start snort? Can you show the results of ps
-ef | grep snort

On Dec 24, 2010 2:40 PM, "James Lay" <jlay () slave-tothe-box net> wrote:
Thanks John...not running IPv6, but eh...whatever works.  Now it seems I've
muffed something as I get no alerts whatsoever even after doing an nmap on
it.  I did have 2.9.0.0 running fine on this, but now it seems nothing
causes an alert.  Anyone have any hints on why this would fire any alerts?
I even am testing ping outbound and inbound and nothing.  Config below:

SNIP


What command are you using to start snort? What output are you using?  Can
you show the results of ps -ef | grep snort



John
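As an added example, not code from the thread or from the Snort project: a small POSIX shell check for the two configuration gaps this thread turns on, a snort.conf with no active output plugin line (Snort runs and matches but writes nothing) and one without the sfportscan preprocessor (so no [122:x:x] portscan alerts), plus the kind of "real simple rule" suggested above for proving the alert path with a ping. The two snort.conf fragments are constructed, and the helper names (snort_conf_check, write_broken_conf, write_fixed_conf, simple_test_rule) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): check a snort.conf
# for a missing "output" plugin line and a missing "preprocessor sfportscan"
# line. Helper names and the sample configs below are assumptions.

# Report each missing item on stdout; return 1 if anything is missing, else 0.
snort_conf_check() {
    conf="$1"
    missing=0
    # Drop comments first so a commented-out "# output ..." does not count.
    active=$(sed 's/#.*//' "$conf")
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*output[[:space:]]+'; then
        echo "missing: no active 'output' line, alerts will not be written anywhere"
        missing=1
    fi
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*preprocessor[[:space:]]+sfportscan'; then
        echo "missing: no active 'preprocessor sfportscan' line, portscan alerts need it"
        missing=1
    fi
    return $missing
}

# Constructed config that reproduces the problem: output is commented out and
# sfportscan is absent.
write_broken_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
# output alert_fast: alert
preprocessor frag3_global
include $RULE_PATH/local.rules
EOF
}

# Constructed config with both lines present (Snort 2.9 syntax).
write_fixed_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
output alert_fast: alert
preprocessor frag3_global
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
include $RULE_PATH/local.rules
EOF
}

# A one-line local.rules entry that fires on any ICMP to HOME_NET, so a plain
# ping from inside or outside proves the capture -> rule -> output path.
simple_test_rule() {
    printf '%s\n' 'alert icmp any any -> $HOME_NET any (msg:"ICMP test rule"; sid:1000001; rev:1;)'
}

# Demonstration on both constructed configs; the broken one reports two items.
demo_dir=$(mktemp -d)
write_broken_conf "$demo_dir/broken.conf"
write_fixed_conf "$demo_dir/fixed.conf"
for f in broken fixed; do
    echo "== $f.conf"
    snort_conf_check "$demo_dir/$f.conf" && echo "ok: output and sfportscan both active"
done
echo "== local.rules"
simple_test_rule
rm -rf "$demo_dir"
```

Run the check against the real file (for the install above, /opt/etc/snort/snort.conf), then `snort -T -c /opt/etc/snort/snort.conf` to have Snort itself parse and report on the configuration, and `snort -v -i ppp0` as John suggests to confirm packets are actually reaching the interface before blaming the rules.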



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and,
should the need arise, upgrade to a full multi-node Oracle RAC database
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

