Re: Snort Reporting and logs

[Joel Esler <jesler () sourcefire com>]

It looks like your snort.conf is looking for your reference.config file and
it can't find it.

Looks like you wrote "/user/local" instead of "/usr/local"

Maybe a typo?

Joel

On Thu, Jan 13, 2011 at 9:03 AM, Atkins, Dwane P <ATKINSD () uthscsa edu>wrote:

> When I ran the /usr/local/snort/bib/snort –D –u snort –g snort –c
> /usr/local/snort/etc/snort.conf –I eth1, packets started processing.  This
> is the same command I have in the RC.LOCAL.
>
>
>
> However, I did receive the following error: ERROR: Unable to open Reference
> file '/user/local/snort/etc/reference.config' (No such file or directory)
>
>
>
> And something just isn't right.  When I go to web into
> http://10.10.10.10/snortreport-1.3.1/alerts.php, it does not appear to
> want to speak.
>
>
>
> I know these are an awful lot of questions.  I was reading a book on snort
> last night hoping to find some answers.
>
>
>
> I am still looking for the perfect management console. I do not want to
> purchase an appliance or anything and we have limited financial resources
> but I would like a management console where we can manage multiple sensor,
> do some reporting and also manage events, such as deleting them and marking
> them as low priority or do not trigger.
>
>
>
> Is there something like this out there?
>
>
> Thanks for all your help.
>
>
> Dwane
>
>
>
> *From:* Joel Esler [mailto:jesler () sourcefire com]
> *Sent:* Thursday, January 13, 2011 7:27 AM
>
> *To:* Atkins, Dwane P
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] Snort Reporting and logs
>
>
>
> I don't see Snort on that list at all. Just looks like Barnyard is running,
> not Snort.
>
> --
>
> Sent from my iPhone
>
> Skype:eslerjoel
>
>
> On Jan 13, 2011, at 8:17 AM, "Atkins, Dwane P" <ATKINSD () uthscsa edu>
> wrote:
>
> It shows it trying to load?  I am guessing this is what the “?” in the PID
> means?
>
>
>
> Dwane
>
>
>
> ps -ef | grep snort
>
> root      1432  1206  0 Jan12 ?        00:01:57 /usr/local/bin/barnyard2 -c
> /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S
> /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w
> /var/log/snort/barnyard2.waldo
>
> dubay     2109  2080  0 07:21 pts/0    00:00:00 grep --color=auto snort
>
>
>
> *From:* Joel Esler [mailto:jesler () sourcefire com]
> *Sent:* Wednesday, January 12, 2011 5:29 PM
> *To:* Atkins, Dwane P
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] Snort Reporting and logs
>
>
>
> Are you sure Snort is still running, and on the correct interface?
>
> Sent from my iPad
>
>
> On Jan 12, 2011, at 5:56 PM, "Atkins, Dwane P" <ATKINSD () uthscsa edu>
> wrote:
>
> Snort 2.9.0.3 has been installed on a PowerEdge 2850.  I have a pretty
> decent hard drive on it and more if I need to do LVM.  However, when I try
> to use the http://snortbox/snortreport-1.3.1/alerts.php, it will not
> view.  So I look to see if I am actually logging packets and I go to
> /var/log/snort and I see the barnyard2.waldo has not been updated in almost
> 17 hours and that snort.u2.12$$$$$$  has not been up dates sfor 17 hours
> either.  This is the busiest Vlan on campus and I am sure will always be
> updated.
>
>
>
> My questions are,
>
>
>
> 1.)     How do I ensure that the logging continues?  What does it stop
> like that? And---
>
> 2.)    Is there a reporting tool that is more reliable for me than
> SnortReports and if so, what do you all recommedn and is tehre install
> instructions for both installation and extrapulating the proper traffic from
> the Snort Sensors.?
>
>
>
> Thanks
>
>
> Dwane
>
>
>
>
> ------------------------------------------------------------------------------
> Protect Your Site and Customers from Malware Attacks
> Learn about various malware tactics and how to avoid them. Understand
> malware threats, the impact they can have on your business, and how you
> can protect your company and customers by using code signing.
> http://p.sf.net/sfu/oracle-sfdevnl
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
Joel Esler
Skype:eslerjoel
http://blog.snort.org

------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users