Snort mailing list archives

Re: snort


From: Nick Moore <nmoore () sourcefire com>
Date: Fri, 2 Mar 2012 09:25:47 -0600

Jagan,

Are you seeing traffic that would generate any events besides ICMP events?
The snort.conf doesn't seem to contain any problems that I can catch at a
glance.

A good way to test your policy is to download some sample pcaps from
http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Publicly_available_PCAP_files
and test your snort instance with them, using:

snort -c c:\snort\snort.conf -r c:\pcap\sample.pcap

assuming that you put your downloaded pcap file in the path c:\pcap and
named it sample.pcap. I used the W32/Sdbot infected machine pcap and with a
standard set of rules got one alert.

Also, please cc the entire list on replies, not just me. You'll get faster
responses that way.

Thanks!

Nick

On Fri, Mar 2, 2012 at 6:26 AM, Jagan Mohan Reddy D <jagan.mohan507 () gmail com> wrote:

Nick,

Thanks for your reply!

Now I'm running fine at some point of time.

I'm running Snort on Windows with the following command:

C:\snort\bin> snort -dev -c C:\snort\etc\snort.conf

In my log file I'm able to log only ICMP packets.

Why does Snort store only the ICMP packets in the log file, and not the
others?

Here I'm attaching my log file as well as snort.conf.


Can you please tell me if anything is wrong with my conf file?


----------------
Thanks & Regards
D J M Reddy



On 14 February 2012 18:19, Nick Moore <nmoore () sourcefire com> wrote:

Jagan,

My guess is that your snort.conf file contains a reference to
log/merged.log. Since the "/" is used in linux/unix systems and the "\" is
used in Windows, you should find that reference in snort.conf and edit it
to match the proper file name and path on your system.

Also, please consider moving to linux/unix. Shared object rules are not
available for Windows and this leaves you unprotected against a number of
threats.

If you need more specific help, please also consider attaching your
snort.conf file to these requests. It will likely speed up response time
and give those that would help more information.

Happy Snorting,

Nick

On Tue, Feb 14, 2012 at 6:23 AM, Jagan Mohan Reddy D <jagan.mohan507 () gmail com> wrote:

I am running Snort on Windows XP.

I am executing Snort with MySQL.

While running Snort on Windows XP, I got the following error:

C:\snort\bin> snort -c C:\Snort\etc\snort.conf


+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 1012 ]
pcap DAQ configured to passive.
Acquiring network traffic from "\Device\NPF_{D2775E7F-A95E-4DC5-AB8D-CCFE1A2DF926}".
Decoding Ethernet
ERROR: C:\Documents and Settings\Administrator\My Documents\snortbuild\snort-2.9.1.2\src\output-plugins\spo_unified2.c(302) Could not open log/merged.log: No such file or directory
Fatal Error, Quitting..

I am unable to locate that path on my system.

What's wrong with my Snort?

Can anyone reply to me?

----------------
Thanks & Regards
D J M Reddy



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
       nickgmoore38 (AIM)

    ,,_
   o"  )~   Sourcefire - The Creators of Snort
    ''''

www.sourcefire.com         www.snort.org     www.immunet.com





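Two checks a practitioner would want after reading this thread, written as an added example that is not code from the Snort project or from anyone on the list. The first models the "Could not open log/merged.log" failure: it parses the `output unified2:` lines of a snort.conf and reports any whose target directory is missing. It assumes (this is not stated on the page) that Snort's unified2 plugin opens `<log dir>/<filename>` for a relative filename, where the log dir comes from `-l` and defaults to `log` on the Windows build, which is how a config that only says `filename merged.log` would produce the path in the error. The second tallies alert-fast lines by the `{PROTO}` field, which is the quickest way to confirm whether a `snort -c snort.conf -r sample.pcap -A fast` run really fires only ICMP rules. The snort.conf fragment, the directory layout and the alert lines are all constructed here, not taken from the poster's attachments.

```python
"""Pre-flight checks for a Snort 2.9 install, as an added example (not Snort
project code and not from the list posters).

Assumptions, labelled because the page does not state them:
  * a relative unified2 `filename` is opened as "<log dir>/<filename>";
    the log dir is the -l argument, default "log" on the Windows build
  * alerts are written one per line in "alert fast" format
"""
import os
import re
from collections import Counter

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")
ALERT_PROTO_RE = re.compile(r"\{(\w+)\}")
UNIFIED2_PLUGINS = ("unified2", "log_unified2", "alert_unified2")


def parse_output_directives(conf_text):
    """Return [(plugin, {option: value}), ...] for every `output` line."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, rest = m.group(1), m.group(2)
        opts = {}
        for item in rest.split(","):         # "filename merged.log, limit 128"
            parts = item.split(None, 1)
            if len(parts) == 2:
                opts[parts[0]] = parts[1].strip()
            elif parts:
                opts[parts[0]] = True
        directives.append((plugin, opts))
    return directives


def is_absolute(path):
    """Absolute on either platform: leading '/' or a drive letter prefix."""
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def resolve_log_path(filename, log_dir):
    """Assumed unified2 behaviour: absolute names as-is, relative names under
    the log dir, joined with '/' regardless of platform."""
    return filename if is_absolute(filename) else f"{log_dir}/{filename}"


def preflight(conf_text, log_dir="log", isdir=os.path.isdir):
    """List every unified2 output whose directory does not exist.
    `isdir` is injectable so the check can run against a fake layout."""
    problems = []
    for plugin, opts in parse_output_directives(conf_text):
        if plugin not in UNIFIED2_PLUGINS:
            continue
        filename = opts.get("filename")
        if not filename:
            problems.append(f"{plugin}: no filename option")
            continue
        target = resolve_log_path(filename, log_dir)
        m = re.match(r"^(.*)[\\/][^\\/]*$", target)
        directory = (m.group(1) or "/") if m else "."
        if not isdir(directory):
            problems.append(f"{plugin}: would open {target} but directory "
                            f"'{directory}' does not exist (create it or pass -l <dir>)")
    return problems


def summarize_alerts(alert_fast_text):
    """Count events per protocol from alert-fast lines. If the only key is
    ICMP, no rule for another protocol matched the traffic."""
    counts = Counter()
    for line in alert_fast_text.splitlines():
        m = ALERT_PROTO_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


# Constructed snort.conf fragment (not the poster's file).
SAMPLE_CONF = """\
# output plugins
output unified2: filename merged.log, limit 128
output alert_fast: alert.ids
"""

# Constructed alert-fast lines with local SIDs; not captured output.
SAMPLE_ALERTS = """\
03/02-09:25:47.101532  [**] [1:1000001:1] LOCAL ICMP echo [**] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
03/02-09:25:47.101800  [**] [1:1000002:1] LOCAL ICMP reply [**] [Priority: 3] {ICMP} 10.0.0.1 -> 10.0.0.5
03/02-09:25:48.220011  [**] [1:1000003:1] LOCAL HTTP probe [**] [Priority: 3] {TCP} 10.0.0.5:1034 -> 192.0.2.10:80
"""

if __name__ == "__main__":
    # Fake layout: snort started from C:\snort\bin, no "log" dir in the CWD.
    dirs = {"C:\\snort\\bin", "C:\\snort\\etc", "C:\\snort\\log"}
    for p in preflight(SAMPLE_CONF, log_dir="log", isdir=lambda d: d in dirs):
        print("PROBLEM:", p)
    print("with -l C:\\snort\\log:",
          preflight(SAMPLE_CONF, log_dir="C:\\snort\\log", isdir=lambda d: d in dirs))
    print("events by protocol:", summarize_alerts(SAMPLE_ALERTS))
```

Run with the real `snort.conf` text and `isdir=os.path.isdir` from the directory you start Snort in, since a relative log dir is resolved against that directory; passing `-l C:\snort\log` (an existing directory) on the command line removes the dependency on the working directory altogether.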
