Snort mailing list archives
Re: Snort doesn't react on rules - help a new snort user
From: Simon Blixt <blixten_496 () hotmail com>
Date: Mon, 23 Apr 2012 07:12:00 +0000
Hi,

once again, a big thanks. Now I get it all running, but it still doesn't react on my rules.. Snort does receive and forward packets according to the display after I've used CTRL+C.

I noticed that when I start Snort it says "Using libpcap version 1.0.0" and also PCRE and ZLIB, shouldn't DAQ be there too..? I don't know what you need to see to figure out what may be wrong.. Since I'm not receiving any errors I don't know where to look :/.

I'm trying my own rule, "alert tcp any any -> any any (content:www.uid11.local" msg:"xxx"; sid: 1241231;)", and surfing to www.uid11.local from my client to the webserver.

Yours,
Blixten

Date: Mon, 23 Apr 2012 08:39:59 +0200
Subject: Re: [Snort-users] Snort doesn't react on rules - help a new snort user
From: lysemose () gmail com
To: blixten_496 () hotmail com
CC: snort-users () lists sourceforge net

Hi Blixten

I don't run IPS anymore but last time I tried it, I used this command to fire up Snort.

    /usr/local/snort/bin/snort --daq afpacket -Q -c /usr/local/snort/etc/snort.conf -i eth1:eth2 --daq-dir /usr/local/lib/daq

You only need to set up the two interfaces you will be running monitoring interfaces on, eth1 and eth2. The management interface is normal static or DHCP configured.

    auto eth1
    iface eth1 inet manual
        up ifconfig eth1 0.0.0.0 up
        up ip link set eth1 promisc on

    auto eth2
    iface eth2 inet manual
        up ifconfig eth2 0.0.0.0 up
        up ip link set eth2 promisc on

Yes, you should disable IPv4-forwarding since Snort will handle this through the internal bridge.

/Lysemose
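The rule as quoted in the message above has an unbalanced double quote in its content option and no ';' between content and msg. The following is an added example, not part of the original thread and not Snort's own parser: a small syntax check for Snort 2.x style rule options. RULE_FIXED, lint_rule and split_options are names assumed here for illustration.

```python
import re

# Constructed inputs: the rule as quoted in the message, and a corrected form (assumption).
RULE_AS_POSTED = 'alert tcp any any -> any any (content:www.uid11.local" msg:"xxx"; sid: 1241231;)'
RULE_FIXED = 'alert tcp any any -> any any (content:"www.uid11.local"; msg:"xxx"; sid:1241231;)'

HEADER = re.compile(r'^\s*\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$')
QUOTED = re.compile(r'!?\s*"(?:[^"\\]|\\.)*"')  # one double-quoted string, optional negation

def split_options(body):
    """Split on ';' outside double quotes. Returns (options, leftover, still_in_quote)."""
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote and i + 1 < len(body):
            cur += body[i:i + 2]   # keep an escaped character inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    return opts, cur.strip(), in_quote

def lint_rule(rule):
    """Return a list of syntax problems; an empty list means none were found."""
    m = HEADER.match(rule)
    if not m:
        return ["rule header or option parentheses malformed"]
    opts, leftover, in_quote = split_options(m.group(1))
    if in_quote:
        return ["unbalanced double quote in options"]
    problems = []
    if leftover:
        problems.append("last option not terminated by ';'")
    seen = {}
    for opt in opts:
        name, _, value = opt.partition(":")
        seen[name.strip()] = value.strip()
        if name.strip() in ("content", "uricontent", "msg") and not QUOTED.fullmatch(value.strip()):
            problems.append(f"{name.strip()}: value must be one double-quoted string")
    if not seen.get("sid", "").isdigit():
        problems.append("sid missing or not numeric")
    return problems

if __name__ == "__main__":
    for r in (RULE_AS_POSTED, RULE_FIXED):
        print(lint_rule(r) or "ok", "<-", r)
```

Snort's own test mode (snort -T -c with the configuration file) remains the authoritative check, since it loads the rules with the real parser.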
Current thread:
- Snort doesn't react on rules - help a new snort user Simon Blixt (Apr 21)
- Re: Snort doesn't react on rules - help a new snort user Heine Lysemose (Apr 22)
- Re: Snort doesn't react on rules - help a new snort user Simon Blixt (Apr 22)
- Re: Snort doesn't react on rules - help a new snort user Heine Lysemose (Apr 22)
- Re: Snort doesn't react on rules - help a new snort user Simon Blixt (Apr 23)
- Re: Snort doesn't react on rules - help a new snort user Heine Lysemose (Apr 23)
- Re: Snort doesn't react on rules - help a new snort user Simon Blixt (Apr 23)
- Re: Snort doesn't react on rules - help a new snort user Heine Lysemose (Apr 23)
- Message not available
- FW: Snort doesn't react on rules - help a new snort user [Solved] Simon Blixt (Apr 23)
- Re: FW: Snort doesn't react on rules - help a new snort user [Solved] Heine Lysemose (Apr 23)
- Re: Snort doesn't react on rules - help a new snort user Simon Blixt (Apr 22)
- Re: Snort doesn't react on rules - help a new snort user Heine Lysemose (Apr 22)