Re: no IDS logs from snort

[Ray Caparros <arcy24 () gmail com>]

Glad to know you got it working!
 On Mar 11, 2013 1:56 PM, "Kevin Thomas" <kpt2078 () gmail com> wrote:

> All, I think this problem is resolved now.  I deleted all of my snort
> rules under /etc/snort/rules and then I changed my source from "Sourcefire
> VRT for registered users" to "EmergingThreats.net Community rules" and then
> pulled the updates for the new rules, selected the rules I wanted to use,
> and then stopped and restarted snort. Not long afterward, it began writing
> to the /var/log/snort/alert file and guardian could finally act on the
> alerts.  Next on the agenda is to find out why the guardian process keeps
> dieing and restarting automatically every 20 minutes or so, releasing all
> the IP blocks when it restarts.  Thanks to everyone who offered
> insight/suggestions.
>
> Kevin
>
>
> On Mon, Mar 11, 2013 at 11:53 AM, waldo kitty <wkitty42 () windstream net>wrote:
>
> > On 3/8/2013 17:44, Kevin Thomas wrote:
> > > This is the contents of the /etc/snort directory.  The files owned by
> > root:root were created by me.
> > > -rw-r--r-- 1 root   root      152 2013-03-06 18:13 readme.txt
> > > drwxr-xr-x 2 nobody nobody  12288 2013-03-06 23:37 rules
> > > -rw-r--r-- 1 nobody nobody  19506 2013-03-06 23:57 snort.conf
> > > -rw-r--r-- 1 nobody nobody  19506 2013-02-16 11:03 snort.conf.orig
> > > -rwxr-xr-x 1 root   root       73 2013-03-06 18:38 snort-test.sh
> > > -rwxr-xr-x 1 root   root       29 2013-03-07 00:01 start.sh
> > > -rwxr-xr-x 1 root   root       28 2013-03-07 00:02 stop.sh
> > > -rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
> > > -rw-r--r-- 1 root   root      104 2013-03-07 00:03 vars
> >
> > what are the contents of this vars file? what creates it? when?
> >
> > > # taken from /etc/snort vars
> > > #ipvar HOME_NET any
> > >
> > > # Set up the external network addresses. Leave as "any" in most
> > situations
> > > ipvar EXTERNAL_NET any
> >
> > i ask about that vars file because it is referenced above... you did not
> > post
> > your entire snort.conf so i can't see if there's an "include
> > /etc/snort/vars"
> > line in it as is indicated there should be...
> >
> > i'm thinking that file may need to be nobody:nobody because snort is
> > likely
> > running as nobody... that's the way we do it anyway ;)
> >
> >
> > ------------------------------------------------------------------------------
> > Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> > Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> > endpoint security space. For insight on selecting the right partner to
> > tackle endpoint security challenges, access the full report.
> > http://p.sf.net/sfu/symantec-dev2dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
>
>
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> endpoint security space. For insight on selecting the right partner to
> tackle endpoint security challenges, access the full report.
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!