Snort mailing list archives

Re: snort suddenly stopped to record events


From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 24 Jul 2013 16:20:28 +0100



Hello all

On 24/07/2013 15:00, Alex wrote:
> Now, in snort.conf I have 2 lines defined for output:
>
> output unified2: filename merged.log, limit 128
>
> and
>
> output alert_syslog: LOG_AUTH LOG_ALERT

Yes - there are 2 lines, so you have defined 2 different outputs.

Are you trying to output to unified2 (the first line), or syslog, or both?

I'd recommend sticking to unified2 only
unless you only want to read alerts via syslog, and then
I'd use the second line.

Personally I'm writing to unified2 and then using BY2
to read from those files and output to syslog and a DB.

> Now, I've started snort as daemon and tried to generate some traffic again,
> telnetting another host from the same source (192.168.51.59):
>
> telnet 192.168.51.100 80! Unfortunately, this time tcpdump will show and
> record only an arp request:
>
> [root@ids ~]# tcpdump -i eth4 -v host 192.168.51.59
> tcpdump: WARNING: eth4: no IPv4 address assigned
> tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 96 bytes
> 16:20:41.672663 arp who-has 192.168.51.59 tell 192.168.51.100

If tcpdump is not seeing your traffic on eth4 then that's nothing to do with Snort!

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT
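As an added example (not part of the thread), a small Python helper that applies Peter's last point mechanically: group `tcpdump -v` output into records, count what the sniffing interface actually saw, and say whether the next place to look is the SPAN/mirror or the Snort configuration. The capture text is constructed, modelled on the lines Alex posted.

```python
import re

# Constructed tcpdump -v output: one capture that sees only ARP (as in the thread),
# and one where the telnet SYN from 192.168.51.59 does reach the sensor NIC.
ONLY_ARP = """\
16:20:41.672663 arp who-has 192.168.51.59 tell 192.168.51.100
16:20:42.673101 arp who-has 192.168.51.59 tell 192.168.51.100
"""
WITH_IP = ONLY_ARP + """\
16:20:43.100001 IP (tos 0x10, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.51.59.41234 > 192.168.51.100.80: Flags [S], seq 1, win 29200, length 0
"""

RECORD_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ (\S+)")  # timestamp + protocol word
ENDPOINTS = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+")

def records(text):
    """Yield one string per packet: the timestamped line plus its indented continuations."""
    rec = []
    for line in text.splitlines():
        if RECORD_START.match(line) and rec:
            yield " ".join(rec)
            rec = []
        rec.append(line.strip())
    if rec:
        yield " ".join(rec)

def triage(text, host):
    """Count ARP vs IP records, and IP records involving `host`; attach a verdict."""
    counts = {"arp": 0, "ip": 0, "ip_from_host": 0}
    for rec in records(text):
        kind = RECORD_START.match(rec).group(1).lower().rstrip(",")  # "arp" or "ARP," or "IP"
        if kind == "arp":
            counts["arp"] += 1
        elif kind.startswith("ip"):
            counts["ip"] += 1
            m = ENDPOINTS.search(rec)
            if m and host in m.groups():
                counts["ip_from_host"] += 1
    if counts["ip_from_host"]:
        verdict = "traffic reaches the sniffing interface: look at snort.conf and its output plugins"
    elif counts["ip"]:
        verdict = f"IP traffic arrives but none involving {host}: check which ports/VLANs the mirror covers"
    elif counts["arp"]:
        verdict = "only ARP/broadcast seen: the SPAN/mirror is not delivering unicast traffic; not a Snort problem"
    else:
        verdict = "interface sees nothing: check link state, cabling and the mirror session"
    counts["verdict"] = verdict
    return counts
```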

