Re: No Events/Alerts Arriving in Snorby

[waldo kitty <wkitty42 () windstream net>]

On 9/12/2014 3:47 PM, Matt M. wrote:
> Second, I've added the following rule to my snort.conf
> alert ip any any -> any any (msg: "ICMP packet detected!"; sid: 1;)
>
> Then turned off my firewall and started a ping, but nothing happens in Snorby.

start at the beginning of the trail and follow it to the end...

1. is snort generating an alert?
2. is the alert being written to snort's u2(??) file?
3. is barnyard reading that u2(??) file?
4. is barnyard placing the alert into the database?
5. if #4 is yes, /what/ table is the alert placed in?
6. is snorby reading the same table?

if you are running these tools on separate machines, ensure that the time on the 
machines is synced properly... it is pretty easy for a few seconds difference to 
throw things off...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!