Snort mailing list archives

Re: mail regarding snort 3


From: Divyanshu Banerjee via Snort-users <snort-users () lists snort org>
Date: Sat, 15 Dec 2018 13:20:06 +0530

Thanks for the tip!

On Fri, Dec 14, 2018 at 7:43 PM Noah Dietrich <noah_dietrich () 86penny org>
wrote:

The command you are running looks correct (I have verified that you can
use the -R flag to load multiple rules files). You should scroll up
through the output when you start snort to see how many rules you are
loading to make sure snort is loading all the rules correctly.
The next question is how you know the rules aren't working? If you are
getting ICMP alerts (I assume you have a rule in your local.rules file to
detect ICMP traffic), it is possible that snort is not seeing any traffic
that triggers any of the rules in the community-rules file.

On Fri, Dec 14, 2018 at 12:01 AM Divyanshu Banerjee <divyanshubanerjee1 () gmail com> wrote:

Thanks, I'll check it out.
I am using the command to use both the community rules and the local rules, plus I
have used port mirroring to receive the packets on my snort machine:
( sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/local.rules -R /usr/local/etc/snort/rules/snort3-community.rules -i eth0 -A alert_csv -s 65535 -k none -l /var/log/snort )


On Thu, Dec 13, 2018 at 11:52 PM Noah Dietrich <noah_dietrich () 86penny org>
wrote:

If you are only seeing alerts generated by ICMP packets, then it sounds
like either you only have a single rule enabled detecting ICMP packets, or
your traffic is not triggering any other alerts. When you start snort, if
you scroll up through the output it will tell you how many rules it has
loaded. Here is an example of the number of rules loaded (829 rules) if you
use the basic community rules:

...
Loading rules:
Loading /usr/local/etc/snort/rules/snort3-community.rules:
Finished /usr/local/etc/snort/rules/snort3-community.rules.
Finished rules.
--------------------------------------------------
rule counts
total rules loaded: 829
text rules: 829
option chains: 829
chain headers: 46
--------------------------------------------------


If you provide the command you are using to run snort with its output,
the rule files you are using, and your snort.lua file it would be easier to
identify where the problem is.

Noah



On Thu, Dec 13, 2018 at 12:25 PM Patrick Mullen (pamullen) via Snort-users <snort-users () lists snort org> wrote:

Make sure that you are running snort as root and/or have permission to
put the interface into promiscuous mode.

Thanks,

~Patrick

From: Divyanshu Banerjee <divyanshubanerjee1 () gmail com>
Date: Thursday, December 13, 2018 at 6:19 AM
To: <snort-users () lists snort org>
Subject: [Snort-users] mail regarding snort 3



Dear member,

I am using Snort 3, but I am only receiving the list of ICMP packets and no
other packets are shown, plus it is not showing TCP alerts.

Thanks,

Divyanshu
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette


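Added example, not code from the thread or from the Snort project: a small POSIX shell helper that does mechanically what Noah suggests, i.e. check the "rule counts" block Snort 3 prints at startup to confirm that every rules file passed with -R was actually parsed, before concluding that the rules do not work. It assumes the snort.lua and rules paths used in the thread, and uses Snort 3's -T option, which validates the configuration and rules and exits without sniffing. The startup output it parses in the test is constructed for the example (the counts 830 and 47 are made up, as is the second "Finished" line for local.rules); it is not copied from a real run.

```shell
#!/bin/sh
# Added example (not from the thread): verify that Snort 3 loaded every -R
# rules file by parsing the "rule counts" block from its startup output.
# Paths are the ones used in the thread; adjust for your install.
SNORT_CONF=/usr/local/etc/snort/snort.lua
RULES='/usr/local/etc/snort/rules/local.rules /usr/local/etc/snort/rules/snort3-community.rules'

# Constructed sample of Snort 3 startup output, same shape as the block
# quoted in the thread; the numbers are made up for this example.
SAMPLE_OUTPUT='Loading rules:
Loading /usr/local/etc/snort/rules/local.rules:
Finished /usr/local/etc/snort/rules/local.rules.
Loading /usr/local/etc/snort/rules/snort3-community.rules:
Finished /usr/local/etc/snort/rules/snort3-community.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 830
               text rules: 830
            option chains: 830
            chain headers: 47
--------------------------------------------------'

# Read Snort startup output on stdin; print the "total rules loaded" number
# (prints nothing if the block is absent, e.g. snort died before loading rules).
total_rules_loaded() {
    sed -n 's/.*total rules loaded:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Read Snort startup output on stdin; print how many rules files reached
# their "Finished <file>." line. grep -c prints 0 with exit 1, hence || true.
rules_files_finished() {
    grep -c 'Finished .*\.rules\.$' || true
}

# check_rules_output EXPECTED_FILES MIN_RULES   (Snort output on stdin)
# Succeeds only if every -R file finished loading and the total meets MIN_RULES.
check_rules_output() {
    _out=$(cat)
    _total=$(printf '%s\n' "$_out" | total_rules_loaded)
    _files=$(printf '%s\n' "$_out" | rules_files_finished)
    [ "${_total:-0}" -ge "$2" ] && [ "${_files:-0}" -eq "$1" ]
}

# Real run: build one -R argument per file, then let -T validate the config
# and rules and exit, so this does not need the capture interface at all.
snort_config_test() {
    set --
    for f in $RULES; do set -- "$@" -R "$f"; done   # unquoted on purpose: split on spaces
    sudo snort -c "$SNORT_CONF" "$@" -T 2>&1
}

if command -v snort >/dev/null 2>&1; then
    # Two rules files; expect at least the 829 community rules plus one local rule.
    if snort_config_test | check_rules_output 2 830; then
        echo "rules loaded OK"
    else
        echo "rule load problem: re-check the -R paths and the Loading/Finished lines" >&2
    fi
fi
```

If the check passes and you still only see ICMP alerts on a live run, the rules are fine and the question moves to what traffic actually reaches the mirror port; if the check fails with a short "Loading rules:" block, look for a parse error or a wrong -R path just above it in the same output. Note that -T does not exercise Patrick's point: a live run still needs root or equivalent capability to put the interface into promiscuous mode.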