Re: [Snort-users] oh, come on



#1  09-26-2003
Shawn Truax
Re: [Snort-users] oh, come on

Assuming everything is working and installed properly, I would recommend checking two things. One, run a tcpdump on the interface that Snort is running on to make sure that there is traffic for Snort to process. I have done this myself a couple of times when I have had multiple interfaces and set the wrong one by mistake.

Two, I would make sure you have Snort rules turned on. Snort might be processing the data but there are no rules set for it to trigger on, or there is just no traffic triggering the rules. Some days one of my sensors will go for hours without a rule trigger just because the traffic does not contain anything I am looking for. What I do is create a rule that triggers on all traffic:

alert ip any any -> any any (msg:"Test Rule"; sid:1234567;)

Turn the rule on and let Snort run. See if you are getting alerts, and if you are, turn the rule back off. Warning: don't let this rule run for very long or unattended; it will fill up your database and hard drive fast if you forget about it.

If everything above turns out OK, check your connection to the database. Off the top of my head I am not too sure where everything is located to do this. I believe Red Hat puts error messages in the messages log file if there are problems; check there. You can use the mysqladmin ping command to make sure the database is running.

Oh, and make sure you have set the output plug-in properly for Snort. It should look something like this:

output database: alert, mysql, user=[database_login] password=[database_password] dbname=[database_name] host=[ip_of_database_computer] port=3306 sensor_name=[insert_sensor_name_here] detail=full

Hope this helps some or at least gets you started.

Shawn


>>> "Raymond Norton" <admin@lctn.org> 09/24/03 02:27pm >>>

Being the novice I am with compiling and diagnosing errors, I was really proud of myself when I followed the Red Hat 9.0 install docs and got everything working. httpd, mysql, and snort are all running without complaint. I pulled up the nice ACID page and commenced to do a port scan, but snort does not respond to it. My page stays the same (0 hits). I looked over the FAQ to see what might be there, and verified that I have everything set right. I substituted "log" with "alert" in the snort.conf without any luck.

Any idea what I should be looking at to diagnose the problem?

Raymond




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...=snort-users

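The checks Shawn lists above, collected into one script. This is an added example and not code from the original thread or from the Snort project; the interface name, config and rules paths and database settings are placeholders, and the functions `rule_header_ok`, `make_test_rule`, `check_traffic`, `run_test_rule` and `check_db` are mine. The test rule it writes adds the protocol field the posted rule omits (Snort will not load a header without one) and a `threshold` rule option so a forgotten test rule cannot flood the database; that option is the rule-option form of event thresholding, later deprecated in Snort 2 in favour of event_filter in threshold.conf but still accepted.

```shell
#!/bin/sh
# Added example, not from the original thread. Walks the checks from the reply
# above: traffic on the sniffing interface, a catch-all test rule, the
# database connection, and the output plug-in line. Every setting below is a
# placeholder (assumption); adjust for your sensor.

IFACE="${IFACE:-eth0}"                              # interface Snort sniffs
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
TEST_RULES="${TEST_RULES:-/etc/snort/test.rules}"
DB_HOST="${DB_HOST:-127.0.0.1}"
DB_USER="${DB_USER:-snort}"

# Sanity-check a Snort 2 rule header: action proto src sport dir dst dport.
# The posted rule ("alert any any -> any any ...") has no protocol field and
# Snort refuses to load it; this catches that before you restart the sensor.
rule_header_ok() {
    hdr="${1%%\(*}"                  # drop the option block "(...)"
    set -- $hdr                      # split the header on whitespace (unquoted on purpose)
    [ "$#" -eq 7 ] || return 1
    case "$2" in ip|tcp|udp|icmp) ;; *) return 1 ;; esac
    case "$5" in '->'|'<>') ;; *) return 1 ;; esac
    return 0
}

# Catch-all test rule. "ip" matches every IP packet; the threshold option caps
# output at one alert per source address per minute so the rule cannot fill
# the database if it is left in place by mistake (the warning in the reply).
make_test_rule() {
    sid="${1:-1234567}"
    printf 'alert ip any any -> any any (msg:"Test Rule"; threshold:type limit, track by_src, count 1, seconds 60; sid:%s; rev:1;)\n' "$sid"
}

# Step 1: is there anything on the interface at all? The wrong interface on a
# multi-homed box is the classic cause of a silent sensor.
check_traffic() {
    echo "== first 20 packets on $IFACE (silence here means Snort sees nothing) =="
    tcpdump -n -i "$IFACE" -c 20
}

# Step 2: install the test rule, let Snort validate the config (-T), then run
# with alerts on the console so you see hits without going through the DB.
# Remove the include line again once you have seen alerts.
run_test_rule() {
    make_test_rule > "$TEST_RULES"
    rule_header_ok "$(cat "$TEST_RULES")" || { echo "bad rule header" >&2; return 1; }
    grep -q "^include $TEST_RULES" "$SNORT_CONF" || echo "include $TEST_RULES" >> "$SNORT_CONF"
    snort -T -c "$SNORT_CONF" -i "$IFACE" && snort -c "$SNORT_CONF" -i "$IFACE" -A console
}

# Step 3: database side. mysqladmin prompts for the password (-p with no
# value) rather than taking it on the command line where ps would show it.
# Then show the output plug-in line Snort will use, and the tail of syslog,
# where Red Hat collects the daemons' error messages.
check_db() {
    mysqladmin -h "$DB_HOST" -u "$DB_USER" -p ping        # expect "mysqld is alive"
    grep '^output database:' "$SNORT_CONF"
    grep -i -E 'snort|mysql' /var/log/messages | tail -n 20
}

case "${1:-}" in
    traffic) check_traffic ;;
    rule)    run_test_rule ;;
    db)      check_db ;;
    lint)    shift; rule_header_ok "$*" && echo "header ok" || echo "bad header" ;;
esac
```

Run it as `sh snortcheck.sh traffic`, then `rule`, then `db`, in that order; `sh snortcheck.sh lint 'alert ip any any -> any any (msg:"x"; sid:1;)'` checks a rule header without touching the sensor. The `output database:` line carries the database password in clear text, so keep snort.conf readable only by the account Snort runs as.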