
[Snort-users] Snort 1.8.7 does not log anything (OS: SuSE 8.1)



Posted 12-10-2003
Ralf Mellis

Hello,

I'm very confused. I have set up Snort 1.8.7 on a test box successfully
(SuSE Linux 8.1). If I run an nmap tcp scan from another box against the
snort box, snort logs several events to the file
"/var/log/snort/alert", as expected. Having tested things out this way, I
have set up snort in exactly the same manner on my production box (SuSE
8.1, too). But here, snort does not log anything. If I do an nmap tcp
scan against this box, there are absolutely no entries in the alert
file. I have compared the configuration files and the start scripts:
They are identical (no wonder, the same system...).
The nmap scan is detected by the firewall (iptables) and scanlogd
(exactly as on my test box). Although snort "sees" the packets
even when the firewall is active, I have also tested the nmap scan with my
firewall deactivated, but there was no change in behaviour; nothing is logged.
The only difference (but I'm not sure whether this is relevant) is:
The test box located in my home network has an ip (eth0) of
192.168.0.42/24. The production box is a root server directly connected
to the internet, so the ip is xxx.xxx.xxx.xxx/32.
Is it possible that this fact produces the misbehaviour?

My relevant "snort.conf" entries (not modified by myself at this time;
these are the system defaults):

var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET $HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH ./
var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 1521
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
include classification.config
include $RULE_PATH/bad-traffic.rules
include ...

According to the snort FAQ 3.7, the variable $eth0_ADDRESS will be set
to the ip/netmask of the interface snort is listening on...
Snort is invoked on my system as:

/usr/bin/snort -d -D -i eth0 -l /var/log/snort -u snort -g snort -c
/etc/snort/snort.conf

And eth0 is the active interface of my server.
(In addition I have tested the "-p" switch, also without success.
Snort starts up without errors, as shown in the system log, but
does not log anything.)

Where is my mistake?

Regards from (cold) Germany
Ralf Mellis

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
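The thread leaves Ralf's question open. The following is an added example, not code from the post or from the Snort project, that models how the two snort.conf variables he quotes (`var HOME_NET $eth0_ADDRESS` and `var EXTERNAL_NET $HOME_NET`) resolve on a /24 interface versus a /32 interface, and then evaluates the address part of the header used by most stock Snort rules, `$EXTERNAL_NET any -> $HOME_NET any`, against a scan from another host. The interface addresses and scanner addresses are constructed (the production address is a documentation-range placeholder, since the post redacts it); `$eth0_ADDRESS` is modelled as the interface's ip/netmask exactly as the post describes it. The `"!$HOME_NET"` and `"any"` alternatives for EXTERNAL_NET are standard snort.conf syntax and are included for comparison.

```python
import ipaddress

# Constructed sample inputs. The production address is a placeholder from the
# TEST-NET-3 documentation range; the post redacts it as xxx.xxx.xxx.xxx/32.
TEST_BOX_ETH0 = "192.168.0.42/24"
PROD_BOX_ETH0 = "203.0.113.10/32"
LAN_SCANNER = "192.168.0.7"        # another host on the home network
INTERNET_SCANNER = "198.51.100.5"  # some host elsewhere on the internet


def eth0_address(ip_with_prefix):
    """Model of Snort's $eth0_ADDRESS: the interface's ip/netmask, which a
    rule header treats as the network block containing that address."""
    return ipaddress.ip_network(ip_with_prefix, strict=False)


def resolve_vars(ip_with_prefix, external_net="$HOME_NET"):
    """Resolve the two variables from the post's snort.conf:
         var HOME_NET $eth0_ADDRESS
         var EXTERNAL_NET $HOME_NET
    external_net may be "$HOME_NET" (the posted value), "!$HOME_NET" or "any".
    Each variable becomes (network-or-None, negated); None means 'any'."""
    home = eth0_address(ip_with_prefix)
    if external_net == "any":
        ext = (None, False)
    elif external_net == "!$HOME_NET":
        ext = (home, True)
    elif external_net == "$HOME_NET":
        ext = (home, False)
    else:
        raise ValueError("unsupported EXTERNAL_NET value: %r" % external_net)
    return {"HOME_NET": (home, False), "EXTERNAL_NET": ext}


def addr_matches(addr, spec):
    """Does addr fall inside a resolved variable (honouring 'any' and '!')?"""
    net, negated = spec
    if net is None:
        return True
    hit = ipaddress.ip_address(addr) in net
    return (not hit) if negated else hit


def header_matches(src, dst, variables):
    """Evaluate the address part of the header shared by most stock rules,
         alert tcp $EXTERNAL_NET any -> $HOME_NET any
    for a packet src -> dst. The port parts are 'any', so only addresses matter."""
    return (addr_matches(src, variables["EXTERNAL_NET"])
            and addr_matches(dst, variables["HOME_NET"]))


def scan_would_alert(eth0, scanner, external_net="$HOME_NET"):
    """Would a packet from scanner to the sensor's own address pass the
    header of a stock $EXTERNAL_NET -> $HOME_NET rule?"""
    sensor_ip = str(ipaddress.ip_interface(eth0).ip)
    return header_matches(scanner, sensor_ip, resolve_vars(eth0, external_net))


if __name__ == "__main__":
    for label, eth0, scanner in (("test box", TEST_BOX_ETH0, LAN_SCANNER),
                                 ("production box", PROD_BOX_ETH0, INTERNET_SCANNER)):
        for ext in ("$HOME_NET", "!$HOME_NET", "any"):
            v = resolve_vars(eth0, ext)
            print("%-14s EXTERNAL_NET=%-10s HOME_NET=%-18s scan from %s passes header: %s"
                  % (label, ext, v["HOME_NET"][0], scanner,
                     scan_would_alert(eth0, scanner, ext)))
```

With EXTERNAL_NET aliased to HOME_NET, a stock rule header can only be satisfied by a source address that lies inside HOME_NET. On the /24 test box the neighbouring scanner qualifies; on a /32 HOME_NET contains only the sensor itself, so no outside host can satisfy the `$EXTERNAL_NET` side and those rules never fire, regardless of iptables or `-p`. Whether this is what happened on Ralf's production box is not confirmed by the thread, but the check is cheap: set `var EXTERNAL_NET any` or `var EXTERNAL_NET !$HOME_NET` in snort.conf, restart snort, and repeat the scan.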