RE: [Snort-users] Snort re-setup issues (discussion in the Snort forums, System Security and Security Related category)
Hi Greg,

Can you put a copy of your snort.conf up to look at? As well, try running a tcpdump on your interface (eth0) to see if traffic is being captured. It seems from your email here you are not sure if snort is actually seeing traffic.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107

-----Original Message-----
From: Greg Webster [mailto:greg@intouch.ca]
Sent: April 27, 2004 5:53 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort re-setup issues

Heya,

Maybe I just need to bounce this off someone for a sanity check...advice would be great.

Our old SNORT box completely died, so I was unable to get the config file from there to make this easy.

The real problem now is that it's not logging anything coming in. /var/log/snort/alert is empty.

Here's some quick facts to hopefully narrow down the solution:
- Snort box IP address: 192.168.42.51 on eth0
- eth0 is set to promiscuous mode
- Snort is listening to 64.69.xxx.xxx/27
- The log files are created and appropriate permissions are given (/var/log/snort)
- I've tried to change Snort to listen to 192.168.42.0/24, and portscanning from another box in that network, but Snort didn't log it.
- The box is behind two switches...

I haven't seen a solution in my searching...any thoughts on where to go next?

Thanks,

Greg
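The following is an added example, not from this thread and not Snort project tooling. It turns Shawn's suggestion (confirm with tcpdump that eth0 actually receives traffic) and the facts in Greg's message (promiscuous mode, HOME_NET, a sensor sitting behind two switches) into a small POSIX shell diagnostic. The capture lines, the `ip link` flag line and the snort.conf fragment are constructed text in the formats tcpdump and iproute2 print; only the sensor address 192.168.42.51 and the 192.168.42.0/24 HOME_NET come from Greg's message. All function names are my own.

```shell
#!/bin/sh
# Added sensor-visibility check (example only, not from the thread).
# Three questions: is the interface promiscuous, does it receive any
# traffic between OTHER hosts, and does HOME_NET cover those hosts?
# Assumes tcpdump's default "-n" one-line output and iproute2's
# "ip link show" flag syntax, both consumed here as plain text.

# Constructed capture, as `tcpdump -n -i eth0` would print it. Every IP
# packet has the sensor (192.168.42.51) as an endpoint; the only other
# frame is a broadcast ARP. This is what a plain switch port delivers.
SAMPLE_DUMP='12:00:01.000001 IP 192.168.42.10.34567 > 192.168.42.51.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 192.168.42.51.22 > 192.168.42.10.34567: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:02.000001 ARP, Request who-has 192.168.42.1 tell 192.168.42.51, length 28
12:00:03.000001 IP 192.168.42.20 > 192.168.42.51: ICMP echo request, id 1, seq 1, length 64'

# Constructed "ip link show eth0" line (flag list as iproute2 prints it).
SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT qlen 1000'

# Constructed snort.conf fragment using the value Greg said he tried.
SAMPLE_CONF='var HOME_NET 192.168.42.0/24
var EXTERNAL_NET any'

# is_promisc <ip-link-line>: succeed if PROMISC is among the <...> flags.
is_promisc() {
    printf '%s\n' "$1" | grep -q '[<,]PROMISC[,>]'
}

# foreign_packets <sensor-ip> <dump-text>: count IP packets where neither
# endpoint is the sensor. Zero means the switch only delivers the sensor's
# own unicast plus broadcasts; promiscuous mode cannot change that, a
# SPAN/mirror port or a tap can.
foreign_packets() {
    printf '%s\n' "$2" | awk -v me="$1" '
        function host(x,  a, n) {        # "10.0.0.1.443:" -> "10.0.0.1"
            sub(/:$/, "", x)
            n = split(x, a, ".")
            if (n == 5) return a[1] "." a[2] "." a[3] "." a[4]
            return x
        }
        $2 == "IP" && host($3) != me && host($5) != me { c++ }
        END { print c + 0 }'
}

# home_net <conf-text>: print the HOME_NET value from a snort.conf.
home_net() {
    printf '%s\n' "$1" | awk '$1 == "var" && $2 == "HOME_NET" { print $3; exit }'
}

# ip2int <dotted-quad>: decimal form for mask arithmetic.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr <ip> <cidr>: succeed if <ip> lies inside <cidr> ("any" matches all).
in_cidr() {
    [ "$2" = "any" ] && return 0
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32           # bare address, no prefix length
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# diagnose: run the checks over the samples; returns the number that failed.
diagnose() {
    fails=0
    if is_promisc "$SAMPLE_LINK"; then echo "eth0: promiscuous mode on"
    else echo "eth0: NOT promiscuous"; fails=$((fails + 1)); fi

    seen=$(foreign_packets 192.168.42.51 "$SAMPLE_DUMP")
    if [ "$seen" -gt 0 ]; then echo "eth0: sees $seen packet(s) between other hosts"
    else echo "eth0: sees only its own traffic; check switch SPAN/mirror or tap"; fails=$((fails + 1)); fi

    hn=$(home_net "$SAMPLE_CONF")
    if in_cidr 192.168.42.10 "$hn"; then echo "HOME_NET $hn covers the scanning host"
    else echo "HOME_NET $hn does not cover the hosts you expect alerts for"; fails=$((fails + 1)); fi
    return $fails
}

diagnose
echo "failed checks: $?"
```

On the constructed sample the promiscuous and HOME_NET checks pass and the visibility check fails, which is the situation Greg describes: with the sensor on an ordinary port behind two switches, eth0 only ever sees frames addressed to 192.168.42.51 plus broadcasts, so a port scan between two other hosts never reaches Snort regardless of promiscuous mode or HOME_NET. On a real box, replace the three SAMPLE_ values with the output of `tcpdump -n -i eth0`, `ip link show eth0` and the live snort.conf.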