RE: [Snort-users] Snort re-setup issues
Thanks, but we got it solved. It ended up being a problem with the
switch and not having the server on the right vlan to listen to the
traffic properly :)

Cheers,

Greg

On Tue, 2004-04-27 at 17:32, Truax, Shawn (MBS) wrote:
> Hi Greg,
>
> Can you put a copy of your snort.conf up to look at? As well, try
> running a tcpdump on your interface (eth0) to see if traffic is being
> captured. It seems from your email here you are not sure if snort is
> actually seeing traffic.
>
> Shawn Truax
> Security Specialist
> Corporate Security
> 155 University Ave.
> Toronto, Ontario
> M5H 3B7
> (416)327-1107
>
>
> -----Original Message-----
> From: Greg Webster [mailto:greg@intouch.ca]
> Sent: April 27, 2004 5:53 PM
> To: snort-users@lists.sourceforge.net
> Subject: [Snort-users] Snort re-setup issues
>
>
> Heya,
>
> Maybe I just need to bounce this off someone for a sanity
> check...advice would be great.
>
> Our old SNORT box completely died, so I was unable to get the config
> file from there to make this easy.
>
> The real problem now is that it's not logging anything coming in.
> /var/log/snort/alert is empty.
>
> Here are some quick facts to hopefully narrow down the solution:
> - Snort box IP address: 192.168.42.51 on eth0
> - eth0 is set to promiscuous mode
> - Snort is listening to 64.69.xxx.xxx/27
> - The log files are created and appropriate permissions are given
>   (/var/log/snort)
> - I've tried to change Snort to listen to 192.168.42.0/24, and
>   portscanning from another box in that network, but Snort didn't log
>   it.
> - The box is behind two switches...
>
> I haven't seen a solution in my searching...any thoughts on where to
> go next?
>
> Thanks,
>
> Greg
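The tcpdump check suggested in the thread, as an added example that is not part of the original messages: it classifies `tcpdump -nn -q` output to tell a sensor that only sees its own and broadcast traffic (the wrong-VLAN or unmirrored switch port case) from one that sees other hosts' traffic. The function names and sample lines are constructed for illustration; 203.0.113.x and 198.51.100.x are documentation addresses standing in for a monitored range.

```shell
#!/bin/sh
# classify_capture SENSOR_IP   (reads `tcpdump -nn -q` text on stdin)
# Live use (assumed invocation, needs root):
#   tcpdump -nn -q -i eth0 -c 200 2>/dev/null | classify_capture 192.168.42.51
classify_capture() {
    awk -v self="$1" '
        # Reduce "a.b.c.d.port:" or "a.b.c.d:" to "a.b.c.d".
        function host(f,   p) {
            sub(/:$/, "", f)
            split(f, p, ".")
            return p[1] "." p[2] "." p[3] "." p[4]
        }
        $2 == "IP" {
            total++
            src = host($3); dst = host($5)
            if (src == self || dst == self) own++
            # Heuristic: limited/.255 broadcast and 224-239 multicast reach
            # every port on the VLAN, so they prove nothing about mirroring.
            else if (dst ~ /\.255$/ || dst ~ /^(22[4-9]|23[0-9])\./) flood++
            else transit++
        }
        END {
            if (total == 0)        verdict = "no-traffic"
            else if (transit == 0) verdict = "own-or-broadcast-only"
            else                   verdict = "transit-seen"
            printf "%s total=%d own=%d flood=%d transit=%d\n",
                   verdict, total, own, flood, transit
        }'
}

# Constructed sample: sensor port on the wrong VLAN / not mirrored.
sample_wrong_vlan() { cat <<'EOF'
17:32:01.000101 IP 192.168.42.10.51000 > 192.168.42.51.22: tcp 0
17:32:01.000350 IP 192.168.42.51.22 > 192.168.42.10.51000: tcp 36
17:32:02.104000 ARP, Request who-has 192.168.42.1 tell 192.168.42.10, length 46
17:32:03.220000 IP 192.168.42.10.138 > 192.168.42.255.138: UDP, length 201
EOF
}

# Constructed sample: sensor port receives other hosts' traffic.
sample_mirrored() { cat <<'EOF'
17:40:10.000200 IP 198.51.100.7.40112 > 203.0.113.20.80: tcp 0
17:40:10.000900 IP 203.0.113.20.80 > 198.51.100.7.40112: tcp 0
17:40:11.500000 IP 192.168.42.10 > 192.168.42.51: ICMP echo request, id 1, seq 1, length 64
EOF
}

sample_wrong_vlan | classify_capture 192.168.42.51
sample_mirrored   | classify_capture 192.168.42.51
```

A verdict of `own-or-broadcast-only` with promiscuous mode already set points at the switch side (VLAN membership or port mirroring) rather than at snort.conf.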