This is a discussion on RE: [Snort-users] No alert detection on alert console within the Snort forums, part of the System Security and Security Related category.
Subject: RE: [Snort-users] No alert detection on alert console

Hi,

First thing I would recommend is to make sure there is traffic reaching your sniffing port. Run TCPDUMP on this interface to make sure there is traffic for Snort to work on. Next run Snort and have it display the alerts to the screen so you can see if it is actually alerting. (Check the manual for the settings required to do this.) If Snort is generating alerts, check to see if you have all your database info set up properly with passwords and privileges. If your database is set up properly, run TCPDUMP on the database listener interface to see if your Snort Sensor is trying to connect to it. Check these things first and correct any problems. If this is all working and you are still having issues, post up your config files for a look see.

Whenever there is a problem you should always start at the beginning where a packet arrives and work your way logically through the system at each stage to see if the information is getting passed on.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107

-----Original Message-----
From: Naveen C Joshi [mailto:naveen_joshi@intersolutions.stpn.soft.net]
Sent: May 12, 2004 3:32 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] No alert detection on alert console

Hi All:

I have installed Snort-2.1 and ACID-0.9.6 on my REDHAT 9.0 by using the document "snort_enterprise.pdf" written by Steven J. Scott.

I have gone through the steps mentioned in the document and everything is working fine, but on my "alert console" there is no traffic/alert detection. Even the TCP, UDP & ICMP traffic is 0%.

I have explored the database: there is no event in the event table and 1 sensor created in the sensor table. I have installed another snortcenter agent on another machine and configured the sensor for it in the management console. This sensor is also not in my sensor table.

My sensor & snort daemon are running properly. The snort database user has enough permissions on the DB.

Please suggest how I can resolve this problem.

Best Regards
Naveen
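The stage-by-stage check Shawn describes (traffic on the sniffing port, Snort alerting to the screen, database login and privileges, connection attempts reaching the database listener), written out as an added shell script; it is not code from the thread or from the Snort project. The interface names, the MySQL host, port, database and account, the snort.conf path and the use of GNU timeout are all assumptions; the console output used for the self-check is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check a Snort 2.x -> database -> ACID
# pipeline stage by stage, in the order the reply above gives. Assumed, not
# from the page: sniffing interface eth1, MySQL on 127.0.0.1:3306, GNU timeout.
IFACE="${IFACE:-eth1}"; SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
DB_IFACE="${DB_IFACE:-eth0}"; DB_HOST="${DB_HOST:-127.0.0.1}"
DB_PORT="${DB_PORT:-3306}"; DB_NAME="${DB_NAME:-snort}"
DB_USER="${DB_USER:-snort}"; DB_PASS="${DB_PASS:-changeme}"

# Stage 1: is any traffic reaching the sniffing port at all?
# tcpdump -c would wait forever on a dead span port, hence the timeout.
traffic_seen() {
  n=$(timeout "${1:-10}" tcpdump -nni "$IFACE" -c 20 2>/dev/null | wc -l)
  [ "$n" -gt 0 ]
}
# Count alert lines on stdin: every Snort console/fast alert carries "[**]".
count_alerts() { grep -c '\[\*\*\]' || true; }

# Stage 2: does Snort itself alert? Run it in the foreground with alerts
# printed to the screen (-A console) and count what it prints.
snort_alert_count() {
  timeout "${1:-30}" snort -q -c "$SNORT_CONF" -i "$IFACE" -A console \
    2>/dev/null | count_alerts
}
# Stage 3: can the sensor's database account log in and read the schema?
# A sensor that logs no events still registers itself in the sensor table.
db_login_ok() {
  mysql -h "$DB_HOST" -P "$DB_PORT" -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" \
    -e 'SELECT COUNT(*) AS events FROM event; SELECT sid, hostname FROM sensor;'
}
# Stage 4 (run on the database host): is the sensor trying to connect?
# Only SYNs to the listener port are counted, i.e. connection attempts.
db_connect_attempts() {
  timeout "${1:-30}" tcpdump -nni "$DB_IFACE" -c 5 \
    "tcp dst port $DB_PORT and tcp[tcpflags] & tcp-syn != 0" 2>/dev/null | wc -l
}
# Constructed sample of -A console output (local-rule SIDs, not real alerts).
SAMPLE_CONSOLE='05/12-03:32:01.000001  [**] [1:1000001:1] LOCAL test ping [**] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9
05/12-03:32:02.000002  [**] [1:1000002:1] LOCAL test dns [**] [Priority: 3] {UDP} 10.0.0.5:1025 -> 10.0.0.1:53'
sample_alert_count() { printf '%s\n' "$SAMPLE_CONSOLE" | count_alerts; }

# Walk the stages in order and stop at the first one that fails.
run_checks() {
  traffic_seen 10 || { echo "stage 1 FAIL: no packets on $IFACE"; return 1; }
  [ "$(snort_alert_count 30)" -gt 0 ] || { echo "stage 2 FAIL: snort raised no alerts"; return 1; }
  db_login_ok >/dev/null || { echo "stage 3 FAIL: database login or privileges"; return 1; }
  [ "$(db_connect_attempts 30)" -gt 0 ] || { echo "stage 4 FAIL: no connection attempts to $DB_HOST:$DB_PORT"; return 1; }
  echo "all stages ok"
}
if [ "${SNORT_CHECK:-0}" = 1 ]; then run_checks; fi
```

Run it as root on the sensor with `SNORT_CHECK=1` (stage 4 belongs on the database host, with `DB_IFACE` set to its listener interface); the first failing stage is where to look.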