This is a discussion on Re: [Snort-users] Acid shows sensors as 0 within the Snort forums, part of the System Security and Security Related category.
Use nmap or something to do a scan against the box or a short range of IPs on your network and see if snort detects anything.

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net <snort-users-admin@lists.sourceforge.net>
To: Kevin Johnson <kjohnson@secureideas.net>
CC: Snort Users <snort-users@lists.sourceforge.net>
Sent: Tue Nov 23 14:31:11 2004
Subject: Re: [Snort-users] Acid shows sensors as 0

Maybe that might be it. How can I test that it is really doing something?

On Tue, 23 Nov 2004 15:28:03 -0500, Kevin Johnson <kjohnson@secureideas.net> wrote:
> On Tue, 2004-11-23 at 15:21, Gentian Hila wrote:
>
> > The line that configures snort to connect in snort.conf is uncommented
> > and is like this:
> >
> > output database: log, mysql, user=snort password=******
> > dbname=snort host=localhost
> >
> > (****** is the password) and snort connects as snort user in Mysql
> > and db name in mysql is snort.
> >
> > I have an empty event table.
> >
> > mysql> select * from event;
> > Empty set (0.00 sec)
> >
> > My question is: when you set up snort and acid, is it supposed to work
> > normally or do you have to configure other stuff and rules? My guess
> > is that it should work, even though it might need to be tuned. But
> > that's another story.
>
> It should work normally. How long has Snort been running? I would have
> to guess that it hasn't seen anything that it considered something to
> alert on. Until it sees something, for example someone accessing a web
> server and trying to get cmd.exe, that your rules would fire on, it
> doesn't report anything for ACID/BASE to display.
>
> Kevin
> -------------------
> BASE Project Lead
> http://sourceforge.net/projects/secureideas
> http://base.secureideas.net
> The next step in IDS analysis!

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
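The check the reply suggests, as an added example that is not part of the thread and not Snort's, ACID's or BASE's own code: it counts rows in the ACID/BASE `sensor` and `event` tables, sends a request for cmd.exe (the traffic Kevin names as something the stock rules fire on) to a web server the sensor watches, falls back to the nmap scan suggested above, and re-counts events to tell you which part of the pipeline to look at next. The target web server address, the database credentials, the `mysql` CLI being available, and a portscan preprocessor being enabled for the nmap path are assumptions, not facts from the post.

```python
"""Smoke test for a Snort -> MySQL -> ACID/BASE pipeline.

Added example for this thread; not Snort's, ACID's or BASE's own code.
Assumptions not present in the original post: a web server on the
monitored segment at TARGET_HOST:TARGET_PORT, stock Snort web rules that
fire on "cmd.exe" in a request URI, a portscan preprocessor enabled in
snort.conf for the nmap variant, and a `mysql` CLI that can reach the
snort database with the credentials below.
"""
import os
import shutil
import socket
import subprocess
import time

DB_HOST = "localhost"       # matches the output database: line in the post
DB_USER = "snort"
DB_NAME = "snort"
DB_PASSWORD = "******"      # placeholder, exactly as the post masks it
TARGET_HOST = "192.0.2.10"  # assumed: a web server the sensor can see
TARGET_PORT = 80


def build_probe(host: str, path: str = "/scripts/cmd.exe?/c+dir") -> bytes:
    """HTTP/1.0 request whose URI contains cmd.exe, the example Kevin gives
    of traffic the stock rules fire on.  The target need not be IIS; only
    the request on the wire matters to the sensor."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def send_probe(host: str, port: int, timeout: float = 5.0) -> bool:
    """Deliver the probe; return False if the target is unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_probe(host))
            sock.recv(1024)  # reply is irrelevant; the request is what Snort saw
        return True
    except OSError:
        return False


def nmap_scan(host: str) -> bool:
    """The check suggested in the reply above: a TCP connect scan of low
    ports, which a portscan preprocessor (if enabled) should report."""
    if shutil.which("nmap") is None:
        return False
    return subprocess.run(["nmap", "-sT", "-p", "1-1024", host],
                          capture_output=True).returncode == 0


def parse_count(mysql_output: str) -> int:
    """Parse the integer printed by `mysql -N -B -e 'SELECT COUNT(*) ...'`."""
    lines = mysql_output.strip().splitlines()
    return int(lines[-1]) if lines and lines[-1].strip().isdigit() else 0


def count_rows(table: str) -> int:
    """COUNT(*) over one table of the ACID/BASE schema (sensor, event, ...).
    The password goes in MYSQL_PWD rather than on the command line so it
    does not show up in `ps` output for every other user on the box."""
    env = dict(os.environ, MYSQL_PWD=DB_PASSWORD)
    result = subprocess.run(
        ["mysql", "-N", "-B", "-h", DB_HOST, "-u", DB_USER, DB_NAME,
         "-e", f"SELECT COUNT(*) FROM {table}"],
        capture_output=True, text=True, env=env, check=True)
    return parse_count(result.stdout)


def diagnose(sensors: int, events_before: int, events_after: int) -> str:
    """Turn the three counts into the next thing to check."""
    if events_after > events_before:
        return "ok: the probe was logged; ACID/BASE should now list it"
    if sensors == 0:
        return ("no sensor row: confirm Snort is running with the database "
                "output line active and can log in to MySQL as the snort user")
    return ("sensor registered but no new event: the sensor did not see the "
            "probe (interface/SPAN port) or the matching rules are not loaded")


def main() -> None:
    sensors = count_rows("sensor")
    before = count_rows("event")
    if not send_probe(TARGET_HOST, TARGET_PORT):
        print(f"could not reach {TARGET_HOST}:{TARGET_PORT}; trying nmap instead")
        nmap_scan(TARGET_HOST)
    time.sleep(2)  # let the output plugin commit before re-counting
    print(diagnose(sensors, before, count_rows("event")))


if __name__ == "__main__":
    main()
```

Run it from a host on the monitored segment, not from the sensor itself: a request that never crosses the interface Snort is listening on proves nothing. If the event count grows but ACID still shows no sensors, the problem is on the console side (its own database settings), not in Snort.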