From: dawnshade <h-k@mail.ru>
Date: Fri, 12 Jul 2002 14:01:47 +0400
To: freebsd-security@freebsd.org
Subject: Re[4]: Snort problem.
Message-ID: <108568184025.20020712140147@mail.ru>
In-Reply-To: <1026465184.3d2e9da02c762@webmail.sambolian.net.nz>

Hello Andrew,

Friday, July 12, 2002, 1:13:04 PM, you wrote:

AT> Have you got any snort rules loaded? It will say that it has loaded x number of
AT> rules when it starts up. I have been caught out before when it has not logged
AT> anything, and it turned out that no rules were loaded.

AT> --Andy

AT> Quoting dawnshade:

>> Hello faSty,
>>
>> Friday, July 12, 2002, 9:38:45 AM, you wrote:
>>
>> f> Did you check /var/log/messages? Because -s means it goes directly to syslogd,
>> f> which sends it to /var/log/messages. It depends on what your syslogd.conf says;
>> f> unless it is the default syslogd.conf, then check /var/log/messages.
>>
>> f> My snort on a bridge looks like:
>> f> /usr/local/bin/snort -A full -D -e -d -s -i fxp1 -c /usr/local/etc/snort.conf
>>
>> f> -fasty
>>
>> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
>> >> I have a little problem:
>> >> I installed and configured snort (1.8.6 (Build 105)).
>> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
>> >>
>> >> But snort does nothing: it does not log or alert on scans, portscans, etc....
>> >>
>> >> Thanks all in advance.
>>
>> In syslog.conf I added these lines:
>>
>> LOG_ALERT /usr/log/snort.log
>> LOG_AUTHPRIV /usr/log/snort.log
>>
>> In messages there is only the snort start-up message:
>>
>> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
>> Jul 12 09:44:01 mx snort: Initializing daemon mode
>> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
>> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
>> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
>> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
>> Jul 12 09:44:01 mx snort: limit == 128
>> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
>> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
>>
>> No, snort "talks" only these lines:
>>
>> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
>> Jul 12 09:44:01 mx snort: Initializing daemon mode
>> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
>> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
>> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
>> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
>> Jul 12 09:44:01 mx snort: limit == 128
>> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
>> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running

-- 
Best regards,
dawnshade                            mailto:h-k@mail.ru
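Andy's check (did Snort actually load any rules?) can be applied to the syslog lines quoted above. The script below is an added example, not code from the thread or from the Snort project; it assumes Snort logs a line of the form "N Snort rules read..." at start-up, and the sample log lines are constructed from the messages quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: scan a syslog excerpt for Snort's
# start-up messages and report whether any rules were loaded, which is the
# first thing Andy's reply says to check. The sample log lines are constructed
# from the thread; the "N Snort rules read" wording is an assumption about
# Snort 1.x's start-up output, so adjust the pattern for your version.

# snort_startup_check FILE
# Exit status: 0 rules loaded, 1 no rules loaded, 2 Snort never finished starting.
snort_startup_check() {
    f="$1"
    if ! grep -q 'Snort initialization completed successfully' "$f"; then
        echo "snort did not finish initializing; look for an error in $f"
        return 2
    fi
    # -A/-s on the command line replace whatever output plugin snort.conf sets,
    # which matters when alerts turn up somewhere other than expected.
    if grep -q 'command line overrides rules file alert plugin' "$f"; then
        echo "note: -A/-s on the command line overrides the output plugin in snort.conf"
    fi
    # Pull the count out of a line like "mx snort: 1273 Snort rules read..."
    rules=$(sed -n 's/^.*snort[^:]*: *\([0-9][0-9]*\) Snort rules read.*$/\1/p' "$f" | tail -n 1)
    if [ -z "$rules" ] || [ "$rules" -eq 0 ]; then
        echo "no rules loaded: snort will capture traffic but never alert"
        return 1
    fi
    echo "ok: $rules rules loaded"
    return 0
}

# Constructed sample: the start-up lines from the thread, no rule count anywhere.
sample_no_rules() {
    cat <<'EOF'
Jul 12 09:44:01 mx snort: Initializing daemon mode
Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
EOF
}

# Constructed sample: the same start-up plus a rule-count line.
sample_with_rules() {
    sample_no_rules
    echo 'Jul 12 09:44:01 mx snort: 1273 Snort rules read...'
}

tmp="${TMPDIR:-/tmp}/snort_check.$$"
sample_no_rules > "$tmp";   snort_startup_check "$tmp" || :
sample_with_rules > "$tmp"; snort_startup_check "$tmp" || :
rm -f "$tmp"
```

Run it against the real /var/log/messages (or wherever syslog.conf sends Snort's facility) instead of the constructed samples; a "no rules loaded" result explains a Snort that starts cleanly but never alerts.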