Date: Fri, 12 Jul 2002 18:25:48 +0800
From: Calvin NG <calvinng@brel.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Snort problem.
Message-ID: <20020712102548.GH21554@brel.com>
In-Reply-To: <108568184025.20020712140147@mail.ru>
References: <60550254524.20020712090257@mail.ru> <20020712053845.GA89208@i-sphere.com> <29552793875.20020712094517@mail.ru> <1026465184.3d2e9da02c762@webmail.sambolian.net.nz> <108568184025.20020712140147@mail.ru>

Greetings,

I am assuming we are not talking about a switched network here, and that the
listen interface (cp0) can actually see all traffic.

Run it in tcpdump mode, and see that it really is collecting network data.

Or, deliberately run a probe/scan against host mx and see if snort generates
an alert.

Regards,
/calvin

lines with :> are quotes from dawnshade's email

:> Hello Andrew,
:>
:> Friday, July 12, 2002, 1:13:04 PM, you wrote:
:>
:> AT> Have you got any snort rules loaded? It will say that it has loaded x number of
:> AT> rules when it starts up. I have been caught out before when it has not logged
:> AT> anything, and it turned out that no rules were loaded.
:>
:>
:> AT> --Andy
:>
:>
:> >> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
:> >> >> I have a little problem:
:> >> >> install, configure snort (1.8.6 (Build 105)).
:> >> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full
:> >> -d -D -l /usr/log/snort
:> >> >>
:> >> >> But the snort does nothing: not log or alert scans, portscans,
:> >> >> etc....
:> >> >>
:> >> >> Thanks to all in advance.
:> >> >>
:> >> >>
:> >>
:>
:> No, snort "talks" only these lines:
:>
:> >> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
:> >> Jul 12 09:44:01 mx snort: Initializing daemon mode
:> >> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
:> >> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
:> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert
:> >> plugin!
:> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert
:> >> plugin!
:> >> Jul 12 09:44:01 mx snort: limit == 128
:> >> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
:> >> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully,
:> >> Snort running
:>