From owner-freebsd-security Fri Jul 12 3:25:55 2002
Date: Fri, 12 Jul 2002 18:25:48 +0800
From: Calvin NG <calvinng@brel.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Snort problem.
Message-ID: <20020712102548.GH21554@brel.com>
References: <60550254524.20020712090257@mail.ru> <20020712053845.GA89208@i-sphere.com> <29552793875.20020712094517@mail.ru> <1026465184.3d2e9da02c762@webmail.sambolian.net.nz> <108568184025.20020712140147@mail.ru>
In-Reply-To: <108568184025.20020712140147@mail.ru>
User-Agent: Mutt/1.4i

Greetings,

I am assuming we are not talking about a switched network here, and that
the listen interface (cp0) can actually see all traffic.

Run it in tcpdump mode, and see that it really is collecting network data.
Or, deliberately run a probe/scan against host mx and see if snort
generates an alert.

Regards,
/calvin

lines with :> are quotes from dawnshade's email

:> Hello Andrew,
:>
:> Friday, July 12, 2002, 1:13:04 PM, you wrote:
:>
:> AT> Have you got any snort rules loaded? it will say that it has loaded x number of
:> AT> rules when it starts up. I have been caught out before when it has not logged
:> AT> anything, and it turned out that no rules were loaded.
:> AT> --Andy
:>
:> >> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
:> >> >> I have a little problem:
:> >> >> install, configure snort (1.8.6 (Build 105)).
:> >> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
:> >> >>
:> >> >> But the snort does nothing: not log or alert scans, portscans, etc....
:> >> >>
:> >> >> thanks all in advance.
:>
:> No, snort "talks" only these lines:
:>
:> >> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
:> >> Jul 12 09:44:01 mx snort: Initializing daemon mode
:> >> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
:> >> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
:> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
:> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
:> >> Jul 12 09:44:01 mx snort: limit == 128
:> >> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
:> >> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
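The thread narrows a silent sensor down to three questions: does the interface see packets at all (Calvin's tcpdump-mode check), does Snort fire on a known event, and, Andy's point, were any rules loaded in the first place. The quoted startup log never prints a rule count, and the two "command line overrides rules file alert plugin!" warnings only mean that `-A full` on the command line replaced the `output` directive in snort.conf, which is expected and not an error. The POSIX shell script below is an added example, not code from this thread or from the Snort project; it automates the pre-flight half of the diagnosis on the sensor itself: it counts the rule signatures a Snort 1.x style snort.conf would load (its own rule lines plus one level of `include` files), warns about includes that do not exist, and checks that the directory handed to `-l` exists and is writable. The snort.conf and rules file it writes under a temporary directory are constructed for the demonstration; it assumes the Snort 1.8 conventions of `include $RULE_PATH/file` directives and rule lines beginning with alert, log or pass.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort project.
# Pre-flight checks for a silent Snort 1.x sensor: how many rules would be
# loaded, which includes are missing, and whether the -l log directory is usable.
# Assumption: Snort 1.8-style config with "include $RULE_PATH/file" directives
# and rule lines starting with alert/log/pass (constructed sample data below).

# count_rule_lines FILE : print the number of rule lines in FILE (0 if none)
count_rule_lines() {
    # grep -c exits 1 when the count is 0; keep the "0" it printed anyway
    grep -cE '^[[:space:]]*(alert|log|pass)[[:space:]]' "$1" || true
}

# count_snort_rules CONF : total rule lines in CONF plus one level of includes
count_snort_rules() {
    conf=$1
    dir=$(dirname "$conf")
    total=$(count_rule_lines "$conf")
    for inc in $(sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}//p' "$conf"); do
        # expand the conventional $RULE_PATH variable to the config's directory
        case $inc in
            '$RULE_PATH'/*) f=$dir/${inc#\$RULE_PATH/} ;;
            /*)             f=$inc ;;
            *)              f=$dir/$inc ;;
        esac
        if [ -f "$f" ]; then
            n=$(count_rule_lines "$f")
            total=$((total + n))
        else
            echo "warning: included rules file not found: $f" >&2
        fi
    done
    echo "$total"
}

# check_logdir DIR : succeed only if the directory given to snort -l is usable
check_logdir() {
    if [ -d "$1" ] && [ -w "$1" ]; then
        echo "log directory $1: ok"
        return 0
    fi
    echo "log directory $1: missing or not writable; snort cannot write alerts there" >&2
    return 1
}

# make_demo_config : write a constructed snort.conf plus one rules file into a
# fresh temporary directory and print that directory's path
make_demo_config() {
    d=$(mktemp -d)
    cat > "$d/snort.conf" <<'EOF'
# constructed snort.conf (not a real deployment)
var HOME_NET any
var RULE_PATH .
output alert_full: alert
include $RULE_PATH/local.rules
include $RULE_PATH/missing.rules
EOF
    cat > "$d/local.rules" <<'EOF'
# constructed rules file: two signatures, one comment, one blank line

alert tcp any any -> $HOME_NET 22 (msg:"constructed: inbound SSH SYN"; flags:S; sid:1000001; rev:1;)
log tcp any any -> $HOME_NET 80 (msg:"constructed: inbound HTTP"; sid:1000002; rev:1;)
EOF
    echo "$d"
}

# Demonstration on the constructed config; a real run would point at
# /usr/local/etc/snort/snort.conf and the directory passed to -l.
demo=$(make_demo_config)
echo "rules that would load from $demo/snort.conf: $(count_snort_rules "$demo/snort.conf")"
check_logdir "$demo" || true
check_logdir "$demo/no-such-dir" || true
rm -rf "$demo"
```

On the constructed input the count is 2 and one missing include is reported; a count of 0 against a real snort.conf explains a sensor that starts cleanly yet never alerts, which is exactly the failure Andy describes, and it is cheaper to check than sending test traffic at the box.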