[Snort-sigs] Only an empty Alert file :(

Dean Farwood dean_farwood at ...1143...
Sun Mar 11 18:40:34 EDT 2012



I'm running Snort (Build 121) on Ubuntu 11.10 with 3.0.0-16-generic


I have written the following rule called /etc/snort/rules/password.rules:


alert tcp any any <> any any (content:"password"; msg:"Potential Password Violation"; sid:11995522;)


My snort command is:

snort -dev -c /etc/snort/snort.conf -l /etc/snort/log2 -K ascii


I then transfer a file with the word "password" in it from the Linux system
to a Windows system using Samba. The packets are captured as evidenced by
the terminal display. The Windows system successfully authenticates to Samba
and the file can be viewed on the Windows system.


PROBLEM: No directories are created in the /etc/snort/log2 directory. Only
an empty "Alert" file appears.


If I run a command like:


snort -dev -l /etc/snort/log2 -K ascii


I get normal logging directories with IP address directory names etc.


This command also results in nothing in /etc/snort/log2 except the empty
alert file.

snort -dev -c /etc/snort/rules/password.rules -l /etc/snort/log2 -K ascii


REQUEST: Any help I can get to allow proper logging when using the -c option
would be much appreciated.
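An added example, not part of the original post or of Snort itself: a small checker for the shape of a single Snort rule line (five header fields after the action and protocol, plus the required msg and sid options). The two rule strings are constructed from the post; the parser is a deliberately simplified stand-in for Snort's own and does not handle bracketed IP lists or quoted semicolons.

```python
import re

# Constructed samples: the rule as posted (only four header fields after
# "alert tcp") and a corrected form with both source and destination ports.
POSTED_RULE = ('alert tcp any any <> any (content:"password"; '
               'msg:"Potential Password Violation"; sid: 11995522;)')
FIXED_RULE = ('alert tcp any any <> any any (content:"password"; '
              'msg:"Potential Password Violation"; sid:11995522; rev:1;)')

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}


def check_rule(rule):
    """Return a list of problems found in one rule line; [] means it looks sane."""
    problems = []
    # header is everything before the first "(", options are inside the parentheses
    m = re.match(r"^\s*(\S+)\s+(\S+)\s+(.*?)\s*\((.*)\)\s*$", rule, re.S)
    if not m:
        return ["rule is not of the form 'header ( options )'"]
    action, proto, rest, body = m.groups()
    if action not in ACTIONS:
        problems.append(f"unknown action '{action}'")
    if proto not in PROTOS:
        problems.append(f"unknown protocol '{proto}'")
    # after action and protocol Snort expects: src_ip src_port direction dst_ip dst_port
    fields = rest.split()
    if len(fields) != 5:
        problems.append(f"header has {len(fields)} fields after '{action} {proto}', "
                        "expected 5 (src_ip src_port direction dst_ip dst_port)")
    elif fields[2] not in DIRECTIONS:
        problems.append(f"direction must be -> or <>, got '{fields[2]}'")
    # options: "key:value;" pairs; simplified split, ignores ';' inside quotes
    opts = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts.setdefault(key.strip(), val.strip())
    for required in ("msg", "sid"):
        if required not in opts:
            problems.append(f"missing required option '{required}'")
    if "sid" in opts and not opts["sid"].isdigit():
        problems.append(f"sid must be numeric, got '{opts['sid']}'")
    return problems
```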