[Snort-users] Why does snort not always post to the x.x.x subdirectory?

Bill Pennington billp at ...56...
Thu Nov 2 10:28:40 EST 2000


Most likely you are not running snort with the -d switch to capture packet
contents.


----- Original Message -----
From: "Bob Fawcett" <bobf at ...739...>
To: <snort-users at lists.sourceforge.net>
Sent: Wednesday, November 01, 2000 1:28 PM
Subject: [Snort-users] Why does snort not always post to the x.x.x
subdirectory?


> I am brand new to snort.
> I have snort 1.6.3 running on an NT 4.0 workstation with a nearly
> stock copy of rules 10102k.
> I get an alert in the alert.ids file but no decode in net.net.subnet
> directory.  This only happens for a few rules, most of the rules create
> the subdirectory in the log directory as expected.
>
> A specific example:
> when this rule triggers
>  alert TCP !$HOME_NET any -> $HOME_NET 2301 (msg:"IDS244 -
> CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../"; )
> I get no subdirectory for the IP that triggered it. The IP is in my
> alerts.ids file. (The rules are all one line long - wrap is for email).
>
> Thanks for any help
>
> Bob F
> 80 FLT "The Original Road King"



