Martin Roesch roesch at ...421...
Mon Oct 2 15:01:31 EDT 2000

Emre wrote:
> Hello folks,
> This is my first post on snort-users, so bear with me :)
> I've installed snort on my firewall/NAT box a couple of days ago, and have been struggling
> ever since to get it to work correctly.  The OS is OpenBSD 2.7, I've turned off
> ipfilter, so right now it's just a normal box without any firewalling.  Snort
> compiled fine and installed okay (except that I had to manually create
> /var/log/snort).  Here is what I use to start snort:
> snort -c /etc/snort.rules -i xl0 -l /var/log/snort -A full -v -D

Yikes!  You shouldn't mix -v and -D, you're telling Snort to dump all packets
to the screen and then putting it in daemon mode!  How about running it in
plain mode for a bit to see if it's working or shutting down for some reason. 
Something like this:

snort -c /etc/snort.rules -i xl0 -A full

This will automatically log to /var/log/snort and dump any startup errors that
the program has right back to you.

You should also read the USAGE file!

> When I try to test snort, and see if it's even detecting any activity, nothing
> gets logged to /var/log/snort/alert.  I tried portscanning, connecting to POP3,
> trying the qpopper exploits, and asked friends to try something.  But snort
> logs nothing, or doesn't 'alert' at all.  When I take out -D and add -v for
> verbose, I can see traffic and such, so I'm sure it can see traffic passing
> through my ethernet.  I got the rule set from "Rules Database" from snort.org (I
> got about 800 rules, just for testing purposes).  Does anyone know why this is
> happening?  Any help is much appreciated...

Did you set the HOME_NET variable?


Martin Roesch
roesch at ...421...
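To illustrate the HOME_NET point above, here is a constructed minimal /etc/snort.rules for the Snort 1.x syntax of that era (an added example, not from the thread or the Snort distribution): the downloaded rules reference $HOME_NET, so the variable must be defined at the top of the file before any rule that uses it. The 192.168.1.0/24 network and the rule text are assumptions for illustration.

```conf
# /etc/snort.rules (constructed example, not the poster's file)
#
# HOME_NET must be defined before any rule that refers to $HOME_NET.
# The address range below is an assumption; use the network behind
# the NAT box (the xl0 side being watched).
var HOME_NET 192.168.1.0/24

# Example rule in the same style as the snort.org rules database:
# alert on an inbound TCP connection attempt to POP3 (110) on a host
# inside HOME_NET. Without the var line above, $HOME_NET is undefined
# and the rule set does not work as intended.
alert tcp any any -> $HOME_NET 110 (msg:"Inbound POP3 connection attempt"; flags:S;)
```

Start Snort in the foreground as suggested in the reply (snort -c /etc/snort.rules -i xl0 -A full) so any error in parsing this file is printed to the terminal instead of being lost behind -D.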

