[Snort-users] snort isn't doing anything

Joe McAlerney joey at ...155...
Fri Sep 29 20:22:51 EDT 2000


This is a common mistake with snort beginners (I did the same thing). 
When you use -D, alerts are logged to /var/log/snort.alert.  I'm not
aware of a way to override this.  Your specified logging directory
should still have the source address directories of the hosts that
produced the alerts.

-Joe M.

Emre wrote:
> Hello folks,
> This is my first post on snort-users, so bear with me :)
> I've installed snort on my firewall/NAT box a couple of days ago, and been struggling
> ever since to get it to work correctly.  The OS is OpenBSD 2.7, I've turned off
> ipfilter, so right now it's just a normal box without any firewalling.  Snort
> compiled fine and installed okay (except that I had to manually create
> /var/log/snort).  Here is what I use to start snort:
> snort -c /etc/snort.rules -i xl0 -l /var/log/snort -A full -v -D
> When I try to test snort, and see if it's even detecting any activity, nothing
> gets logged to /var/log/snort/alert.  I tried portscanning, connecting to POP3,
> trying the qpopper exploits, and asked friends to try something.  But snort
> logs nothing, or doesn't 'alert' at all.  When I take out -D and add -v for
> verbose, I can see traffic and such, so I'm sure it can see traffic passing
> through my ethernet.  I got the rule set from "Rules Database" from snort.org (I
> got about 800 rules, just for testing purposes).  Does anyone know why this is
> happening?  Any help is much appreciated...
> Cheers,
> Emre
