[Snort-users] Empty alert file, but big snort log and event database

Alain Tésio alain at ...2260...
Wed Jun 13 15:00:49 EDT 2001


Hi,

Here is the content of /var/log/snort:

20:05:45 root /var/log/snort #ls -l
total 1592
-rw-------    1 snort    snort         988 May 26 16:44 0526 at ...2261...
-rw-------    1 root     root           24 May 26 19:38 0526 at ...2262...
-rw-------    1 root     root           24 May 26 19:39 0526 at ...2263...
-rw-------    1 root     root           24 Jun  1 20:03 0601 at ...2264...
-rw-------    1 root     root          268 Jun  1 20:07 0601 at ...2265...
-rw-------    1 root     root           24 Jun  1 20:08 0601 at ...2266...
-rw-------    1 root     root           24 Jun  1 20:11 0601 at ...2267...
-rw-------    1 root     root          268 Jun  1 20:28 0601 at ...2268...
-rw-------    1 root     root      1587939 Jun 13 19:35 0609 at ...2269...
-rw-------    1 snort    snort           0 May 26 16:23 alert
-rw-------    1 snort    snort           0 May 26 16:23 portscan.log
-rw-------    1 snort    snort          24 May 26 16:24 snort-0526 at ...2270...

Snort is now running as root:
20:05:47 root /var/log/snort #ps -eaf | grep snort
root     29893     1  0 Jun09 ?        00:00:32 snort -c /etc/snort/snort.conf -D

Why is there nothing in the alert file?

I'm using the default configuration for Snort 1.6, installed from source on
Debian Linux 2.2.

The number of rows in each table of the MySQL database is:

data 13911 
detail 2 
encoding 3 
event 13935 
icmphdr 13906 
iphdr 13935 
opt 96 
sensor 1 
tcphdr 24 
udphdr 5 

The kinds of events are:

mysql> select distinct signature from event ;
+--------------------------------------------------------------------------+
| signature                                                                |
+--------------------------------------------------------------------------+
| ICMP Destination Unreachable (Communication Administratively Prohibited) |
| ICMP Destination Unreachable (Host Unreachable)                          |
| ICMP Destination Unreachable (Port Unreachable)                          |
| ICMP Echo Reply                                                          |
| ICMP Echo Request                                                        |
| ICMP Echo Request BSDtype                                                |
| ICMP Echo Request Windows                                                |
| ICMP Time-To-Live Exceeded in Transit                                    |
| ICMP traceroute                                                          |
| MISC source port 53 to <1024                                             |
| RPC portmap request rstatd                                               |
| SCAN Proxy attempt                                                       |
+--------------------------------------------------------------------------+
13 rows in set (0.54 sec)

I didn't find an answer to this question in the manuals: how can I get
more information from this data?

Thanks,
Alain
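A set of queries for pulling more out of that database, added here as an editor's example; this is not code from the post or from the Snort project. It assumes the column names of the Snort 1.x MySQL schema as I recall them (event: sid, cid, signature, timestamp; iphdr: ip_src, ip_dst stored as unsigned 32-bit integers, ip_proto; tcphdr: tcp_sport, tcp_dport; icmphdr: icmp_type, icmp_code; data: sid, cid) and MySQL's INET_NTOA(); check them against `DESCRIBE iphdr` before trusting the output. The MySQL of the period has no subqueries or UNION, so everything is done with joins and GROUP BY. Two of the queries double as a consistency check on the row counts in the post: icmphdr + tcphdr + udphdr = 13906 + 24 + 5 = 13935 = event = iphdr, and event minus data = 24 events that have no payload row. Separately, if snort.conf carries an `output database:` line for the alert facility, Snort 1.x sends alerts to that plugin instead of the text alert file, so an empty alert file is the expected result unless a second alert output such as `output alert_fast` is also configured.

```sql
-- Counts per signature, most frequent first.
SELECT signature, COUNT(*) AS n
FROM event
GROUP BY signature
ORDER BY n DESC;

-- One iphdr row per event, split by IP protocol number.
-- From the row counts in the post this should give
-- 1 (ICMP) 13906, 6 (TCP) 24, 17 (UDP) 5.
SELECT ip_proto, COUNT(*) AS n
FROM iphdr
GROUP BY ip_proto
ORDER BY ip_proto;

-- Who is sending a given signature, and to whom. ip_src/ip_dst are
-- assumed to be unsigned 32-bit integers; INET_NTOA() turns them back
-- into dotted quads.
SELECT INET_NTOA(i.ip_src) AS src, INET_NTOA(i.ip_dst) AS dst, COUNT(*) AS n
FROM event e, iphdr i
WHERE e.sid = i.sid AND e.cid = i.cid
  AND e.signature = 'SCAN Proxy attempt'
GROUP BY i.ip_src, i.ip_dst
ORDER BY n DESC
LIMIT 20;

-- The 24 TCP events in full, with ports and timestamps.
SELECT e.timestamp, e.signature,
       INET_NTOA(i.ip_src) AS src, t.tcp_sport,
       INET_NTOA(i.ip_dst) AS dst, t.tcp_dport
FROM event e, iphdr i, tcphdr t
WHERE e.sid = i.sid AND e.cid = i.cid
  AND e.sid = t.sid AND e.cid = t.cid
ORDER BY e.timestamp;

-- ICMP broken down by type/code next to the signature text, so the
-- unreachables and the echo variants can be separated reliably.
SELECT c.icmp_type, c.icmp_code, e.signature, COUNT(*) AS n
FROM event e, icmphdr c
WHERE e.sid = c.sid AND e.cid = c.cid
GROUP BY c.icmp_type, c.icmp_code, e.signature
ORDER BY n DESC;

-- Events per hour, to see whether the ICMP volume is steady or bursty.
SELECT DATE_FORMAT(timestamp, '%Y-%m-%d %H:00') AS per_hour, COUNT(*) AS n
FROM event
GROUP BY per_hour
ORDER BY per_hour;

-- Events with no payload row: event has 13935 rows and data has 13911,
-- so this should return 24 rows.
SELECT e.sid, e.cid, e.timestamp, e.signature
FROM event e LEFT JOIN data d ON e.sid = d.sid AND e.cid = d.cid
WHERE d.cid IS NULL;
```

Every join is on the (sid, cid) pair, which is the primary key shared by all the per-packet tables; sid identifies the sensor (one row in the sensor table here) and cid the event counter within it. The signature column is matched as text because `select distinct signature from event` in the post returns the rule messages themselves rather than an integer key.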
