[Snort-users] Snort not logging on FreeBSD

Stuart Larson bouche at ...375...
Mon Mar 26 11:46:12 EST 2001

Maybe I live in a quiet corner of the net, but it doesn't seem like Snort is
logging anything.  I'm on a FreeBSD system and I'm using version snort-1.7
from ports.  I downloaded the vision.conf rulseset and made only minor
changes to it (I changed INTERNAL to "var INTERNAL" and EXTERNAL
to "var EXTERNAL !" -- I have two interfaces.  dc0 is external
and is given an IP address by DHCP.  dc1 is internal and has a
address space (it's  I call snort with:

    /usr/local/bin/snort -Dde -A full -c /usr/local/share/snort/vision.conf

The ONLY time I've seen snort log ANYTHING was when I did a nessus scan of
another computer on our school network.  That was the one time I've seen
logging.  I've done other nessus scans of other computers on the network,
and have not seen any logging from those scans.

For other information:

berton:[/usr/local/share/snort]$ uname -a
FreeBSD berton.dyndns.org 4.3-BETA FreeBSD 4.3-BETA #3: Mon Mar 19 00:34:00 CST 2001     root at ...1670...:/usr/obj/usr/src/sys/PUDU  i386

dmesg output:

Copyright (c) 1992-2001 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 4.3-BETA #3: Mon Mar 19 00:34:00 CST 2001
    root at ...1670...:/usr/obj/usr/src/sys/PUDU
Timecounter "i8254"  frequency 1193182 Hz
CPU: Pentium/P54C (132.96-MHz 586-class CPU)
  Origin = "GenuineIntel"  Id = 0x52b  Stepping = 11
real memory  = 50331648 (49152K bytes)
avail memory = 46469120 (45380K bytes)
Preloaded elf kernel "kernel" at 0xc028f000.
Intel Pentium detected, installing workaround for F00F bug
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcib0: <Host to PCI bridge> on motherboard
pci0: <PCI bus> on pcib0
isab0: <Intel 82371FB PCI to ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX ATA controller> port 0xffa0-0xffaf at device 7.1 on
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
dc0: <LC82C115 PNIC II 10/100BaseTX> port 0xf800-0xf8ff mem 0xfffbf800-0xfffbf8ff irq 9 at device 13.0 on pci0
dc0: Ethernet address: 00:a0:cc:e7:7b:a4
miibus0: <MII bus> on dc0
dcphy0: <Intel 21143 NWAY media interface> on miibus0
dcphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc1: <ADMtek AN985 10/100BaseTX> port 0xfc00-0xfcff mem 0xfffbfc00-0xfffbffff irq 10 at device 14.0 on pci0
dc1: Ethernet address: 00:20:78:1c:27:2a
miibus1: <MII bus> on dc1
ukphy0: <Generic IEEE 802.3u media interface> on miibus1
ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
pci0: <Matrox MGA Millennium 2064W graphics accelerator> at 15.0 irq 11
fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio1: configured irq 3 not in bitmap of probed irqs 0
IP packet filtering initialized, divert enabled, rule-based forwarding enabled, default to deny, logging limited to 100 packets/entry by default
IP Filter: v3.4.16 initialized.  Default = pass all, Logging = enabled
ad0: 12949MB <Maxtor 51369U3> [26310/16/63] at ata0-master WDMA2
acd0: CDROM <CREATIVE CD5233E> at ata1-master using WDMA2
Mounting root from ufs:/dev/ad0s1a
dc1: failed to force tx and rx to idle state
dc0: promiscuous mode enabled

Hopefully someone will be able to help me on this one.  Thanks for any help!

Stuart Larson
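
Two things worth checking for a report like this, before suspecting the sensor placement, are that every `var` in the ruleset actually carries a value and that every `$NAME` a rule references is defined somewhere. The script below is an added example, not part of the original post and not Snort's own tooling: a small POSIX shell/awk lint for Snort 1.x style config files. The config it inspects is a constructed sample written to a temp file, not the poster's real vision.conf; the variable names INTERNAL, EXTERNAL and HOME_NET in it are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a quick lint for Snort 1.x
# style config files. It reports "var" lines whose value is empty and
# rule lines that reference $VARS never defined with a "var" line.

# Write a constructed sample config (assumed, not the poster's real
# vision.conf) to a temp file and print its path.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not the real vision.conf
var INTERNAL 192.168.1.0/24
var EXTERNAL
alert tcp $EXTERNAL any -> $INTERNAL 80 (msg:"WEB probe"; flags:S;)
alert tcp $EXTERNAL any -> $HOME_NET 23 (msg:"telnet attempt";)
EOF
    printf '%s\n' "$f"
}

# Print the name of every "var" line that has no value after the name.
snort_vars_missing_values() {
    awk '$1 == "var" && NF < 3 { print $2 }' "$1"
}

# Print every $NAME referenced in an alert/log/pass rule but never
# defined by a "var" line (each name printed once).
snort_undefined_vars() {
    awk '
        $1 == "var" { defined[$2] = 1; next }
        /^(alert|log|pass)[ \t]/ {
            line = $0
            while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                name = substr(line, RSTART + 1, RLENGTH - 1)
                if (!(name in defined) && !(name in seen)) {
                    seen[name] = 1
                    print name
                }
                line = substr(line, RSTART + RLENGTH)
            }
        }' "$1"
}

# Stand-alone run: lint the constructed sample and clean up.
conf=$(write_sample_conf)
echo "vars without a value:"; snort_vars_missing_values "$conf"
echo "undefined vars in rules:"; snort_undefined_vars "$conf"
rm -f "$conf"
```

Run it against the real ruleset with `snort_vars_missing_values /usr/local/share/snort/vision.conf`. Independently of the config, the dmesg above shows only dc0 entering promiscuous mode, so it is also worth confirming which interface Snort is bound to by running it briefly in sniffer mode with an explicit interface (`snort -v -i dc1`) while generating test traffic, and watching whether packets are printed at all.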
