Sat Sep 22 2001

On Sat, 22 Sep 2001, DJDave Sobel wrote:

> Snort Users:
> Need a little help... I believe I have everything configured
> correctly... having built and installed snort 1.8.1, I have it running
> and configured for my network.  My network is divided into three major
> subnets, one with publicly addressable IPs, and two private blocks.
> Despite the fact that I'm seeing multiple CodeRed and Nimda attacks in
> the web server logs, Snort does not seem to see them -- or certainly
> doesn't report them.  I'm not using anything more than the standard
> ruleset, so I'm not sure what I'm doing wrong.
> I've included my snort.conf below, and I execute snort with this
> command:
> /usr/local/bin/snort -c /usr/local/snort/snort.conf -dD
> I have removed the -dD and verified that snort does run, and with the
> -dD I can see it in the process list.
> Can anyone help?


Maybe, if you pay us with coffee and beer.  ;-)

A couple of things:

	1)  grep -v '#' snort.conf | grep -v '^$'    Gives you a nice clean cutdown
	2)  Where is snort in your network?  Is it on a switch, 10/100
autosensing hub, plain vanilla hub?  Can it see _any_ traffic going to those

Check that snort can see those boxes by:  snort -dv host <webserver_IP>  and
[erek at ...3560...]~>telnet route-server.cerf.net
Connected to route-server.cerf.net.
Escape character is '^]'.

route-server>ping <webserver_ip>
Translating <webserver_ip> ( [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.yyy.zzz.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/24 ms
Connection closed by foreign host.

If you don't see the packets in the snort window, then something is amiss with
the network setup/hardware, not with your snort.conf.

Good luck!

Erek Adams
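As an added example that is not part of this thread (neither Erek's nor the Snort project's code): once Snort is known to see the packets, the next thing worth confirming is that the web server's address actually falls inside the HOME_NET / HTTP_SERVERS variables in snort.conf, since the web rules are written against those. The sample config text, its variable layout and all addresses below are constructed assumptions, not the poster's real file.

```python
import ipaddress
import re

# Constructed sample of a Snort 1.x style snort.conf (assumption, not the poster's file).
SAMPLE_CONF = """\
# Snort configuration (constructed sample)
var HOME_NET [203.0.113.0/24,10.1.0.0/16,192.168.1.0/24]

var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
include web-iis.rules
"""

def strip_comments(conf_text):
    """Same effect as `grep -v '#' snort.conf | grep -v '^$'`: drop comment and blank lines."""
    return [ln.strip() for ln in conf_text.splitlines() if ln.strip() and "#" not in ln]

def parse_vars(lines):
    """Collect `var NAME value` definitions, in file order."""
    found = {}
    for ln in lines:
        m = re.match(r"var\s+(\S+)\s+(.+)$", ln)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def expand(value, variables):
    """Resolve $VAR references textually, the way Snort substitutes them."""
    while "$" in value:
        value = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], value)
    return value

def networks(value, variables):
    """Turn a Snort address spec (optionally negated, optionally a [list]) into networks."""
    value = expand(value, variables).strip()
    negated = value.startswith("!")
    value = value.lstrip("!").strip("[]")
    nets = [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]
    return negated, nets

def covers(var_name, ip, conf_text=SAMPLE_CONF):
    """True if `ip` matches the address variable `var_name` as defined in the config."""
    variables = parse_vars(strip_comments(conf_text))
    negated, nets = networks(variables[var_name], variables)
    inside = any(ipaddress.ip_address(ip) in n for n in nets)
    return inside != negated

if __name__ == "__main__":
    # A web server on an address outside HOME_NET will never match $HTTP_SERVERS rules.
    for host in ("203.0.113.10", "198.51.100.7"):
        print(host, "in HTTP_SERVERS:", covers("HTTP_SERVERS", host))
```

A server that reports False here is invisible to every rule whose destination is $HTTP_SERVERS, no matter how much traffic the sensor sees.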

