[Snort-users] Configuration issue
erek at ...577...
Sat Sep 22 13:45:01 EDT 2001
On Sat, 22 Sep 2001, DJDave Sobel wrote:
> Snort Users:
> Need a little help... I believe I have everything configured
> correctly... having built and installed snort 1.8.1, I have it running
> and configured for my network. My network is divided into three major
> subnets, one with publicly addressable IPs, and two private blocks.
> Despite the fact that I'm seeing multiple CodeRed and Nimda attacks in
> the web server logs, Snort does not seem to see them -- or certainly
> doesn't report them. I'm not using anything more than the standard
> ruleset, so I'm not sure what I'm doing wrong.
> I've included my snort.conf below, and I execute snort with this
> /usr/local/bin/snort -c /usr/local/snort/snort.conf -dD
> I have removed the -dD and verified that snort does run, and with the
> -dD I can see it in the process list.
> Can anyone help?
Maybe, if you pay us with coffee and beer. ;-)
A couple of things:
1) grep -v '#' snort.conf | grep -v '^$' gives you a nice clean cutdown
2) Where is snort in your network? Is it on a switch, 10/100
autosensing hub, plain vanilla hub? Can it see _any_ traffic going to those
Check that snort can see those boxes by: snort -dv host <webserver_IP> and
[erek at ...3560...]~>telnet route-server.cerf.net
Connected to route-server.cerf.net.
Escape character is '^]'.
Translating <webserver_ip> (184.108.40.206) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.yyy.zzz.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/24 ms
Connection closed by foreign host.
If you don't see the packets in the snort window, then something is amiss with
the network setup/hardware, not with your snort.conf.
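The two checks above, as a small added shell example that is not part of the thread: a function that prints only the active lines of a snort.conf (the grep pipeline, with the '#' quoted and extended to also skip indented comments and whitespace-only lines), and a wrapper that runs snort in sniffer mode against one host and exits after a few packets so the result can be used as a yes/no answer to "does the sensor see this box at all?". The sample config is constructed for the demonstration; the interface name, the use of snort's -n packet-count option and the coreutils timeout command are assumptions, and the sniffer check needs root and a real interface.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Constructed sample snort.conf fragment (not a real deployment).
sample_conf() {
    cat <<'EOF'
# Sample config (constructed for the example)
var HOME_NET 192.0.2.0/24

var EXTERNAL_NET any
   # indented comment
preprocessor frag2
include /usr/local/snort/web-iis.rules
EOF
}

# 1) Print only the active lines of a snort.conf: comment lines and
#    blank/whitespace-only lines are dropped.
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Number of active lines, handy when scripting a config review.
active_line_count() {
    active_lines "$1" | wc -l | tr -d ' '
}

# 2) Does snort see packets to/from this host on the sniffing interface?
#    Runs snort as a sniffer (-dv), exits after 5 packets (-n 5, assumed),
#    and gives up after $3 seconds (coreutils timeout, assumed).
#    Returns 0 if the host's address shows up in the decoded packets.
#    A non-zero result points at span/hub/switch placement, not snort.conf.
snort_sees_host() {
    host_ip=$1
    iface=${2:-eth0}
    secs=${3:-30}
    timeout "$secs" snort -dv -i "$iface" -n 5 host "$host_ip" 2>/dev/null \
        | grep -q "$host_ip"
}

# Offline demonstration of the config cleanup on the constructed sample.
demo_cleanup() {
    tmp=$(mktemp)
    sample_conf > "$tmp"
    active_lines "$tmp"
    echo "active lines: $(active_line_count "$tmp")"
    rm -f "$tmp"
}

demo_cleanup
```

Run snort_sees_host with the web server's address as the sensor host would actually see it (inside address on the private blocks, public address on the public subnet) and the interface the sensor is plugged into; if it returns non-zero while the web server logs show hits, the problem is visibility, exactly as the reply says.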