[Snort-users] Configuration issue
berjo at ...827...
Sun Sep 23 06:11:02 EDT 2001
Coffee as payment would be excellent!! ;^)
Where exactly are you sending your output? I didn't see any output plugins
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Erek Adams
Sent: Sunday, 23 September 2001 6:44
To: DJDave Sobel
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Configuration issue
On Sat, 22 Sep 2001, DJDave Sobel wrote:
> Snort Users:
> Need a little help... I believe I have everything configured
> correctly... having built and installed snort 1.8.1, I have it running
> and configured for my network. My network is divided into three major
> subnets, one with publicly addressable IPs, and two private blocks.
> Despite the fact that I'm seeing multiple CodeRed and Nimda attacks in
> the web server logs, Snort does not seem to see them -- or certainly
> doesn't report them. I'm not using anything more than the standard
> ruleset, so I'm not sure what I'm doing wrong.
> I've included my snort.conf below, and I execute snort with this
> /usr/local/bin/snort -c /usr/local/snort/snort.conf -dD
> I have removed the -dD and verified that snort does run, and with the
> -dD I can see it in the process list.
> Can anyone help?
Maybe, if you pay us with coffee and beer. ;-)
A couple of things:
1) grep -v '#' snort.conf | grep -v '^$' Gives you a nice clean cutdown
2) Where is snort in your network? Is it on a switch, 10/100
autosensing hub, plain vanilla hub? Can it see _any_ traffic going to those
Check that snort can see those boxes by: snort -dv host <webserver_IP> and
[erek at ...3560...]~>telnet route-server.cerf.net
Connected to route-server.cerf.net.
Escape character is '^]'.
Translating <webserver_ip> (188.8.131.52) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.yyy.zzz.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/24 ms
Connection closed by foreign host.
If you don't see the packets in the snort window, then something is amiss with
the network setup/hardware, not with your snort.conf.
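Added example, not part of the original thread: a shell sketch of the config trim from point 1 that also counts the active directives, so a snort.conf with no active output line (the question raised in the reply at the top) shows up at a glance. The function names and the sample config are constructed for illustration; unlike the plain grep, the filter also skips indented comments and whitespace-only lines.

```shell
#!/bin/sh
# Added example: list and count the active directives in a snort.conf.

# Print active lines only: skip lines that are empty, whitespace-only,
# or whose first non-blank character is '#'.
active_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# Count active lines starting with a directive keyword (var, output, ...).
count_directive() {
    active_lines "$1" | grep -Ec "^[[:space:]]*$2[[:space:]]" || true
}

# Print a per-directive count and flag a config with no output plugin.
summarize_conf() {
    for d in var preprocessor output include; do
        printf '%-12s %s\n' "$d" "$(count_directive "$1" "$d")"
    done
    if [ "$(count_directive "$1" output)" -eq 0 ]; then
        echo "note: no active output line in $1"
    fi
}

# Constructed sample config (not the poster's file).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for illustration
var HOME_NET 192.168.1.0/24

  # indented comment
preprocessor http_decode: 80
#output alert_syslog: LOG_AUTH LOG_ALERT
include web-iis.rules
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
active_lines "$sample"
summarize_conf "$sample"
rm -f "$sample"
```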