[Snort-users] Configuration issue

John Berkers berjo at ...827...
Sun Sep 23 06:11:02 EDT 2001


Coffee as payment would be excellent!! ;^)

Where exactly are you sending your output?  I didn't see any output plugins
configured.

John Berkers.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Erek Adams
Sent: Sunday, 23 September 2001 6:44
To: DJDave Sobel
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Configuration issue


On Sat, 22 Sep 2001, DJDave Sobel wrote:

> Snort Users:
>
> Need a little help... I believe I have everything configured
> correctly... having built and installed snort 1.8.1, I have it running
> and configured for my network.  My network is divided into three major
> subnets, one with publicly addressable IPs, and two private blocks.
>
> Despite the fact that I'm seeing multiple CodeRed and Nimba attacks in
> the web server logs, Snort does not seem to see them -- or certainly
> doesn't report them.  I'm not using anything more than the standard
> ruleset, so I'm not sure what I'm doing wrong.
>
> I've included my snort.conf below, and I execute snort with this
> command:
>
> /usr/local/bin/snort -c /usr/local/snort/snort.conf -dD
>
> I have removed the -dD and verified that snort does run, and with the
> -dD I can see it in the process list.
>
> Can anyone help?

[...snip...]

Maybe, if you pay us with coffee and beer.  ;-)

A couple of things:

	1)  grep -v '^#' snort.conf | grep -v '^$'    Gives you a nice clean cutdown
snort.conf.
	2)  Where is snort in your network?  Is it on a switch, 10/100
autosensing hub, plain vanilla hub?  Can it see _any_ traffic going to those
servers?

Check that snort can see those boxes by:  snort -dv host <webserver_IP>  and
then:
---
[erek at ...3560...]~>telnet route-server.cerf.net
Trying 134.24.38.246...
Connected to route-server.cerf.net.
Escape character is '^]'.

route-server>ping <webserver_ip>
Translating <webserver_ip> (192.102.249.3) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.yyy.zzz.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/24 ms
route-server>quit
Connection closed by foreign host.
---

If you don't see the packets in the snort window, then something is amiss
with the network setup/hardware, not with your snort.conf.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
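As an added example (not code from anyone in this thread), a small POSIX shell script that applies Erek's cutdown to a snort.conf and answers John's question about whether any output plugin is configured; the sample conf fragment, the function names and the snort 1.8-style directive syntax are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Strips snort.conf down to the
# lines snort parses and reports whether any output plugin is configured.
# Assumes snort 1.8-style syntax ('#' comments, 'var', 'output' directives).

# Erek's cutdown, with the patterns quoted so the shell does not read
# the bare '#' as the start of a shell comment.
snort_conf_active() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Number of active 'output' directives. 0 means no output plugin is
# configured, which is John's question about where the alerts are going.
snort_conf_output_count() {
    snort_conf_active "$1" | grep -c '^[[:space:]]*output[[:space:]]' || true
}

# Value of HOME_NET, so you can confirm the web subnet is actually in it.
snort_conf_home_net() {
    snort_conf_active "$1" \
        | sed -n 's/^[[:space:]]*var[[:space:]]\{1,\}HOME_NET[[:space:]]\{1,\}//p' \
        | head -n 1
}

# Constructed snort.conf fragment for the demonstration (not a real config).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed snort.conf fragment
var HOME_NET 192.168.1.0/24

# output alert_syslog: LOG_AUTH LOG_ALERT
preprocessor http_decode: 80 8080
include web-iis.rules
EOF

echo "--- active lines ---"
snort_conf_active "$SAMPLE_CONF"
echo "HOME_NET: $(snort_conf_home_net "$SAMPLE_CONF")"
if [ "$(snort_conf_output_count "$SAMPLE_CONF")" -eq 0 ]; then
    echo "no output plugin configured: check where -A and -l send alerts"
fi
```

In the constructed fragment the only output directive is commented out, so the script reports zero output plugins, which is exactly the symptom of a sensor that runs but never reports anything.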
