[Snort-users] Clueless in Toronto

Rich Stryker rstryker at ...7794...
Thu Dec 19 12:40:06 EST 2002


Joel,

	Thank you for your help. I have not as yet figured out why it dies while logging to binary, but I did get some logs created by SNORT. Those files couldn't be read by SNORT, WINDUMP or a text editor; the errors kept saying it wasn't a real file or something.

	I have also played around with the snort.conf file. If only I had read it a bit more... I had reconfigured the unified binary output, which explains the weird logfile names. I put the snort.conf back to its normal settings and now I get the alert.ids file. I now have to figure out how SNORTSNARF works. :-)

	I would like to get the binary working soon but I guess I should learn to crawl before I walk. Do you or anyone else know why SNORTSNARF doesn't return any output in HTML format? I have the alert.ids file in the directory SNORTSNARF was told to look into, as per the installation instructions from Silicon Defense, and I also have over 20 subfolders, labelled with IP addresses, so why does SNORTSNARF not show me anything?

	Is it because the only traffic on the network is ICMP stuff like PING and TRACERT and basic NT authentication?

Still Clueless but hopefully getting better....

Rich

-----Original Message-----
From: Joel Healy [mailto:Joel.Healy at ...7405...]
Sent: Thursday, December 19, 2002 2:38 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto


Hi Rich...

Can't think of any reasons off the top of my head why snort would die when
reconfigured to output to a unified binary file, perhaps filesystem
permissions or misconfiguration of a snort.conf parameter? To check your
configuration try starting snort in self-testing verbose mode (snort -T -c
snort.conf) which may help.

When it comes to running snort on Windows I have never had much success
installing it as a service; when I have it on a W2K box I tend to run it as a
foreground app.  I tend to prefer running it on a *nix host as it gives me a
bit more flexibility in processing the output logs etc.

Also be aware that the unified binary output file cannot be played back by
snort; this output format requires a separate utility like Barnyard or the
like.  Easy mistake to make though, as the TCPDUMP (or pcap) output options
are referred to as a binary log file, which can be played back by snort.

cheers

joel
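The two points Joel raises (which output plugins are active in snort.conf, and that unified output needs Barnyard while log_tcpdump output is pcap that snort -r can replay) can be checked mechanically. The script below is an added example, not code from either message or from the Snort project: it lists the uncommented `output` lines of a constructed snort.conf fragment, says what kind of file each plugin writes and what can read it, and sniffs the first four bytes of a log file to tell a pcap file from a Snort 1.x unified alert or log file. The pcap magic is the standard 0xA1B2C3D4; the unified magics are the ALERT_MAGIC and LOG_MAGIC constants from Snort's spo_unified.h. The sample configuration and sample file headers are constructed here for the demonstration.

```python
"""Classify Snort output plugins from snort.conf and sniff a log file header.

Added example for the thread above; not Snort's own code.
"""
import struct

# What each "output" plugin writes and what can read the result.
# Unified plugins need Barnyard (or similar); log_tcpdump writes pcap that
# snort -r or tcpdump/windump can replay; alert_fast/alert_full write text.
PLUGIN_KINDS = {
    "alert_unified": "unified (binary; read with Barnyard, not snort -r)",
    "log_unified": "unified (binary; read with Barnyard, not snort -r)",
    "unified2": "unified2 (binary; read with Barnyard2, not snort -r)",
    "log_tcpdump": "pcap (binary; replay with snort -r or tcpdump/windump)",
    "alert_fast": "plain text alert file",
    "alert_full": "plain text alert file",
    "alert_syslog": "syslog",
}

# Constructed snort.conf fragment for the demonstration (not a real config).
SAMPLE_CONF = """\
# constructed snort.conf fragment
var HOME_NET 192.168.1.0/24
output alert_full: alert.ids
# output log_tcpdump: snort.log
output log_unified: filename snort.log, limit 128
output alert_unified: filename snort.alert, limit 128
include classification.config
"""


def parse_output_plugins(conf_text):
    """Return [(plugin_name, argument_string)] for every active 'output' line."""
    plugins = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # skip blanks and comments
            continue
        if not line.startswith("output"):
            continue
        rest = line[len("output"):].strip()
        name, _, args = rest.partition(":")
        plugins.append((name.strip(), args.strip()))
    return plugins


def classify(conf_text):
    """Return [(plugin_name, description, args)] for each active output plugin."""
    return [(name, PLUGIN_KINDS.get(name, "unknown plugin"), args)
            for name, args in parse_output_plugins(conf_text)]


# File magics at offset 0. pcap: 0xA1B2C3D4 in either byte order.
# Unified: ALERT_MAGIC / LOG_MAGIC from Snort 1.x spo_unified.h, host order.
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1}
UNIFIED_ALERT_MAGIC = 0xDEAD4137
UNIFIED_LOG_MAGIC = 0xDEAD1080


def sniff_log_header(data):
    """Identify a Snort log file from its first four bytes."""
    if len(data) < 4:
        return "too short to identify"
    le = struct.unpack("<I", data[:4])[0]
    be = struct.unpack(">I", data[:4])[0]
    if le in PCAP_MAGICS:                 # covers both byte orders
        return "pcap"
    if UNIFIED_ALERT_MAGIC in (le, be):
        return "unified alert"
    if UNIFIED_LOG_MAGIC in (le, be):
        return "unified log"
    return "unknown"


# Constructed file headers: a 24-byte pcap global header and the start of a
# unified log file as a little-endian host would write it.
SAMPLE_PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_UNIFIED_LOG_HEADER = struct.pack("<I", UNIFIED_LOG_MAGIC) + b"\x00" * 12


if __name__ == "__main__":
    for name, kind, args in classify(SAMPLE_CONF):
        print(f"{name:15s} -> {kind}  [{args}]")
    for label, hdr in (("pcap header", SAMPLE_PCAP_HEADER),
                       ("unified header", SAMPLE_UNIFIED_LOG_HEADER)):
        print(f"{label:15s} -> {sniff_log_header(hdr)}")
```

Run against a real snort.conf by passing its contents to `classify`, and against the first bytes of a puzzling log file (`open(path, "rb").read(4)`) with `sniff_log_header`: a file that neither snort -r nor windump accepts but that reports "unified log" or "unified alert" was written by a unified plugin and needs Barnyard.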
