[Snort-users] snort alert -stop working with snort.conf

John Sage jsage at ...2022...
Sun Jul 28 07:51:05 EDT 2002


Angela:

On Sat, Jul 27, 2002 at 08:18:20PM -0700, Cearns Angela wrote:
> Hi I've 2 simple questions:
> 
> 1. My snort alert was working fine for a while and
> stopped suddenly. It no longer logs port scan file to
> my portscan.log in /var/log/snort...nor does it log
> icmp large packets alert to my alert file in
> /var/log/snort.
> I'm using Red Hat Linux 7.3 2.4.18. and snort 1.8.6

So, *nothing* is alerting at all, or just not portscans and icmp large
packets?

What sort of connectivity do you have?

hmm..
 
[toot at ...2057... /]# host 128.198.172.82
82.172.198.128.in-addr.arpa. domain name pointer multimedia.cs.uccs.edu.

Do you have a new IP address assigned by DHCP every so often?


> I checked the snort.conf file and the homenet was
> configured correctly (same as what I use for the -h
> option on command line).
> 
> When I run snort:
> snort -dev -l /var/log/snort -h 192.168.0.2/16 -c
> snort.conf
> 
> It didn't raise any errors, and it read in all the
> rules.
> 
> When I run snort without the config file:
> snort -dev -l /var/log/snort
> - it correctly created the dest & source IP directories and
> logged the packets into those directories
> 
> Any idea where I should look into the problem?
> 
> 2. After getting the alert working, I'd like to test
> every single one of the rules in snort but I don't
> know the various type of intrusion very well. Is there
> any test case available that can help me get start?
> (e.g. run a nmap -sS....and the portscan alert will be
> raised; run a ping ... and an xx alert will be raised...)

Many of the snort rules look for symptoms of specific exploits.

You can't test for these without running a given exploit against your
system.

nmap will scan ports in various ways, but not test all snort rules, by
any means.

I'm not aware of any method to actually test each and every rule...


HTH..


- John
-- 
Why, yes, I talk to birds. I speak fluent finch.

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
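A practical middle ground between "run every exploit" and "trust that it works" is a rule you control: put a local rule into the config that matches a marker string nobody else sends, send that marker at a host inside HOME_NET, and check that exactly that SID shows up in the alert file. If it does, the capture, rule loading, HOME_NET and alert-output path are all fine and the question becomes which rules should have matched; if it does not, the problem is the sensor, not the rule set. The script below is an added example, not code from this thread or from the Snort project. It assumes snort.conf includes a local rules file (for example `include local.rules`) and that alerts go to the default fast-style file /var/log/snort/alert; the SID, the UDP port, the marker string and the sample alert lines are all constructed for the example.

```python
"""Smoke-test that a Snort sensor actually alerts, using a rule you wrote.

Added example, not from the thread or the Snort project.  Assumes
snort.conf includes a local rules file and writes fast-style alerts to
/var/log/snort/alert.  SID, port and marker are arbitrary choices.
"""
import re
import socket

MARKER = "SNORT_SELFTEST_7f3a"   # constructed marker; anything not seen in normal traffic
TEST_SID = 1000001               # SIDs from 1000000 up are reserved for local rules
TEST_PORT = 9999                 # arbitrary UDP port the probe is sent to


def local_rule(sid=TEST_SID, port=TEST_PORT, marker=MARKER):
    """Build a rule that fires on any UDP datagram into $HOME_NET:port that
    carries the marker.  $HOME_NET stays a variable so the rule follows the
    -h option / var HOME_NET in snort.conf, exactly like the shipped rules."""
    return (f'alert udp any any -> $HOME_NET {port} '
            f'(msg:"LOCAL selftest marker"; content:"{marker}"; '
            f'sid:{sid}; rev:1;)')


def send_probe(dst_ip, port=TEST_PORT, marker=MARKER):
    """Send one UDP datagram carrying the marker; returns the byte count sent.
    Run it from a host the sensor can see, aimed at an address in HOME_NET."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(marker.encode(), (dst_ip, port))


# One fast-style alert line: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification/priority, and for packet rules "{PROTO} src -> dst".
# Preprocessor alerts (spp_portscan, ...) carry no src -> dst trailer.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:.*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?\s*$')


def parse_alerts(text):
    """Parse alert-file text into dicts; lines that are not alerts are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            out.append(d)
    return out


def selftest_fired(text, sid=TEST_SID):
    """True if at least one alert for our SID is present in the alert file."""
    return any(a["sid"] == sid for a in parse_alerts(text))


# Constructed sample of what the alert file might hold after the probe:
# one portscan preprocessor alert and one hit on the selftest rule.
SAMPLE_ALERT_FILE = """\
07/28-07:49:12.102938  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 192.168.0.5 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
07/28-07:51:05.443212  [**] [1:1000001:1] LOCAL selftest marker [**] [Priority: 0] {UDP} 192.168.0.5:40000 -> 192.168.0.2:9999
"""

if __name__ == "__main__":
    print(local_rule())            # append to local.rules, then restart snort
    # send_probe("192.168.0.2")    # on a real network: send the marker at a HOME_NET host
    print(selftest_fired(SAMPLE_ALERT_FILE))
```

Because the rule's destination is $HOME_NET, a probe that never alerts while plain `snort -dev` still logs packets points at the HOME_NET value or the rule/output path in snort.conf rather than at the capture interface. The parser also keeps preprocessor lines like spp_portscan, so the same function can confirm whether portscan alerts are still being written at all.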



