[Snort-users] snort alert -stop working with snort.conf

Cearns Angela acearns at ...131...
Sun Jul 28 12:23:12 EDT 2002


No, nothing is alerting. I don't know how to test a
lot of the rules. But I tried nmap, ping -l, and I'm
also testing the Stacheldraht attack, no alert. What
else can I try?

But -l without -c snort.conf works.

I have static IPs for all my computers.

Thanks,
Ang


--- John Sage <jsage at ...2022...> wrote:
> Angela:
> 
> On Sat, Jul 27, 2002 at 08:18:20PM -0700, Cearns Angela wrote:
> > Hi I've 2 simple questions:
> > 
> > 1. My snort alert was working fine for a while and
> > stopped suddenly. It no longer logs port scan file to
> > my portscan.log in /var/log/snort...nor does it log
> > icmp large packets alert to my alert file in
> > /var/log/snort.
> > I'm using Red Hat Linux 7.3 2.4.18. and snort 1.8.6
> 
> So, *nothing* is alerting at all, or just not portscans and icmp large
> packets?
> 
> What sort of connectivity do you have?
> 
> hmm..
>  
> [toot at ...2057... /]# host 128.198.172.82
> 82.172.198.128.in-addr.arpa. domain name pointer multimedia.cs.uccs.edu.
> 
> Do you have a new IP address assigned by DHCP every so often?
> 
> 
> > I checked the snort.conf file and the homenet was
> > configured correctly (same as what I use for the -h
> > option on command line).
> > 
> > When I run snort:
> > snort -dev -l /var/log/snort -h 192.168.0.2/16 -c snort.conf
> > 
> > It didn't raise any error and it reads in all the
> > rules.
> > 
> > When I run snort without the config file:
> > snort -dev -l /var/log/snort
> > - it accurately created the dest & source ip directory
> > log the packets into those directories
> > 
> > Any idea where I should look into the problem?
> > 
> > 2. After getting the alert working, I'd like to test
> > every single one of the rules in snort but I don't
> > know the various types of intrusion very well. Is there
> > any test case available that can help me get started?
> > (e.g. run a nmap -sS....and the portscan alert will be
> > raised; run a ping ... and a xx alert will be raised...)
> 
> Many of the snort rules look for symptoms of specific exploits.
> 
> You can't test for these without running a given exploit against your
> system.
> 
> nmap will scan ports in various ways, but not test all snort rules, by
> any means.
> 
> I'm not aware of any method to actually test each and every rule...
> 
> 
> HTH..
> 
> 
> - John
> -- 
> Why, yes, I talk to birds. I speak fluent finch.
> 
> PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

