[Snort-users] snort alert -stop working with snort.conf
acearns at ...131...
Sun Jul 28 12:23:12 EDT 2002
No, nothing is alerting. I don't know how to test a
lot of the rules. But I tried nmap, ping -l, and I'm
also testing the Stacheldraht attack, no alert. What
else can I try?
But -l without -c snort.conf works.
I have static IPs for all my computers.
--- John Sage <jsage at ...2022...> wrote:
> On Sat, Jul 27, 2002 at 08:18:20PM -0700, Cearns
> Angela wrote:
> > Hi I've 2 simple questions:
> > 1. My snort alert was working fine for a while and
> > stopped suddenly. It no longer logs port scan file to
> > my portscan.log in /var/log/snort...nor does it
> > icmp large packets alert to my alert file in
> > /var/log/snort.
> > I'm using Red Hat Linux 7.3 2.4.18. and snort
> So, *nothing* is alerting at all, or just not
> portscans and icmp large
> What sort of connectivity do you have?
> [toot at ...2057... /]# host 18.104.22.168
> 22.214.171.124.in-addr.arpa. domain name pointer
> Do you have a new IP address assigned by DHCP every
> so often?
> > I checked the snort.conf file and the homenet was
> > configured correctly (same as what I use for the -h
> > option on command line).
> > When I run snort:
> > snort -dev -l /var/log/snort -h 192.168.0.2/16 -c snort.conf
> > It didn't raise any error and it reads in all the
> > rules.
> > When I run snort without the config file:
> > snort -dev -l /var/log/snort
> > - it accurately created the dest & source ip
> > log the packets into those directories
> > Any idea where I should look into the problem?
> > 2. After getting the alert working, I'd like to
> > every single one of the rules in snort but I don't
> > know the various types of intrusion very well. Is
> > any test case available that can help me get
> > (e.g. run a nmap -sS....and the portscan alert will be
> > raised; run a ping ... and a xx alert will be
> Many of the snort rules look for symptoms of
> specific exploits.
> You can't test for these without running a given
> exploit against your
> nmap will scan ports in various ways, but not test
> all snort rules, by
> any means.
> I'm not aware of any method to actually test each
> and every rule...
> - John
> Why, yes, I talk to birds. I speak fluent finch.
> PGP key
> Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E
> 0C D0 BE C8 38 CC B5