[Snort-users] snort alert -stop working with snort.conf

twig les twigles at ...131...
Mon Jul 29 09:33:15 EDT 2002


Any security scanner like nessus or whisker (which
nessus uses).

--- Cearns Angela <acearns at ...131...> wrote:
> No, nothing is alerting. I don't know how to test a lot of the rules.
> But I tried nmap, ping -l, and I'm also testing the Stacheldraht attack,
> no alert. What else can I try?
> 
> but -l without -c snort.conf works.
> 
> I've static IPs for all my computers.
> 
> Thanks,
> Ang
> 
> 
> --- John Sage <jsage at ...2022...> wrote:
> > Angela:
> > 
> > On Sat, Jul 27, 2002 at 08:18:20PM -0700, Cearns Angela wrote:
> > > Hi I've 2 simple questions:
> > > 
> > > 1. My snort alert was working fine for a while and stopped suddenly.
> > > It no longer logs port scans to my portscan.log in
> > > /var/log/snort...nor does it log ICMP large packet alerts to my
> > > alert file in /var/log/snort.
> > > I'm using Red Hat Linux 7.3 2.4.18 and snort 1.8.6
> > 
> > So, *nothing* is alerting at all, or just not portscans and ICMP large
> > packets?
> > 
> > What sort of connectivity do you have?
> > 
> > hmm..
> >  
> > [toot at ...2057... /]# host 128.198.172.82
> > 82.172.198.128.in-addr.arpa. domain name pointer multimedia.cs.uccs.edu.
> > 
> > Do you have a new IP address assigned by DHCP every so often?
> > 
> > 
> > > I checked the snort.conf file and the homenet was configured
> > > correctly (same as what I use for the -h option on the command line).
> > > 
> > > When I run snort:
> > > snort -dev -l /var/log/snort -h 192.168.0.2/16 -c snort.conf
> > > 
> > > It didn't raise any error and it reads in all the rules.
> > > 
> > > When I run snort without the config file:
> > > snort -dev -l /var/log/snort
> > > - it accurately created the dest & source IP directories and logged
> > > the packets into those directories.
> > > 
> > > Any idea where I should look into the problem?
> > > 
> > > 2. After getting the alert working, I'd like to test every single one
> > > of the rules in snort but I don't know the various types of intrusion
> > > very well. Is there any test case available that can help me get
> > > started? (e.g. run a nmap -sS....and the portscan alert will be
> > > raised; run a ping ... and a xx alert will be raised...)
> > 
> > Many of the snort rules look for symptoms of specific exploits.
> > 
> > You can't test for these without running a given exploit against your
> > system.
> > 
> > nmap will scan ports in various ways, but not test all snort rules, by
> > any means.
> > 
> > I'm not aware of any method to actually test each and every rule...
> > 
> > 
> > HTH..
> > 
> > 
> > - John
> > -- 
> > Why, yes, I talk to birds. I speak fluent finch.
> > 
> > PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
> > Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
> 
> 


=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
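John's point that most rules need the real exploit stands, but the rules that key on packet size or a fixed content string can be exercised deterministically: craft the packet once, save it as a pcap, and replay it with `snort -r` against the same snort.conf. Replaying a file also takes the live interface and the HOME_NET guesswork out of the loop, which matters in this thread because the stock "ICMP Large ICMP Packet" rule (dsize greater than 800 in the 1.8-era icmp.rules; check the threshold in your copy) only matches traffic from $EXTERNAL_NET into $HOME_NET, so the addresses in the capture must fall inside whatever -h or snort.conf declares as HOME_NET or the rule never fires. The following script is an added example, not from the thread or the Snort project: it builds two ICMP echo requests with correct IPv4 and ICMP checksums, one with a 1000-byte payload (should alert) and one with an ordinary 56-byte ping payload (should not), and writes them to a classic libpcap file. The source and destination addresses, the output filename and the 800-byte threshold constant are assumptions for illustration.

```python
"""Craft a pcap that should trip a size-based Snort rule, for replay with snort -r."""
import socket
import struct
import time

# Assumed (hypothetical) addresses: source outside HOME_NET, target inside the
# 192.168.0.0/16 HOME_NET used in the thread. Change to match your snort.conf.
EXTERNAL_SRC = "10.99.99.99"
HOME_DST = "192.168.0.2"
LARGE_THRESHOLD = 800   # assumed dsize threshold of the large-ICMP rule
LARGE_PAYLOAD = 1000    # comfortably above the threshold: should alert
SMALL_PAYLOAD = 56      # default Linux ping payload: should stay quiet
PCAP_LINKTYPE_ETHERNET = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, payload_len: int,
                    ident: int = 0x1234, seq: int = 1) -> bytes:
    """Return a raw IPv4 packet carrying an ICMP echo request with payload_len data bytes."""
    payload = bytes(i & 0xFF for i in range(payload_len))       # constructed filler
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload  # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(icmp), 0xABCD, 0, 64,
                         socket.IPPROTO_ICMP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def icmp_data_size(ip_packet: bytes) -> int:
    """Bytes after the ICMP header: the value Snort's dsize keyword compares against."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    return total_len - ihl - 8


def verify_checksums(ip_packet: bytes) -> bool:
    """A header whose checksum field is filled in re-sums to zero."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    return (inet_checksum(ip_packet[:ihl]) == 0
            and inet_checksum(ip_packet[ihl:total_len]) == 0)


def wrap_ethernet(ip_packet: bytes) -> bytes:
    """Prepend a dummy Ethernet II header (ethertype 0x0800) so the pcap is DLT_EN10MB."""
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip_packet


def build_pcap(frames, ts_sec: int = None) -> bytes:
    """Serialize frames as a classic libpcap file (magic 0xa1b2c3d4, microsecond stamps)."""
    ts = int(time.time()) if ts_sec is None else ts_sec
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, PCAP_LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, i, len(frame), len(frame)) + frame
    return out


def pcap_frame_lengths(data: bytes) -> list:
    """Walk a pcap file back and return each record's captured length (round-trip check)."""
    lengths, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        lengths.append(incl_len)
        pos += 16 + incl_len
    return lengths


def make_test_frames() -> list:
    """One frame that should alert on the large-ICMP rule, one that should not."""
    return [wrap_ethernet(build_icmp_echo(EXTERNAL_SRC, HOME_DST, LARGE_PAYLOAD)),
            wrap_ethernet(build_icmp_echo(EXTERNAL_SRC, HOME_DST, SMALL_PAYLOAD))]


if __name__ == "__main__":
    with open("icmp_large.pcap", "wb") as fh:   # assumed output filename
        fh.write(build_pcap(make_test_frames()))
    for frame in make_test_frames():
        size = icmp_data_size(frame[14:])
        print("ICMP data size %4d bytes -> %s" % (
            size, "expect alert" if size > LARGE_THRESHOLD else "expect no alert"))
```

Replay it with the same configuration the live sensor uses, then look for the alert in the log directory: `snort -r icmp_large.pcap -c snort.conf -l /tmp/snortlog` followed by `grep "Large ICMP" /tmp/snortlog/alert`. If the large packet alerts on replay but not on the wire, the rule set is fine and the problem is the interface, HOME_NET, or addressing on the live sensor; if it does not alert even on replay, the addresses in the file do not satisfy the rule's $EXTERNAL_NET -> $HOME_NET direction or the rule is not in the loaded set. The same approach extends to any content-matching rule: put the byte string the rule's `content:` keyword expects into a TCP or UDP payload instead of an ICMP one.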
