[Snort-users] New Install

Michael Steele michaels at ...155...
Wed Jun 19 22:12:02 EDT 2002


Bill,

Make sure your rules are being detected.

Run this from a command prompt:

Snort -c full_path\snort.conf -l full_path\logs

The output will tell you if it's reading in the rules. You will need to CTRL/C to exit.

Michael Steele | System Engineer / System Administrator
mailto:michaels at ...155...
http://www.silicondefense.com


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Infinity
Sent: June 19, 2002 5:29 PM
To: Michael Steele
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] New Install

Thanks for the quick response.

I have a logs directory in place.
Problem is that even though I scan my SNORT sensor with LANGuard the ONLY alerts I see in alert.ids are X.11 traffic being shown as generated from SNORT sensor --> scanning machine. The port scan, NetBIOS enum, proxy check etc. are not showing up in the IDS log.

Shouldn't var HOME_NET any and var EXTERNAL_NET any and all the standard snort.conf include statements ensure various triggers should show up in my alerts.ids file?

I'm just wondering why the traffic from the scanning machine is not being ID'd by the rule sets. The interface sees it because with -dev I see it on my screen.

Thanks Michael.

~Bill
--- Michael Steele <michaels at ...155...>
wrote:
> Infinity,
> 
> Create a folder c:\logs
> 
> Cd to wherever you have snort and run this line:
> 
> Snort -c snort.conf -l c:\logs
> 
> Start snort and you should have an alert.ids file in the new logs folder
> 
> -Michael
> --
> Michael Steele | System Engineer / Support Technician
> mailto:michaels at ...155...
> Silicon Defense: IDS solutions - http://www.silicondefense.com
> Snort: Open Source Network IDS - http://www.snort.org
> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Infinity
> Sent: Wednesday, June 19, 2002 3:03 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] New Install
> 
> Hello list:
> 
> A new install of Snort Version 1.8.7b119 - Windows Release on Win2k Server. No modifications of snort.conf. Run from command line as follows:
> 
> snort -dev -c snort.conf
> 
> *Side Note: I had the same snort -W problem as several other posters. I traced it to my Cisco VPN Client, which I had uninstalled. After I uninstalled the VPN client - no problem. The VPN client had no effect on Sniffer Pro or Ethereal. I had a similar problem on a machine that was using PGP*
> 
> My question:
> 
> I see all traffic on screen when I scan the snort sensor. But no alerts are logged. Using LANGuard Network Scanner to scan the SNORT sensor, it only catches four X.11 events. It does not catch the NetBIOS enumerations, port scans, etc. It doesn't even trigger when I run a ping -t against it. According to the ICMP rules, shouldn't that at least trigger an alert?
> 
> Shouldn't this vanilla install trigger like mad? With HOME_NET any and EXTERNAL_NET any??
> 
> I see the traffic scrolling up my screen, so the interface is catching the packets. I CTRL-C the session and the summary shows 4 alerts (ALL X.11 alerts). And the traffic in the alert log file is shown as having originated from the snort machine -> scanning machine.
> 
> HELP!!! I'm a first time user, I've read through all the docs, and I thought my snort install should be going nuts when I scan it.
> 
> :(
> 
> TIA.



_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users