[Snort-users] newbie snort user on windows xp needs help please

Scott Weeks surfer at ...6173...
Fri Jun 28 12:40:03 EDT 2002

Hello everyone,

Hopefully useful info for the other newbie users of IDS and Snort...  I
had downloaded the program from snort.org, but the documentation I was
looking for is located at www.packx.net.  It explains a lot of the
questions that I was having.  Thanks to Michael for his help and to the
list members for your time and mailbox space...  :-)


On Wed, 26 Jun 2002, Michael Steele wrote:

: Scott,
: The way you are running Snort will not allow Snort to generate alerts to
: the screen.
: The rules are correct and you should be generating an enormous amount of
: traffic. Use your browser to generate the traffic. Make sure you have
: activated your custom rules in your Snort.conf. Also, when you add
: rules, be sure to restart snort.
: After you run snort and generate some traffic, stop snort and use a text
: editor to check your alert.ids file and see if there are alerts being
: entered. They will be time stamped.
: If you really want to get the feel of Snort and have a better
: understanding of how things work, you might want to do a manual install.
: All the programs you are using are available outside of the installer.
: There is a LOT of documentation out there for Snort and Windows, but not
: nearly as much as there is for *nix. Try doing a search on Google for
: some key words or phrases.
: Also, I have never used that installer so some of the above may not
: apply.
: -Michael
:  Michael Steele | System Engineer / Support Technician
:  mailto:michaels at ...155...
:  Silicon Defense: IDS solutions - http://www.silicondefense.com
:  Snort: Open Source Network IDS - http://www.snort.org
: -----Original Message-----
: From: Scott Weeks [mailto:surfer at ...6173...]
: Sent: June 26, 2002 8:22 PM
: To: Michael Steele
: Cc: snort-users at lists.sourceforge.net
: Subject: RE: [Snort-users] newbie snort user on windows xp needs help please
: On Wed, 26 Jun 2002, Michael Steele wrote:
: : Scott,
: :
: : There are a multitude of new people visiting this list every day, or I
: : would hope. The information, no matter how trivial, will help someone. It
: : will also help people to better understand Snort and what works and what
: : doesn't work, and hopefully that knowledge will better the Snort
: : community.
: :
: : How I usually, and I'm sure most of the tech's that monitor this list
: : deal with posting is; not only to reply back to the list but to CC the
: : poster so he or she can get the required information the quickest
: : possible way.
: Hello list members,
: Here's the gist of my problem...
: I am finding documentation for Windows lacking.  I'm using XP Home Edition
: (unfortunately) and IDScenter 1.09 Beta 1.3.  (Beta.  Maybe that's my
: problem?) on my home computer, so I can get used to using SNORT in
: preparation for an interview I have coming up.  Just to get some traffic
: generated I put in the following rules:
:    log tcp any any <> any any (msg: "test";)
:    alert tcp any any <> any any (msg: "test";)
: These are in the "IDS rules" part of the GUI interface.  In the
: "Logs/Alerts" section I left the path unchanged:
:    C:\Program Files\IDS_systems\Sourcefire\log\alert.ids
: In the "General Setup" window I click on "Create Script" and everything's
: OK. For the IP I use the "Select" button and check with the "Command
: Prompt" (DOS screen) using the ipconfig command, so I know it's the
: correct one.  (My ISP uses DHCP.)  I also used the "Test Configuration"
: button for sanity's sake.  All is good.
: When I click "Start Snort" a DOS window opens up and remains open.  I'm
: assuming that the "alert" rule should cause things to show up in that
: window and the "log" rule should cause the same entries to show up in the
: "alert.ids" file, and those should be able to be seen when clicking on the
: "View Alerts" button.  However, nothing shows up on the DOS screen, nor does
: anything show up in the "View Alerts" window when I put the path to the
: file "C:\Program Files\IDS_systems\Sourcefire\log\alert.ids" in the
: "Search alert log" box.
: Thanks,
: scott
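As an added example (not code from the thread, from Snort or from IDScenter): a small Python script that parses the two test rules Scott posted and the kind of timestamped alert lines Michael tells him to look for in alert.ids. It shows why a `tcp any any <> any any` header fires on every TCP packet, that only the `alert` rule produces alert-file entries while the `log` rule writes packet logs instead, and how to check whether alerts with timestamps are actually being written. The alert lines follow Snort's "fast" alert format; the sample lines, addresses and `[gid:sid:rev]` values are constructed for illustration.

```python
"""Parse Snort rule headers and fast-format alert lines (added example).

Not code from the thread or from Snort/IDScenter; the sample alert lines and
their [gid:sid:rev] values below are constructed for illustration.
"""
import re
from collections import Counter

# Snort rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Snort "fast" alert line, e.g.
# 06/26-20:22:01.123456  [**] [1:1000001:1] test [**] {TCP} 192.168.1.10:1234 -> 10.0.0.5:80
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<sig>[^\]]*)\]\s+)?(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[[^\]]*\])*\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_rule(line):
    """Split one rule into its header fields and a dict of rule options."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule header: {line!r}")
    rule = m.groupdict()
    options = {}
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule


def matches_all_traffic(rule):
    """True when the header carries no constraint at all: any host, any port,
    both directions. That is why the thread's test rule fires on every TCP
    packet Snort sees, and why a browser session is enough to trigger it."""
    return (rule["dir"] == "<>" and
            all(rule[k] == "any" for k in ("src", "sport", "dst", "dport")))


def writes_to_alert_file(rule):
    """Only 'alert' rules produce entries in the alert file; a 'log' rule
    writes packet logs to the log directory instead."""
    return rule["action"] == "alert"


def summarize_alerts(lines):
    """Walk alert-file lines and report how many alerts fired, for which
    messages, and the first/last timestamps seen. Lines that are not
    fast-format alerts are counted as skipped rather than raising."""
    by_msg = Counter()
    timestamps = []
    skipped = 0
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            if line.strip():
                skipped += 1
            continue
        by_msg[m.group("msg")] += 1
        timestamps.append(m.group("ts"))
    # Fast-format timestamps omit the year (Snort adds it only with -y), so
    # ordering them as strings is only valid within one calendar year.
    return {
        "total": sum(by_msg.values()),
        "by_msg": dict(by_msg),
        "first": min(timestamps) if timestamps else None,
        "last": max(timestamps) if timestamps else None,
        "skipped": skipped,
    }


# Constructed sample: what alert.ids could look like after a short browser session.
SAMPLE_ALERTS = """\
06/26-20:22:01.123456  [**] [1:1000001:1] test [**] {TCP} 192.168.1.10:1234 -> 10.0.0.5:80
06/26-20:22:01.234567  [**] [1:1000001:1] test [**] {TCP} 10.0.0.5:80 -> 192.168.1.10:1234
06/26-20:22:03.000001  [**] [1:1000001:1] test [**] {TCP} 192.168.1.10:1235 -> 10.0.0.5:80
"""

if __name__ == "__main__":
    for text in ('log tcp any any <> any any (msg: "test";)',
                 'alert tcp any any <> any any (msg: "test";)'):
        r = parse_rule(text)
        print(r["action"], r["options"]["msg"],
              "matches-all" if matches_all_traffic(r) else "scoped",
              "-> alert file" if writes_to_alert_file(r) else "-> packet log")
    print(summarize_alerts(SAMPLE_ALERTS.splitlines()))
```

Point `summarize_alerts` at the real alert.ids (for example `summarize_alerts(open(path).read().splitlines())`) after stopping Snort, as Michael suggests; a non-zero `total` with sensible `first`/`last` timestamps confirms the rules are loaded and firing even when nothing appears in the console window.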
