[Snort-users] Help with a config file please?

snort at ...8664...
Fri Apr 4 12:49:03 EST 2003


Christopher,

Thanks for the info. I went ahead and changed those things (added Alert to
the list and enabled portscan and portscan2), but I am still seeing no
alerts come up. I have all logging going to the same MySQL db, and I use
adodb & ACID to run the reports.
I send nmap scans from one of my Linux boxes w/ the following parameters:

nmap -sS -O -P0 -v 1.2.3.4

nmap gets all the ports that the system has open just fine and it
fingerprints the OS perfectly (Win XP Pro RC1 or later), but the ACID
console on the system still shows nothing. I used www.auditmypc.com to run a similar
scan and no alerts show, ditto w/ grc.com.

Now, just as info, I have 2 lines in the conf file for the logging: one that
sends log to MySQL and another that sends alert to the same MySQL db. Is
that permissible, or do I have to stick to a single line?

Carlos


> I'm sure someone else already answered this, but here is my two cents:
>
> 1)  You do not specify an alert facility in your snort.conf.  So unless you
> have something that reads your MySQL database looking for new log events,
> you'll never get an alert.
>
> 2)  You have enabled neither the portscan nor the portscan2
> preprocessor.  My understanding (I could be wrong) is that without either of
> these, Snort will not catch NMAP sweeps of your network.
>
> 3)  As an FYI:  Port scans are logged to the alert facility, not the log
> facility, in Snort.  So you're back to item #1.
>
> Cheers!
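The configuration the reply describes, as an added snort.conf fragment that is not from the original thread: both output database lines (log and alert to the same MySQL database are permitted side by side) plus the portscan preprocessors. It assumes a Snort 1.9/2.0-era config, that $HOME_NET is defined earlier in the file, and placeholder database credentials.

```conf
# Added example (not from the original thread); credentials are placeholders.
# Output plugins: a "log" line and an "alert" line to the same MySQL
# database may both be present; each selects a different facility.
# Port-scan events from the preprocessors go to the alert facility, so
# the alert line is the one that makes them reach the database (and ACID).
output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost
output database: alert, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost

# portscan: alert when 4 ports on $HOME_NET are touched within 3 seconds,
# and write scan details to portscan.log in the Snort log directory.
preprocessor portscan: $HOME_NET 4 3 portscan.log

# portscan2 tracks sessions through the conversation preprocessor, so
# conversation must be loaded first; values are the stock snort.conf defaults.
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
```

Without the `alert` output line, a portscan or portscan2 detection is generated but never written to the database, which matches the symptom of a clean ACID console despite a successful nmap sweep.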
