[Snort-users] Help with a config file please?

L. Christopher Luther CLuther at ...6333...
Fri Apr 4 13:43:05 EST 2003


Either send Snort log data to MySQL or alert data to MySQL but not both [0].


Q: Have you run Snort in its sniffer mode (e.g., snort -i1 -v) to see if the
traffic from your scans and 'attacks' is even being seen by Snort?

Q: Have you looked directly into the MySQL database to see if the Snort DB
event table actually has any data in it?  

I'm not an ACID popper ;) so I cannot help you much w/ why ACID does not see
any alerts, but from previous posts to this list, I can safely say that it's
often best to rollback your config to something simpler, say alerting to a
text file, while trying to diagnose Snort problems.  

- Christopher 

[0] - http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
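
An added configuration check, not part of this thread or of the Snort project, that turns the three points raised in it into a script: there must be an alert facility, portscan or portscan2 must be enabled, and the log and alert facilities should not both be sent to the same MySQL database [0]. It parses the Snort 2-era `output database: <log|alert>, <dbtype>, <params>` and `preprocessor <name>` directives; the snort.conf fragments inside it are constructed to resemble Carlos's description, and the credentials, database name and paths in them are placeholders.

```python
"""Sanity-check the output and preprocessor directives of an early Snort 2
snort.conf against the three points raised in this thread (added example)."""
import re

# Constructed sample resembling the configuration described in the thread:
# both the log and the alert facility go to one MySQL database, there is no
# other alert output, and the portscan preprocessors are commented out.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
#preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
#preprocessor portscan2: scanners_max 3200, targets_max 5000
output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost
output database: alert, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost
include $RULE_PATH/scan.rules
"""

# Constructed corrected variant: one facility to MySQL, portscan enabled.
FIXED_CONF = """\
var HOME_NET 192.168.1.0/24
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
output database: alert, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost
include $RULE_PATH/scan.rules
"""

OUTPUT_RE = re.compile(r"^output\s+(\w+)\s*:\s*(.*)$")
PREPROC_RE = re.compile(r"^preprocessor\s+(\w+)")


def parse_snort_conf(text):
    """Return (outputs, preprocs) for the active, uncommented directives.

    outputs  -> list of {"plugin", "facility", "params"}; for the database
                plugin the facility is the first comma-separated token
                (log|alert) and params holds its key=value pairs.
    preprocs -> set of enabled preprocessor names.
    """
    outputs, preprocs = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OUTPUT_RE.match(line)
        if m:
            plugin, rest = m.group(1), m.group(2)
            if plugin == "database":
                fields = [f.strip() for f in rest.split(",")]
                facility = fields[0]
                params = dict(p.split("=", 1) for p in fields[-1].split() if "=" in p)
            else:
                # alert_fast, alert_syslog, ... feed the alert facility;
                # log_tcpdump and friends feed the log facility.
                facility = "alert" if plugin.startswith("alert") else "log"
                params = {}
            outputs.append({"plugin": plugin, "facility": facility, "params": params})
            continue
        m = PREPROC_RE.match(line)
        if m:
            preprocs.add(m.group(1))
    return outputs, preprocs


def check_config(text):
    """Return a list of findings; an empty list means the three checks pass."""
    outputs, preprocs = parse_snort_conf(text)
    findings = []

    # Item 1 of the quoted reply: port scans go to the alert facility, so
    # without an alert output they are never reported anywhere.
    if not any(o["facility"] == "alert" for o in outputs):
        findings.append("no alert output configured; port scans will never be reported")

    # Christopher's point [0]: send log OR alert to MySQL, not both.
    db_targets = {}
    for o in outputs:
        if o["plugin"] == "database":
            key = (o["params"].get("host", "localhost"), o["params"].get("dbname", ""))
            db_targets.setdefault(key, set()).add(o["facility"])
    for (host, dbname), facilities in db_targets.items():
        if {"log", "alert"} <= facilities:
            findings.append(
                f"both log and alert facilities write to mysql db '{dbname}' on {host}; use one or the other"
            )

    # Item 2: without portscan or portscan2, nmap sweeps are not detected.
    if not preprocs & {"portscan", "portscan2"}:
        findings.append("neither portscan nor portscan2 preprocessor is enabled")

    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(name, check_config(conf) or ["ok"])
```

Run it against your own snort.conf by reading the file into `check_config`; the findings mirror the items in this thread, so an empty list means the obvious configuration causes have been ruled out and the next step is the sniffer-mode and event-table questions above.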


-----Original Message-----
From: snort at ...8664... [mailto:snort at ...8664...]
Sent: Friday, April 04, 2003 3:49 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Help with a config file please?


Christopher,

Thanks for the info. I went ahead and changed those things (added Alert to
the list and enabled portscan and portscan2) but I am still seeing no
alerts come up. I have all logging going to the same mysql db, and I use
adodb & ACID to run the reports.
I send nmap scans from one of my linux boxes w/ the following parameters

nmap -sS -O -P0 -v 1.2.3.4

nmap gets all the ports that the system has open just fine and it
fingerprints the OS perfectly (Win XP Pro RC1 or later) but the system ACID
console shows nothing still. I used www.auditmypc.com to run a similar
scan and no alerts show, ditto w/ grc.com.

Now just as info, I have 2 lines in the conf file for the logging: one that
sends log to mysql and another that sends alert to the same mysql db. Is
that permissible or do I have to stick to a single line?

Carlos


> I'm sure someone else already answered this, but here is my two cents:
>
> 1)  You do not specify an alert facility in your snort.conf.  So unless you
> have something that reads your MySQL database looking for new log events,
> you'll never get an alert.
>
> 2)  You have enabled neither the portscan nor the portscan2
> preprocessor.  My understanding (I could be wrong) is that without either of
> these, Snort will not catch NMAP sweeps of your network.
>
> 3)  As an FYI:  Port scans are logged to the alert facility not the log
> facility in Snort.  So you're back to item #1.
>
> Cheers!

