[Snort-users] Help with a config file please?

snort at ...8664... snort at ...8664...
Fri Apr 4 14:26:08 EST 2003


Christopher,

Ok I changed the conf to only send the log data to mysql – I am trying to
stick to the config that silicondefense.com puts out on
http://www.silicondefense.com/support/windows/winsnortdocs/WinSnortIIS.pdf
After re-reading that doc I also made a couple of other changes but so far
no luck on detecting all the nmap stuff that I am sending. I am now able
to see portscans going to the IP address of the snort device but still
nothing comes up when I sweep on the other IPs that I need to monitor.
When I run snort –v –i2 I see all the traffic going through that system
(there is a lot of traffic so I can’t simply see the portscan taking
place). When I use windump and I narrow down the scope of it to only
packets w/ a source of the machine that I am using to run nmap I am able
to see those packets then so I know that the stuff is in fact getting to
the snort device.
I took a look @ the mysql and there is data there from the portscan that I
sent to the ip address of the snort so at least the logging part is
talking place in one way shape or form.

For what is worth I have 2 nics on this system one to access the ACID
console that only has TCP/IP bound & its firewalled (MS) and the second to
run the monitor and that one has no bindings whatsoever.
Any ideas at to where I screwed up this config a really welcomed.

Carlos


> Either send Snort log data to MySQL or alert data to MySQL but not both
> [0].
>
>
> Q: Have you run Snort in its sniffer mode (e.g., snort -i1 -v) to see if
> the
> traffic from your scans and 'attacks' are even being seen by Snort?
>
> Q: Have you looked directly into the MySQL database to see if the Snort DB
> event table actually has any data in it?
>
> I'm not an ACID popper ;) so I cannot help you much w/ why ACID does not
> see
> any alerts, but from previous posts to this list, I can safely say that
> it's
> often best to rollback your config to something simpler, say alerting to a
> text file, while trying to diagnose Snort problems.
>
> - Christopher
>
> [0] - http://www.theadamsfamily.net/~erek/snort/logging_methods.txt





More information about the Snort-users mailing list