[Snort-users] Snort 1.8.7 does not log anything (OS: SuSE 8.1)

Michael Steele michaels at ...9077...
Wed Dec 10 07:29:02 EST 2003


Is there a specific reason why you're using such an outdated Snort?

Kindest regards, 

The WINSNORT.com Management Team
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Ralf Mellis
> Sent: Wednesday, December 10, 2003 5:51 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort 1.8.7 does not log anything (OS: SuSE 8.1)
> 
> Hello,
> 
> I'm very confused. I have set up Snort 1.8.7 on a test box successfully
> (SuSE Linux 8.1). If I run a nmap tcp scan from another box against the
> snort box, snort logs several events to the file
> "/var/log/snort/alert", as expected. Having tested things out, I
> have set up snort in exactly the same manner on my production box (SuSE
> 8.1, too). But here, snort does not log anything. If I do a nmap tcp
> scan against this box, there are absolutely no entries in the alert
> file. I have compared the configuration files and the start scripts:
> They are identical (no wonder, the same system...).
> The nmap scan is detected by the firewall (iptables) and scanlogd
> (exactly as on my test box). Although snort "sees" the packets
> even when the firewall is active, I have also tested the nmap scan with my
> firewall deactivated, but there was no change in behaviour: nothing is logged.
> The only difference (but I'm not sure whether this is relevant) is:
> The test box located in my home network has an ip (eth0) of
> 192.168.0.42/24. The production box is a root server directly connected
> to the internet, so the ip is xxx.xxx.xxx.xxx/32.
> Is it possible, that this fact produces the misbehaviour?
> 
> My relevant "snort.conf" entries (at this time not modified by myself,
> but system defaults):
> 
> var HOME_NET $eth0_ADDRESS
> var EXTERNAL_NET $HOME_NET
> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS $HOME_NET
> var RULE_PATH ./
> var SHELLCODE_PORTS !80
> var HTTP_PORTS 80
> var ORACLE_PORTS 1521
> preprocessor frag2
> preprocessor stream4: detect_scans, disable_evasion_alerts
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 -unicode -cginull
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor telnet_decode
> include classification.config
> include $RULE_PATH/bad-traffic.rules
> include ...
> 
> According to Snort FAQ 3.7, the variable $eth0_ADDRESS will be set
> to the ip/netmask of the interface which snort will be listening on...
> Snort is invoked on my system as:
> 
> /usr/bin/snort -d -D -i eth0 -l /var/log/snort -u snort -g snort -c
> /etc/snort/snort.conf
> 
> And eth0 is the active interface of my server.
> (In addition I have tested the "-p" switch, but without success, too.
> Snort is starting up without errors, as shown by the system log, but
> does not log anything.)
> 
> Where is my mistake?
> 
> Regards from (cold) Germany
> Ralf Mellis
> 
> 
> 
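As an added example (not code from this thread or from Snort itself): the snort.conf fragment quoted above defines EXTERNAL_NET as $HOME_NET and HOME_NET as $eth0_ADDRESS, so both variables expand to whatever network eth0 sits on. The script below models that expansion and the address fields of a rule header of the form Snort's scan rules use (`$EXTERNAL_NET any -> $HOME_NET any`, ports ignored), so the /24 test box and the /32 root server from the post can be compared side by side. Assumptions: $eth0_ADDRESS expands to network/netmask as the FAQ passage quoted in the post says; the interface and scanner addresses are constructed samples (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges standing in for the masked xxx.xxx.xxx.xxx/32 server); and the `!$HOME_NET` and `any` variants of EXTERNAL_NET are alternatives introduced here, not settings from the post.

```python
"""Model of Snort 1.8-style variable expansion and rule-header address
matching: what does `var EXTERNAL_NET $HOME_NET` do on a /24 host versus
a /32 host?  Added example, not code from the thread or from Snort.

Assumption (from the FAQ passage quoted in the post): $eth0_ADDRESS
expands to the interface's network in ip/mask form, so 192.168.0.42/24
becomes 192.168.0.0/24 while a /32 address becomes only that one host.
"""
import ipaddress

# Variable section of the snort.conf quoted in the post (constructed copy).
POSTED_CONF = {"HOME_NET": "$eth0_ADDRESS", "EXTERNAL_NET": "$HOME_NET"}

# Alternatives introduced here for comparison (not from the post).
FIXED_CONF = {"HOME_NET": "$eth0_ADDRESS", "EXTERNAL_NET": "!$HOME_NET"}
ANY_CONF = {"HOME_NET": "$eth0_ADDRESS", "EXTERNAL_NET": "any"}

# Stand-in for the header of a scan-detection rule such as
# `alert tcp $EXTERNAL_NET any -> $HOME_NET any (...)`; ports are ignored.
SCAN_RULE_HEADER = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"


def iface_address_var(iface_cidr: str) -> str:
    """Expand $<iface>_ADDRESS to network/prefixlen (assumed Snort behaviour)."""
    net = ipaddress.ip_network(iface_cidr, strict=False)
    return f"{net.network_address}/{net.prefixlen}"


def resolve_var(name: str, conf: dict, iface_vars: dict, seen=()) -> str:
    """Follow `var NAME $OTHER` chains; a leading '!' is kept on the result."""
    if name in iface_vars:
        return iface_vars[name]
    if name in seen:
        raise ValueError(f"circular variable definition: {name}")
    value = conf[name]
    negate = value.startswith("!")
    value = value.lstrip("!")
    if value.startswith("$"):
        value = resolve_var(value[1:], conf, iface_vars, seen + (name,))
    return ("!" if negate else "") + value


def addr_matches(spec: str, ip: str) -> bool:
    """Snort-style address spec: any | a.b.c.d/n | !spec | [spec,spec,...]."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(part, ip) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_header_matches(header: str, resolved: dict, src_ip: str, dst_ip: str) -> bool:
    """True if a packet src_ip -> dst_ip satisfies the header's address fields."""
    _action, _proto, src, _sport, direction, dst, _dport = header.split()

    def expand(token: str) -> str:
        negate = token.startswith("!")
        token = token.lstrip("!")
        value = resolved[token[1:]] if token.startswith("$") else token
        return ("!" if negate else "") + value

    forward = addr_matches(expand(src), src_ip) and addr_matches(expand(dst), dst_ip)
    if direction == "->":
        return forward
    if direction == "<>":
        reverse = addr_matches(expand(src), dst_ip) and addr_matches(expand(dst), src_ip)
        return forward or reverse
    raise ValueError(f"unknown direction {direction}")


def scan_would_alert(iface_cidr: str, scanner_ip: str, conf: dict = POSTED_CONF,
                     header: str = SCAN_RULE_HEADER) -> bool:
    """Would `header` fire for a scan from scanner_ip against the eth0 host?"""
    iface_vars = {"eth0_ADDRESS": iface_address_var(iface_cidr)}
    resolved = {name: resolve_var(name, conf, iface_vars) for name in conf}
    target_ip = iface_cidr.split("/")[0]
    return rule_header_matches(header, resolved, scanner_ip, target_ip)


if __name__ == "__main__":
    # Constructed sample hosts: the /24 test box from the post, and a /32
    # root server using RFC 5737 documentation space as a stand-in.
    cases = [
        ("test box, posted conf", "192.168.0.42/24", "192.168.0.10", POSTED_CONF),
        ("root server, posted conf", "203.0.113.5/32", "198.51.100.7", POSTED_CONF),
        ("root server, EXTERNAL_NET !$HOME_NET", "203.0.113.5/32", "198.51.100.7", FIXED_CONF),
        ("test box, EXTERNAL_NET !$HOME_NET", "192.168.0.42/24", "192.168.0.10", FIXED_CONF),
    ]
    for label, iface, scanner, conf in cases:
        home = iface_address_var(iface)
        print(f"{label:38s} HOME_NET={home:18s} alert={scan_would_alert(iface, scanner, conf)}")
```

Running it shows why the two boxes behave differently under the posted config: on the /24 test box a scanner on the same LAN falls inside HOME_NET, and therefore inside EXTERNAL_NET, so the header matches; on the /32 server nothing but the server itself is in either variable, so a scan from the internet matches neither side and no rule of that form can fire. Whether this is the actual cause on Ralf's server is not confirmed in the thread, but it is the first thing to check. Defining EXTERNAL_NET as !$HOME_NET makes the /32 case alert but stops the /24 test box from alerting on a same-subnet scanner; EXTERNAL_NET any matches in both, at the cost of more noise from local traffic.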