[Snort-users] No update in time window.

Cristian Kutscherauer cristian.kutscherauer at ...9646...
Fri Jul 18 05:36:12 EDT 2003


Hi Erek, looks like you are on the correct track. Running Snort with "-v" and 
without the Daemon option shows it snorting ok. However, no new 
entries/alerts are being generated in /var/log/alert.
I forgot to mention, I'm a newbie to Snort. How do I check the Acid Sensor 
and if Snort rules are in fact activated?

Tks a lot, Erek.
_CK

Erek Adams wrote:

>On Tue, 15 Jul 2003, Cristian Kutscherauer wrote:
>
>>Snort was running nicely but after a machine reboot it is no longer
>>updating the alerts.
>>
>>The symptoms:
>>- in Acid it reports correctly the "Queried on" field. The field "Time
>>Window" is no longer updated (it got stuck in a specific date).
>>- there are new alerts reported.
>>
>>The Environment:
>>- Snort 2.0.0 (build 72)
>>- Snort is listed in ps
>>- Snorting on interface eth1.102 (with no IP). tcpdump -i eth1.102 shows
>>traffic ok.
>>- Snort start log says everything okay (except that eth1.102 has no IP).
>
>I don't think the issue is with snort.  I think it's an ACID issue + db
>output plugin.  Check your config, make sure you're giving a sensor ID.
>
>Did you add or change a BPF filter?  If so, that's your problem.  The db
>plugin or ACID builds a sensor ID if there isn't one by using the machine
>name and any BPF filters that you have.  If those change, then it changes
>the sensor ID.
>
>To make sure about the problem, run a second copy of Snort w/o the db
>output.  Have it log to disk.  If it does, then you know that Snort is
>working fine, and that the problem is in the config.
>
>Cheers!
>
>-----
>Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson
>
>
>
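
A simplified model of the behaviour Erek describes above, as an added example that is not part of the original thread and is not Snort's or ACID's own code: when the sensor identity changes (here, a BPF filter is added), new alerts are filed under a new sensor ID and the old sensor's newest event timestamp stops moving. The table layout, the host name `ids01`, the filter string and the timestamps are constructed assumptions.

```python
import sqlite3

def open_db():
    """In-memory stand-in (assumed layout) for the alert database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sensor (sid INTEGER PRIMARY KEY AUTOINCREMENT,"
               " hostname TEXT, interface TEXT, filter TEXT)")
    db.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, timestamp TEXT)")
    return db

def sensor_id(db, hostname, interface, bpf_filter=None):
    """Return the sid matching this identity; create a new row if none matches."""
    row = db.execute(
        "SELECT sid FROM sensor WHERE hostname = ? AND interface = ?"
        " AND filter IS ?", (hostname, interface, bpf_filter)).fetchone()
    if row:
        return row[0]
    cur = db.execute(
        "INSERT INTO sensor (hostname, interface, filter) VALUES (?, ?, ?)",
        (hostname, interface, bpf_filter))
    return cur.lastrowid

def log_event(db, sid, timestamp):
    """Store one alert under the given sensor, numbering events per sensor."""
    cid = db.execute("SELECT COALESCE(MAX(cid), 0) + 1 FROM event WHERE sid = ?",
                     (sid,)).fetchone()[0]
    db.execute("INSERT INTO event VALUES (?, ?, ?)", (sid, cid, timestamp))

def sensor_report(db):
    """Per sensor: identity, event count, newest event. A stale newest-event
    value next to a second, newer sensor row is the symptom in this thread."""
    return db.execute(
        "SELECT s.sid, s.hostname, s.interface, s.filter, COUNT(e.cid),"
        " MAX(e.timestamp) FROM sensor s LEFT JOIN event e ON e.sid = s.sid"
        " GROUP BY s.sid ORDER BY s.sid").fetchall()

def demo():
    db = open_db()
    before = sensor_id(db, "ids01", "eth1.102")             # before the reboot
    log_event(db, before, "2003-07-10 09:00:00")
    log_event(db, before, "2003-07-11 17:30:00")
    after = sensor_id(db, "ids01", "eth1.102", "not port 22")  # filter added
    log_event(db, after, "2003-07-18 05:00:00")
    again = sensor_id(db, "ids01", "eth1.102", "not port 22")  # stable identity
    return before, after, again, sensor_report(db)

if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```
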