[Snort-users] No update in time window.
cristian.kutscherauer at ...9646...
Fri Jul 18 05:36:12 EDT 2003
Hi Erek, looks like you are on the right track. Running Snort with "-v" and
without the daemon option shows it snorting OK. However, no new
entries/alerts are being generated in /var/log/alert.
I forgot to mention, I'm a newbie to Snort. How do I check the ACID sensor
and whether the Snort rules are in fact activated?
Thanks a lot, Erek.
Erek Adams wrote:
>On Tue, 15 Jul 2003, Cristian Kutscherauer wrote:
>>Snort was running nicely, but after a machine reboot it is no longer
>>updating the alerts.
>>- In ACID it reports the "Queried on" field correctly. The "Time
>>  Window" field is no longer updated (it got stuck on a specific date).
>>- There are new alerts reported.
>>- Snort 2.0.0 (build 72).
>>- Snort is listed in ps.
>>- Snorting on interface eth1.102 (with no IP). tcpdump -i eth1.102 shows
>>- Snort start log says everything is okay (except that eth1.102 has no IP).
>I don't think the issue is with Snort. I think it's an ACID issue + db
>output plugin. Check your config, make sure you're giving a sensor ID.
>Did you add or change a BPF filter? If so, that's your problem. The db
>plugin or ACID builds a sensor ID if there isn't one by using the machine
>name and any BPF filters that you have. If those change, then it changes
>the sensor ID.
>To make sure about the problem, run a second copy of Snort w/o the db
>output. Have it log to disk. If it does, then you know that Snort is
>working fine, and that the problem is in the config.
> "When things get weird, the weird turn pro." H.S. Thompson
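The diagnostic Erek suggests (a second Snort copy with the database output plugin removed, logging alerts to disk, then checking whether the alert file grows) and the sensor-table check, written up as a script. This is an added example, not code from either poster or from the Snort project. It assumes snort and mysql are in PATH, that the interface is eth1.102 as in the thread, and that the config path, scratch directory, run length and database credentials (CONF, SCRATCH, DURATION, DBUSER, DBPASS, DBNAME) are placeholders to adjust; the sensor table columns are those of the standard Snort database schema.

```shell
#!/bin/sh
# Added example for the Snort-users thread above; not the posters' own code.
# Assumptions: snort/mysql in PATH; values below are placeholders to adjust.
IFACE="${IFACE:-eth1.102}"
CONF="${CONF:-/etc/snort/snort.conf}"
SCRATCH="${SCRATCH:-/tmp/snort-diskcheck}"
DURATION="${DURATION:-120}"
DBUSER="${DBUSER:-snort}"
DBPASS="${DBPASS:-snort}"
DBNAME="${DBNAME:-snort}"

# Count alerts in a "-A fast" alert file: every fast-format alert carries the
# "[**]" marker, so count those lines. A missing file counts as zero.
count_alerts() {
    if [ -f "$1" ]; then
        grep -c '\[\*\*\]' "$1" || true
    else
        echo 0
    fi
}

# Print "yes" if the AFTER count exceeds the BEFORE count, else "no".
alerts_grew() {
    [ "$2" -gt "$1" ] && echo yes || echo no
}

# Write a copy of a snort.conf with every "output database:" line removed,
# so the second Snort copy logs to disk only (assumes rule includes use
# absolute paths, e.g. via $RULE_PATH).
strip_db_output() {
    grep -v '^[[:space:]]*output[[:space:]]*database' "$1" || true
}

# Run the second Snort for DURATION seconds with fast alerts to SCRATCH/alert,
# no packet logging (-N), and report whether the alert file grew.
disk_check() {
    mkdir -p "$SCRATCH"
    strip_db_output "$CONF" > "$SCRATCH/snort-nodb.conf"
    before=$(count_alerts "$SCRATCH/alert")
    snort -i "$IFACE" -c "$SCRATCH/snort-nodb.conf" -A fast -l "$SCRATCH" -N &
    pid=$!
    sleep "$DURATION"
    kill "$pid" 2>/dev/null
    after=$(count_alerts "$SCRATCH/alert")
    echo "alerts before=$before after=$after grew=$(alerts_grew "$before" "$after")"
}

# List the sensor rows the db plugin/ACID created. If a reboot produced a new
# row (different hostname, interface or filter), new events are attached to
# that new sid and the old sensor's time window stops advancing.
show_sensors() {
    mysql -u "$DBUSER" -p"$DBPASS" "$DBNAME" -e \
        'SELECT sid, hostname, interface, filter, last_cid FROM sensor;'
}

case "${1:-}" in
    disk-check) disk_check ;;
    sensors)    show_sensors ;;
esac
```

Run it as `sh snort-diskcheck.sh disk-check` while the normal daemon keeps running (both copies can sniff the same interface); if the count grows, Snort and the rules are fine and the problem is on the database/ACID side. `sh snort-diskcheck.sh sensors` then shows whether more than one sensor row exists for this host, which is the sensor-ID change Erek describes.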