[Snort-users] Several Questions About Snort Operation

jon baer security at ...9153...
Fri Sep 19 14:37:27 EDT 2003


could really be anything affecting your problem but ...

according to your conf you are only logging "log" directives and not alerts
(line 40), add this:

output database: alert, mysql, user=root password= dbname=snort_db host=localhost

also in case there are any arp/dhcp/ip problems for testing try to change
var HOME_NET to "any".

- jon
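A quick way to check a snort.conf for the two points raised in this reply, as an added example that is not from the thread: which facilities have an "output database:" line (only "log" means alerts never reach snort_db, which matches the empty database and blank ACID console) and what HOME_NET is set to. Both config files are constructed samples; the "fixed" one carries the alert line suggested above.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a snort.conf routes
# alerts, and not only "log" output, to the database, and report HOME_NET.
# Both configs below are constructed samples.

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
BROKEN_CONF="$tmpdir/snort-log-only.conf"
FIXED_CONF="$tmpdir/snort-alert.conf"

cat > "$BROKEN_CONF" <<'EOF'
var HOME_NET 192.168.1.0/24
# only the log facility is wired to MySQL; alerts never reach snort_db
output database: log, mysql, user=root password= dbname=snort_db host=localhost
EOF
{ cat "$BROKEN_CONF"; echo 'output database: alert, mysql, user=root password= dbname=snort_db host=localhost'; } > "$FIXED_CONF"

# List the facilities ("alert", "log") that have an "output database:" line,
# one per line, sorted and de-duplicated.
db_output_facilities() {
    sed -nE 's/^[[:space:]]*output[[:space:]]+database:[[:space:]]*([a-z]+).*/\1/p' "$1" | sort -u
}

# Exit 0 when some "output database:" line uses the alert facility.
alerts_reach_db() {
    grep -Eq '^[[:space:]]*output[[:space:]]+database:[[:space:]]*alert' "$1"
}

# Print the HOME_NET value (first definition wins).
home_net() {
    sed -nE 's/^[[:space:]]*var[[:space:]]+HOME_NET[[:space:]]+(.*)$/\1/p' "$1" | head -n 1
}

for conf in "$BROKEN_CONF" "$FIXED_CONF"; do
    echo "== $conf"
    echo "database facilities: $(db_output_facilities "$conf" | tr '\n' ' ')"
    if alerts_reach_db "$conf"; then
        echo "alerts are written to the database"
    else
        echo "alerts are NOT written to the database (only log output is)"
    fi
    echo "HOME_NET is $(home_net "$conf")"
done
```

Run it against a real /etc/snort/snort.conf by pointing the functions at that path instead of the constructed samples.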

----- Original Message -----
From: "Kaplan, Andrew H." <AHKAPLAN at ...10063...>
To: "'jon baer'" <security at ...9153...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, September 19, 2003 9:00 AM
Subject: RE: [Snort-users] Several Questions About Snort Operation


> Hi Jon,
>
> I ran a check of the snort.conf file and everything appears to be in order.
> Just in case I missed something, I've included it as an attachment in this
> e-mail for your perusal. As far as eth0 running in promiscuous mode, the
> syntax you mentioned in your e-mail had been entered into the rc.local file.
> I checked the /var/log/messages file, and confirmed that eth0 was running in
> promiscuous mode. Thanks again for the help.
>
> -----Original Message-----
> From: jon baer [mailto:security at ...9153...]
> Sent: Thursday, September 18, 2003 4:14 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Several Questions About Snort Operation
>
>
> what does your snort.conf file look like? @ along the bottom somewhere u
> should have the output processor set to log to mysql (output database:
> alert,mysql, [credentials])
>
> also make sure that interface eth0 is put into promiscuous mode (ifconfig
> eth0 promisc)
>
> - jon
>
> ----- Original Message -----
> From: "Kaplan, Andrew H." <AHKAPLAN at ...10063...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Thursday, September 18, 2003 4:39 PM
> Subject: [Snort-users] Several Questions About Snort Operation
>
>
> > Hi there,
> >
> > I got Snort installed onto my system and when I run the binary from the
> > shell prompt it appears that Snort is running. The syntax that I used is:
> >
> > ./snort -A full -i eth0 -c /etc/snort/snort.conf -v
> >
> > There are some things that I am not sure about:
> >
> > 1. I have the ACID program up and running but I am not getting
> > information to display on the screen.
> > 2. When I checked the snort_db database under MySQL there was no data.
> > This probably explains the situation on item 1.
> > 3. What, if anything, do I need to load on remote machines in order for
> > the Snort server to be able to check things out on them?
> >
> > Essentially it appears Snort does run on my system, but there is no data
> > being generated within the database and consequently nothing is appearing
> > on the ACID console.
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
>