[Snort-users] oh, come on

Shawn Truax Shawn.Truax at ...8509...
Fri Sep 26 10:53:18 EDT 2003


Assuming everything is working and installed properly, I would recommend checking two things.  One, run a tcpdump on the interface that Snort is running on to make sure that there is traffic for Snort to process.  I have done this myself a couple of times when I have had multiple interfaces and set the wrong one by mistake.

Two, I would make sure you have Snort rules turned on.  Snort might be processing the data, but there are no rules set for it to trigger on, or there is just no traffic triggering the rules.  Some days one of my sensors will go for hours without a rule trigger just because the traffic does not contain anything I am looking for.  What I do is create a rule that triggers on all traffic: alert ip any any -> any any (msg:"Test Rule"; sid:1234567;).  Turn the rule on and let Snort run.  See if you are getting alerts, and if you are, turn the rule back off.  Warning: don't let this rule run for very long or unattended; it will fill up your database and hard drive fast if you forget about it.

If everything above turns out OK, check your connection to the database.  Off the top of my head I am not too sure where everything is located to do this.  I believe Red Hat puts error messages in the messages log file; if there are problems, check there.  You can use the mysqladmin ping command to make sure the database is running.

Oh, and make sure you have set the output plug-in properly for Snort.  It should look something like this:

output database: alert, mysql, user=[database_login] password=[database_password] dbname=[database_name] host=[ip_of_database_computer] port=3306 sensor_name=[insert_sensor_name_here] detail=full

Hope this helps some, or at least gets you started.

Shawn
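
The checks above, as a small script.  This is an added example, not code from the original post or from the Snort project.  The snort.conf path, the interface name, the 15 second tcpdump timeout and the database details are illustrative assumptions passed in as arguments; the snort.conf fragment used to try it out is constructed here for the example.

```sh
#!/bin/sh
# snort-zero-hits.sh: sanity checks for the "ACID shows 0 hits" situation, in the
# order of the reply above: traffic on the interface, rules really included, a
# catch-all test rule, the output plug-in line present, database reachable.
# Added example (not from the post or the Snort project).  Paths, interface and
# database details are assumptions supplied on the command line.

# Print the first active "output database:" line of a snort.conf (empty if none).
get_output_line() {
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1" | head -n 1
}

# Print the value of key=value from an output line, e.g. output_param "$line" host
output_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Verify the output line exists and carries the parameters the mysql plug-in
# needs.  Prints what is missing; returns 1 if anything is.
check_output_line() {
    line=$(get_output_line "$1")
    if [ -z "$line" ]; then
        echo "no active 'output database:' line in $1"
        return 1
    fi
    rc=0
    for key in user dbname host; do
        if [ -z "$(output_param "$line" "$key")" ]; then
            echo "output database line is missing $key="
            rc=1
        fi
    done
    return $rc
}

# Count rule files that are really included (commented-out includes don't count).
# Zero means Snort has nothing to trigger on, whatever the traffic looks like.
count_rule_includes() {
    grep -cE '^[[:space:]]*include[[:space:]]+.*\.rules' "$1" || :
}

# Write the catch-all test rule.  A Snort rule needs a protocol field, so "ip"
# is used to match every packet.  Include this file only briefly: it alerts on
# everything and will fill the database and disk if left running.
write_test_rule() {
    printf '%s\n' 'alert ip any any -> any any (msg:"Test Rule"; sid:1234567; rev:1;)' > "$1"
}

# Is there any traffic on the interface Snort is sniffing?  Returns 0 once five
# packets are seen, non-zero if nothing arrives within the assumed 15 s timeout.
check_traffic() {
    timeout 15 tcpdump -n -c 5 -i "$1" >/dev/null 2>&1
}

# Can the sensor reach the database with the credentials from the output line?
# (The password is visible in the process list for the duration of the call.)
db_ping() {
    mysqladmin -h "$1" -u "$2" -p"$3" ping
}

main() {
    conf=$1; iface=$2
    if check_traffic "$iface"; then echo "traffic seen on $iface"; else echo "NO traffic seen on $iface"; fi
    echo "rule files included: $(count_rule_includes "$conf")"
    check_output_line "$conf" || return 1
    line=$(get_output_line "$conf")
    db_ping "$(output_param "$line" host)" "$(output_param "$line" user)" "$(output_param "$line" password)"
}

# Usage: sh snort-zero-hits.sh /etc/snort/snort.conf eth0
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it with the real snort.conf and the sniffing interface; a "NO traffic" line points at the wrong-interface case, a zero include count at the no-rules case, and a failing mysqladmin ping at the database connection.  Write the test rule to its own file, add an include for it, and remove that include again as soon as alerts appear.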


>>> "Raymond Norton" <admin at ...10144...> 09/24/03 02:27pm >>>
Being the novice I am with compiling and diagnosing errors, I was really
proud of myself when I followed the Red Hat 9.0 install docs and got
everything working. httpd, mysql, and snort are all running without
complaint. I pulled up the nice ACID page and commenced to do a port scan,
but Snort does not respond to it. My page stays the same (0 hits). I looked
over the FAQ to see what might be there, and verified that I have everything
set right. I substituted "log" with "alert" in the snort.conf without any
luck.

Any idea what I should be looking at to diagnose the problem?

Raymond



