[Snort-users] Snort re-setup issues

Greg Webster greg at ...9390...
Thu Apr 29 16:48:04 EDT 2004


Thanks, but we got it solved. It ended up being a problem with the
switch and not having the server on the right vlan to listen to the
traffic properly :)

Cheers,

Greg

On Tue, 2004-04-27 at 17:32, Truax, Shawn (MBS) wrote:
> Hi Greg,
> 
> Can you put a copy of your snort.conf up to look at? As well, try
> running a tcpdump on your interface (eth0) to see if traffic is being
> captured. It seems from your email here you are not sure if Snort is
> actually seeing traffic.
> 
> Shawn Truax
> Security Specialist
> Corporate Security
> 155 University Ave.
> Toronto, Ontario
> M5H 3B7
> (416)327-1107
> 
> 
> -----Original Message-----
> From: Greg Webster [mailto:greg at ...9390...]
> Sent: April 27, 2004 5:53 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort re-setup issues
> 
> 
> Heya,
> 
> Maybe I just need to bounce this off someone for a sanity
> check...advice would be great.
> 
> Our old SNORT box completely died, so I was unable to get the config
> file from there to make this easy.
> 
> The real problem now is that it's not logging anything coming in.
> /var/log/snort/alert is empty.
> 
> Here's some quick facts to hopefully narrow down the solution:
> - Snort box IP address: 192.168.42.51 on eth0
> - eth0 is set to promiscuous mode
> - Snort is listening to 64.69.xxx.xxx/27
> - The log files are created and appropriate permissions are given
> (/var/log/snort)
> - I've tried to change Snort to listen to 192.168.42.0/24, and
> portscanning from another box in that network, but Snort didn't log
> it.
> - The box is behind two switches...
> 
> I haven't seen a solution in my searching...any thoughts on where to
> go next?
> 
> Thanks,
> 
> Greg
> 
> 
> 
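The tcpdump check suggested in this thread can also separate "Snort is misconfigured" from the cause that was eventually found (the sensor's switch port not receiving the monitored traffic). The script below is an added example, not part of the original messages: it classifies `tcpdump -nn` text output by whether each packet involves the sensor itself, is broadcast/multicast, or is unicast between other hosts. Assumptions: the function names and sample capture lines are constructed, and a destination ending in `.255` is treated as broadcast, which fits the /24 mentioned above.

```shell
#!/bin/sh
# Added example: does the sensor NIC see traffic between OTHER hosts?
# Live use (assumed interface/IP from the thread):
#   tcpdump -nn -i eth0 -c 200 | classify_capture 192.168.42.51

classify_capture() {
    sensor_ip="$1"
    awk -v self="$sensor_ip" '
    # Drop a trailing ":" and the ".port" suffix tcpdump appends to addresses.
    function host(f,   n, p) {
        sub(/:$/, "", f)
        n = split(f, p, ".")
        return (n >= 4) ? p[1] "." p[2] "." p[3] "." p[4] : f
    }
    $2 == "IP" && $4 == ">" {
        src = host($3); dst = host($5)
        split(dst, o, ".")
        if (src == self || dst == self)
            own++        # traffic to/from the sensor: seen on any switch port
        else if (o[4] + 0 == 255 || (o[1] + 0 >= 224 && o[1] + 0 <= 239))
            flood++      # broadcast/multicast: flooded to every port in the VLAN
        else
            transit++    # unicast between other hosts: only seen if mirrored
    }
    END {
        verdict = (transit > 0) ? "mirrored" : "local-only"
        printf "own=%d flood=%d transit=%d verdict=%s\n", own, flood, transit, verdict
    }'
}

# Constructed capture: what a sensor on an ordinary access port sees.
sample_local() { cat <<'EOF'
16:48:04.000001 IP 192.168.42.51.22 > 192.168.42.10.51234: Flags [P.], length 64
16:48:04.000002 IP 192.168.42.10.51234 > 192.168.42.51.22: Flags [.], length 0
16:48:04.000003 IP 192.168.42.7.138 > 192.168.42.255.138: UDP, length 201
16:48:04.000004 ARP, Request who-has 192.168.42.1 tell 192.168.42.7, length 46
16:48:04.000005 IP 192.168.42.1 > 224.0.0.1: igmp query v2
EOF
}

# Constructed capture: same port once it receives other hosts' unicast traffic.
sample_mirrored() { sample_local; cat <<'EOF'
16:48:05.000001 IP 192.168.42.20.40000 > 192.168.42.30.80: Flags [S], length 0
16:48:05.000002 IP 192.168.42.30.80 > 192.168.42.20.40000: Flags [S.], length 0
EOF
}

sample_local    | classify_capture 192.168.42.51
sample_mirrored | classify_capture 192.168.42.51
```

A `local-only` verdict with promiscuous mode on points at the switch (VLAN membership or port mirroring) rather than at snort.conf.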
