[Snort-users] RE: Snort and acid prob!!! Acid not running :(

Patrick S. Harper patrick at ...4250...
Wed Jul 14 04:03:00 EDT 2004


You are on a switch, so due to the nature of switched networking, you
will only see traffic destined for the switch port the snort box is on.  Can
you span a port?  Is it all one vlan or are they unmanaged switches?  Did
you try scanning it (the IP of the snort box) with one of the tools I
mentioned?




Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com

www.ntsug.org - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light the
damn thing yourself!"
 
-----Original Message-----
From: Aparna Mangla [mailto:aparna.mangla at ...11827...] 
Sent: Wednesday, July 14, 2004 5:57 AM
To: Patrick S. Harper
Subject: Re: Snort and acid prob!!! Acid not running :(

well... we have one router and 4 switches.... I have snort installed on my
Linux box (one among the 50 PCs) and we don't use proxies here. All the
machines are directly connected.
Hope I gave the right information..
Now what? :(
Aparna Mangla

On Wed, 14 Jul 2004 05:52:21 -0500, Patrick S. Harper
<patrick at ...4250...> wrote:
> Where is the IDS placed?  Is it on a switch?  If it is, do you have 
> the sniffing interface on a span port?  Were any of the 471 packets 
> something that would trigger an alert?  Nope, because it says ALERTS: 0.
> 
> Download Nessus (www.nessus.org) or CIS
> (http://www.cerberus-infosec.co.uk/CIS-5.0.02.zip) and scan the 
> interface on the snort box you are sniffing on to test it first to see 
> if you have a problem with placement. I am betting you are on a switch 
> and only seeing broadcast traffic.
> 
> If you can see the ACID interface then it is running, snort is 
> starting so mysql is running, if you have your output line correct in 
> your snort.conf and your acid_conf.php database lines correct then it 
> is just a matter of your box not seeing any traffic.  Where exactly do 
> you have this placed in relation to your 50 PC's?
> 
> Hope this helps
> 
> Patrick S. Harper | CISSP RHCT MCSE
> www.internetsecurityguru.com
> 
> www.ntsug.org - Snort Users Group
> 
> "If there is no light at the end of the tunnel, get down there and 
> light the damn thing yourself!"
> 
> 
> 
> -----Original Message-----
> From: Aparna Mangla [mailto:aparna.mangla at ...11827...]
> Sent: Wednesday, July 14, 2004 5:12 AM
> To: Patrick S. Harper; nwoliver at ...4250...;
> snort-users at lists.sourceforge.net
> Subject: Snort and acid prob!!! Acid not running :(
> 
> Hi,
> please help me urgently.
> 
> I have installed snort-2.0.2 with acid 0.9.6b23 on Red Hat 9. I think I 
> followed all the steps correctly, and when I run:
> snort -c /etc/snort/snort.conf
> I get the following output at the end:
> 
> ===============================================================================
> Snort analyzed 471 out of 471 packets, dropping 0(0.000%) packets
> 
> Breakdown by protocol:                Action Stats:
>     TCP: 29         (6.157%)          ALERTS: 0
>     UDP: 208        (44.161%)         LOGGED: 0
>    ICMP: 89         (18.896%)         PASSED: 0
>     ARP: 90         (19.108%)
>   EAPOL: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 55         (11.677%)
> DISCARD: 0          (0.000%)
> ===============================================================================
> Wireless Stats:
> Breakdown by type:
>     Management Packets: 0          (0.000%)
>     Control Packets:    0          (0.000%)
>     Data Packets:       0          (0.000%)
> ===============================================================================
> Fragmentation Stats:
> Fragmented IP Packets: 0          (0.000%)
>     Fragment Trackers: 0
>    Rebuilt IP Packets: 0
>    Frag elements used: 0
> Discarded(incomplete): 0
>    Discarded(timeout): 0
>   Frag2 memory faults: 0
> ===============================================================================
> TCP Stream Reassembly Stats:
>         TCP Packets Used: 29         (6.157%)
>          Stream Trackers: 9
>           Stream flushes: 0
>            Segments used: 0
>    Stream4 Memory Faults: 0
> ===============================================================================
> database: Closing connection to database "snort"
> Snort exiting
> 
> Now...when I start the httpd interface, I get 0 alerts, 0 sensors, 0 % 
> UDP, 0% TCP.....as though it is inactive.
> I am connected on a LAN of 50 PCs.
> Please tell me how to correct it.
> Hoping for an urgent reply.
> Thanking you
> Aparna Mangla
> 

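One way to sanity-check sensor placement from the summary Snort prints at exit, as an added example that is not part of this thread: it parses the "Breakdown by protocol" / "Action Stats" block quoted above and flags the broadcast-heavy, TCP-poor mix that Patrick describes for a sensor sitting on an ordinary (non-SPAN) switch port. The sample text is the run quoted above; the share thresholds are my own assumptions.

```python
import re

# Constructed sample: the tail of the snort run quoted in this thread.
SNORT_STATS = """\
Snort analyzed 471 out of 471 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 29         (6.157%)          ALERTS: 0
    UDP: 208        (44.161%)         LOGGED: 0
   ICMP: 89         (18.896%)         PASSED: 0
    ARP: 90         (19.108%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 55         (11.677%)
DISCARD: 0          (0.000%)
"""

PROTOCOLS = ("TCP", "UDP", "ICMP", "ARP", "EAPOL", "IPv6", "IPX", "OTHER")

# Matches every "NAME: <count>" pair; the percentage in parentheses is ignored.
STAT_RE = re.compile(r"(\w+):\s+(\d+)")


def parse_snort_stats(text):
    """Return {name: count} for every counter in the Snort exit summary."""
    stats = {}
    for line in text.splitlines():
        for name, count in STAT_RE.findall(line):
            stats[name] = int(count)
    return stats


def protocol_total(stats):
    """Packets accounted for by the protocol breakdown (should equal 'analyzed')."""
    return sum(stats.get(p, 0) for p in PROTOCOLS)


def assess_visibility(stats, max_tcp_share=0.25, min_arp_share=0.10):
    """Heuristic placement check (thresholds are assumptions, not Snort's).

    A sensor on a plain switch access port sees only broadcast and its own
    traffic: lots of ARP plus UDP/OTHER chatter and very little TCP, with
    ALERTS: 0 regardless of rule set.  A mirrored or hub segment shows a
    TCP-dominated mix instead."""
    total = protocol_total(stats)
    if total == 0:
        return "no packets seen: check the sniffing interface and promiscuous mode"
    tcp_share = stats.get("TCP", 0) / total
    arp_share = stats.get("ARP", 0) / total
    if tcp_share < max_tcp_share and arp_share > min_arp_share:
        return "likely broadcast-only: sensor is probably on a non-SPAN switch port"
    return "traffic mix looks plausible for a monitored segment"
```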