[Snort-users] RE: Snort and acid prob!!! Acid not running :(

Patrick S. Harper patrick at ...4250...
Wed Jul 14 04:10:24 EDT 2004


Then you are not going to get what you want.  You will only see broadcast
traffic and traffic destined for that port on the switch.  Try CIS, it works
under Windows and is easier if you do not know Nessus.  Read up on the
nature of switches and you will see what I mean.  You can use a tap to make
it more effective.




Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com

www.ntsug.org - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light the
damn thing yourself!"
 
-----Original Message-----
From: Aparna Mangla [mailto:aparna.mangla at ...11827...] 
Sent: Wednesday, July 14, 2004 6:07 AM
To: Patrick S. Harper
Subject: Re: Snort and acid prob!!! Acid not running :(

What do you mean by spanning a port? Please elaborate.  The switches we use
are self-managed switches. They carry no IP addresses. I'm trying to figure
out Nessus....
Aparna Mangla

On Wed, 14 Jul 2004 06:06:23 -0500, Patrick S. Harper
<patrick at ...4250...> wrote:
> You are on a switch, so due to the nature of switched networking, 
> you will only see traffic destined for the switch port the snort box 
> is on.  Can you span a port?  Is it all one VLAN or are they 
> unmanaged switches?  Did you try scanning it (the IP of the snort box) 
> with one of the tools I mentioned?
> 
> Patrick S. Harper | CISSP RHCT MCSE
> www.internetsecurityguru.com
> 
> www.ntsug.org - Snort Users Group
> 
> "If there is no light at the end of the tunnel, get down there and 
> light the damn thing yourself!"
> 
> 
> 
> -----Original Message-----
> From: Aparna Mangla [mailto:aparna.mangla at ...11827...]
> Sent: Wednesday, July 14, 2004 5:57 AM
> To: Patrick S. Harper
> Subject: Re: Snort and acid prob!!! Acid not running :(
> 
> Well... we have one router and 4 switches.... I have Snort installed on 
> my Linux box (one among the 50 PCs) and we don't use proxies here. All 
> the machines are directly connected.
> Hope I gave the right information..
> Now what? :(
> Aparna Mangla
> 
> On Wed, 14 Jul 2004 05:52:21 -0500, Patrick S. Harper 
> <patrick at ...4250...> wrote:
> > Where is the IDS placed?  Is it on a switch?  If it is, do you have 
> > the sniffing interface on a span port?  Were any of the 471 packets 
> > something that would trigger an alert?  Nope, because it says ALERTS: 0.
> >
> > Download Nessus (www.nessus.org) or CIS
> > (http://www.cerberus-infosec.co.uk/CIS-5.0.02.zip) and scan the 
> > interface on the snort box you are sniffing on to test it first to 
> > see if you have a problem with placement. I am betting you are on a 
> > switch and only seeing broadcast traffic.
> >
> > If you can see the ACID interface then it is running; Snort is 
> > starting, so MySQL is running; if you have your output line correct 
> > in your snort.conf and your acid_conf.php database lines correct, 
> > then it is just a matter of your box not seeing any traffic.  Where 
> > exactly do you have this placed in relation to your 50 PCs?
> >
> > Hope this helps
> >
> > Patrick S. Harper | CISSP RHCT MCSE
> > www.internetsecurityguru.com
> >
> > www.ntsug.org - Snort Users Group
> >
> > "If there is no light at the end of the tunnel, get down there and 
> > light the damn thing yourself!"
> >
> >
> >
> > -----Original Message-----
> > From: Aparna Mangla [mailto:aparna.mangla at ...11827...]
> > Sent: Wednesday, July 14, 2004 5:12 AM
> > To: Patrick S. Harper; nwoliver at ...4250...;
> > snort-users at lists.sourceforge.net
> > Subject: Snort and acid prob!!! Acid not running :(
> >
> > Hi,
> > please help me urgently.
> >
> > I have installed snort-2.0.2 with acid 0.9.6b23 on Red Hat 9. I think 
> > I followed all the steps correctly, and when I run:
> > snort -c /etc/snort/snort.conf
> > I get the following output at the end:
> >
> > ===============================================================================
> > Snort analyzed 471 out of 471 packets, dropping 0(0.000%) packets
> >
> > Breakdown by protocol:                Action Stats:
> >     TCP: 29         (6.157%)          ALERTS: 0
> >     UDP: 208        (44.161%)         LOGGED: 0
> >    ICMP: 89         (18.896%)         PASSED: 0
> >     ARP: 90         (19.108%)
> >   EAPOL: 0          (0.000%)
> >    IPv6: 0          (0.000%)
> >     IPX: 0          (0.000%)
> >   OTHER: 55         (11.677%)
> > DISCARD: 0          (0.000%)
> > ===============================================================================
> > Wireless Stats:
> > Breakdown by type:
> >     Management Packets: 0          (0.000%)
> >     Control Packets:    0          (0.000%)
> >     Data Packets:       0          (0.000%)
> > ===============================================================================
> > Fragmentation Stats:
> > Fragmented IP Packets: 0          (0.000%)
> >     Fragment Trackers: 0
> >    Rebuilt IP Packets: 0
> >    Frag elements used: 0
> > Discarded(incomplete): 0
> >    Discarded(timeout): 0
> >   Frag2 memory faults: 0
> > ===============================================================================
> > TCP Stream Reassembly Stats:
> >         TCP Packets Used: 29         (6.157%)
> >          Stream Trackers: 9
> >           Stream flushes: 0
> >            Segments used: 0
> >    Stream4 Memory Faults: 0
> > ===============================================================================
> > database: Closing connection to database "snort"
> > Snort exiting
> >
> > Now... when I start the httpd interface, I get 0 alerts, 0 sensors, 0 
> > % UDP, 0% TCP..... as though it is inactive.
> > I am connected on a LAN of 50 PCs.
> > Please tell me how to correct it.
> > Hoping for an urgent reply.
> > Thanking you,
> > Aparna Mangla
> >
> > ---
> > Incoming mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.719 / Virus Database: 475 - Release Date: 7/12/2004
> >
> >
> 

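Added example, not code from this thread, from any of its participants, or from the Snort project: a small Python script that parses the summary Snort 2.x prints at exit (the same block quoted above, with its 471 packets and ALERTS: 0) and applies the placement check discussed in the thread. A sensor hanging off an ordinary switch port sees broadcast traffic (ARP, broadcast UDP) and its own unicast, but almost none of the TCP flowing between other hosts, so a very low TCP share next to a large ARP+UDP share points at placement rather than at Snort, ACID or MySQL. The 25% TCP floor, the function names and the second "span port" sample are assumptions made for the illustration, not figures from Snort or the thread.

```python
"""Parse the summary Snort 2.x prints at exit and flag the 'sensor on an ordinary
switch port' symptom discussed in the thread (added example, not code from the
thread or from the Snort project)."""
import re

# Constructed sample 1: the summary quoted in the thread (471 packets, 0 alerts).
SWITCH_PORT_SUMMARY = """\
Snort analyzed 471 out of 471 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 29         (6.157%)          ALERTS: 0
    UDP: 208        (44.161%)         LOGGED: 0
   ICMP: 89         (18.896%)         PASSED: 0
    ARP: 90         (19.108%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 55         (11.677%)
DISCARD: 0          (0.000%)
===============================================================================
"""

# Constructed sample 2 (made-up numbers): what a sensor on a SPAN/mirror port or
# tap typically reports, with unicast TCP between other hosts dominating.
SPAN_PORT_SUMMARY = """\
Snort analyzed 1000 out of 1000 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 800        (80.000%)         ALERTS: 3
    UDP: 120        (12.000%)         LOGGED: 3
   ICMP: 10         (1.000%)          PASSED: 0
    ARP: 40         (4.000%)
  OTHER: 30         (3.000%)
DISCARD: 0          (0.000%)
===============================================================================
"""

_TOTAL_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
_ALERTS_RE = re.compile(r"ALERTS:\s+(\d+)")
# One protocol row: optional indent, name, count, percentage in parentheses.
_PROTO_RE = re.compile(r"^\s*([A-Za-z0-9]+):\s+(\d+)\s+\(([\d.]+)%\)", re.M)


def parse_summary(text):
    """Return (analyzed, received, alerts, {protocol: count}) from a Snort exit summary."""
    total = _TOTAL_RE.search(text)
    if not total:
        raise ValueError("no 'Snort analyzed ...' line found")
    analyzed, received = int(total.group(1)), int(total.group(2))
    alerts_match = _ALERTS_RE.search(text)
    alerts = int(alerts_match.group(1)) if alerts_match else 0
    # Only read protocol rows from the breakdown block, up to the next '====' rule,
    # so rows from the fragmentation/stream sections are not mistaken for protocols.
    start = text.find("Breakdown by protocol:")
    if start < 0:
        raise ValueError("no 'Breakdown by protocol:' block found")
    block = text[start:]
    rule = re.search(r"^=+", block, re.M)
    if rule:
        block = block[:rule.start()]
    protos = {name: int(count) for name, count, _pct in _PROTO_RE.findall(block)}
    return analyzed, received, alerts, protos


def placement_diagnosis(protos, analyzed, tcp_floor=0.25):
    """Heuristic check for the symptom in the thread: on a non-mirrored switch port a
    sensor sees broadcast traffic (ARP, broadcast UDP) plus its own unicast, but
    almost none of the TCP between other hosts. The 25% TCP floor is an assumed
    threshold for illustration, not a Snort or vendor figure.
    Returns (likely_switch_port, tcp_share, broadcast_like_share)."""
    if analyzed == 0:
        return True, 0.0, 0.0
    tcp_share = protos.get("TCP", 0) / analyzed
    broadcast_like = (protos.get("ARP", 0) + protos.get("UDP", 0)) / analyzed
    likely = tcp_share < tcp_floor and broadcast_like > tcp_share
    return likely, tcp_share, broadcast_like


def report(text):
    """Human-readable verdict for one summary, returned as a string."""
    analyzed, received, alerts, protos = parse_summary(text)
    likely, tcp_share, bcast = placement_diagnosis(protos, analyzed)
    lines = [f"packets analyzed: {analyzed}/{received}, alerts: {alerts}",
             f"TCP share: {tcp_share:.1%}, ARP+UDP share: {bcast:.1%}"]
    if likely:
        lines.append("VERDICT: probably only seeing broadcast traffic; put the sniffing "
                     "interface on a SPAN/mirror port or a tap, then re-check.")
    else:
        lines.append("VERDICT: placement looks fine; 0 alerts would then just mean "
                     "nothing matched the loaded rules.")
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in (SWITCH_PORT_SUMMARY, SPAN_PORT_SUMMARY):
        print(report(sample), end="\n\n")
```

Run it as-is to see both verdicts, or paste the tail of your own `snort -c /etc/snort/snort.conf` run into a file and call `report(open(path).read())`. The point the script makes is the one Patrick makes in the thread: the counters prove Snort is capturing and the database output is working, so the fix is on the switch (a SPAN/mirror port or a tap), not in snort.conf or acid_conf.php.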