[Snort-users] Snort not logging alerts.

Esler, Joel - Contractor joel.esler at ...9426...
Thu Jul 29 11:57:05 EDT 2004


You have it with "-dev"; this is not running in IDS mode, this is
running in sniffer mode.  Remove the -dev from your command line
options.

J

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Lyndon Tiu
Sent: Thursday, July 29, 2004 2:48 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort not logging alerts.


Hello, 
 
I've googled to no avail. 
 
I am wondering if you guys can help. 
 
I have the latest snort, 2.1.3 from snort.org, installed. I compiled and 
installed it. 
 
I have the rules installed under /usr/local/etc/snort/rules. 
I have /usr/local/etc/snort/snort.conf configured. 
 
I start snort: 
 
/usr/local/bin/snort -dev -i eth1 -c /usr/local/etc/snort/snort.conf 
 
Snort starts up fine, but when I send it a Code Red HTTP request: 
 
All I get are: 
 
Rule application order: ->activation->dynamic->alert->pass->log 
 
        --== Initialization Complete ==-- 
 
-*> Snort! <*- 
Version 2.1.0 (Build 9) 
By Martin Roesch (roesch at ...1935..., www.snort.org) 
07/29-11:44:42.071614 0:10:A4:89:A9:12 -> 0:A0:24:CC:5E:FC type:0x800 
len:0x4A 
192.168.0.2:32806 -> 192.168.0.1:80 TCP TTL:64 TOS:0x0 ID:6238 IpLen:20 
DgmLen:60 DF 
******S* Seq: 0xC4AB409B  Ack: 0x0  Win: 0x16D0  TcpLen: 40 
TCP Options (5) => MSS: 1460 SackOK TS: 612549 0 NOP WS: 0 
 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 
 
07/29-11:44:42.071780 0:A0:24:CC:5E:FC -> 0:10:A4:89:A9:12 type:0x800 
len:0x36 
192.168.0.1:80 -> 192.168.0.2:32806 TCP TTL:64 TOS:0x0 ID:1138 IpLen:20 
DgmLen:40 DF 
***A*R** Seq: 0x0  Ack: 0xC4AB409C  Win: 0x0  TcpLen: 20 
 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 
 
 
I am not getting any alerts as expected!! 
 
 
What am I missing? 
 
 
Thanks for any tips. 
 
 
-- 
Lyndon Tiu 
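The reply above comes down to one thing: the command line in the original post mixes the packet-dump switches (-v verbose, -d dump payload, -e show link-layer headers, bundled as "-dev") with the -c rule set. The following POSIX sh script is an added example, not code from the thread or from the Snort project: it scans a snort 2.x command line for those sniffer-mode letters, including inside bundled short options, and prints the same command line with them removed, which is useful for checking init scripts before deploying a sensor. The list of argument-taking short options it stops at (-A -c -F -g -h -i -k -K -l -L -m -n -P -r -S -t -u) is an assumption based on the common Snort 2 switches.

```shell
#!/bin/sh
# Added example (not from the thread): find the packet-dump switches
# -v, -d and -e in a snort 2.x command line, also when bundled as "-dev",
# and print the command line without them.
# Assumption: these common Snort 2 short options take an argument, so a
# bundle stops being parsed once one of them is seen (the rest is its value).
ARG_OPTS='AcFghikKlLmnPrStu'

# Split one short-option bundle such as "dev" or "ieth1" into the sniffer-mode
# letters and the remainder. Prints "<sniffer>|<rest>".
snort_split_bundle() {
    bundle=$1
    sniff=""
    rest=""
    while [ -n "$bundle" ]; do
        c=${bundle%"${bundle#?}"}      # first character of the bundle
        bundle=${bundle#?}             # everything after it
        case "$c" in
            v|d|e) sniff="$sniff$c" ;;
            [AcFghikKlLmnPrStu]) rest="$rest$c$bundle"; bundle="" ;;
            *) rest="$rest$c" ;;
        esac
    done
    printf '%s|%s\n' "$sniff" "$rest"
}

# Print the sniffer-mode letters found anywhere in a command line
# ("dev" for the command line in the original post, empty when none).
snort_sniffer_flags() {
    found=""
    for tok in $1; do
        case "$tok" in
            --*) ;;                                    # long option, not a bundle
            -?*) pair=$(snort_split_bundle "${tok#-}")
                 found="$found${pair%%|*}" ;;
        esac
    done
    printf '%s\n' "$found"
}

# Print the command line with -v/-d/-e removed and everything else kept in
# order; a token made only of sniffer switches disappears entirely.
snort_ids_cmdline() {
    out=""
    for tok in $1; do
        new=$tok
        case "$tok" in
            --*) ;;
            -?*) pair=$(snort_split_bundle "${tok#-}")
                 rest=${pair#*|}
                 if [ -n "$rest" ]; then new="-$rest"; else new=""; fi ;;
        esac
        if [ -n "$new" ]; then out="${out:+$out }$new"; fi
    done
    printf '%s\n' "$out"
}

# Usage: the command line from the original post, before and after.
cmd='/usr/local/bin/snort -dev -i eth1 -c /usr/local/etc/snort/snort.conf'
echo "sniffer switches found: $(snort_sniffer_flags "$cmd")"
echo "IDS-mode command line:  $(snort_ids_cmdline "$cmd")"
```

Run it as `sh check_snort_cmdline.sh`; on the original poster's command line it reports `dev` and prints the invocation with only `-i eth1 -c /usr/local/etc/snort/snort.conf` left, which is the change the reply recommends. Bundles such as `-ieth1` are left alone because the letters after `i` are its interface argument.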

