[Snort-users] No Alerts Being Generated

Kaplan, Andrew H. AHKAPLAN at ...10063...
Tue Oct 5 13:42:32 EDT 2004


Hi there --

I made the change within the snort.conf file you had suggested. I also ran the
snort -T command and it ran through the configuration without reporting back
any errors. Finally, I installed NeWT, the Windows version of Nessus, on
another machine and ran several different tests on the snort box. The tests I
ran were portscans and the "SANS Top 20" list. After the scans were finished, I
checked the alert file as well as the ACID GUI. Neither one mentioned any alert
conditions taking place.

As a further test, I changed the !HOME_NET setting back to any to see if that
made any difference. It did not. What should I look for next?


-----Original Message-----
From: Nigel Houghton [mailto:nigel at ...1935...]
Sent: Wednesday, September 29, 2004 4:57 PM
To: snort-users at lists.sourceforge.net
Cc: Kaplan, Andrew H.
Subject: Re: [Snort-users] No Alerts Being Generated


Well, the first thing I see in your file is the EXTERNAL_NET variable is set
to any. You might want to set that to !$HOME_NET for a start.

Second, you can run snort -T -c /etc/snort/snort.conf to test your snort
configuration.

Next thing is to make sure your snort box is listening on a span port of a
switch or a tap or a hub (probably not using one in your case I think) and
that the span port/tap is configured correctly.

Then, if possible, you could try generating some traffic that Snort should
alert on, like maybe a web request for ftp.pl which should set off sid
1107. You could run some nessus tests or just do it manually with a
straightforward http://www.yourwebhost.org/ftp.pl or pick some other simple
rule to test.

On  0, snort-users-request at lists.sourceforge.net allegedly wrote:
>    3. No Alerts Being Generated (Kaplan, Andrew H.)
> 
> --__--__--
> 
> Message: 3
> From: "Kaplan, Andrew H." <AHKAPLAN at ...10063...>
> To: "Snort User Group (E-mail)" <snort-users at lists.sourceforge.net>
> Date: Wed, 29 Sep 2004 15:35:26 -0400
> Subject: [Snort-users] No Alerts Being Generated
> 
> I completed installing snort 2.2.0 (build 30) and have begun running it. The
> ACID GUI and /var/log/snort/alert files have not shown any alerts
> even though the program has been running for over an hour. To verify there
> were no syntax errors in the snort.conf file, I ran the following:
> 
> snort -c /etc/snort/snort.conf
> 
> There were no errors and warnings, and the program appears to be running
> properly. Where in snort.conf and elsewhere, should I check for 
> configuration mistakes? I have included the snort.conf file here. Thanks.
> 
>  <<snort.conf.29sept04.txt>> 
> 
> --__--__--
> 
 
+-----------------------------------------------------------------+
    Nigel Houghton      Research Engineer       Sourcefire Inc.
                  Vulnerability Research Team

 Cat: "Forget red - let's go all the way up to brown alert!"
 Kryten: "There's no such thing as a brown alert sir."
 Cat: "You won't be saying that in a minute!"
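A small script that applies the checks raised in this thread to a snort.conf before chasing span-port or sensor-placement problems: are HOME_NET and EXTERNAL_NET defined and not both `any`, is EXTERNAL_NET written as `!$HOME_NET` rather than `!HOME_NET` (Snort variables are referenced with a leading `$`, so the form without it is not a variable reference), and does the file actually pull in any rules. This is an added example, not code from the list posters or from the Snort project; the two config excerpts it writes are constructed for the demonstration (the `192.168.1.0/24` address and the sid 1000001 local rule are placeholders), and `run_config_test` simply wraps the `snort -T -c` check Nigel suggests, skipping it when snort is not installed.

```shell
#!/bin/sh
# Sanity checks for the snort.conf variables discussed in the thread.
# Added example; not the posters' real snort.conf and not Snort project code.

# get_var FILE NAME: print the value of the first "var NAME value" (or ipvar) line
get_var() {
    awk -v v="$2" '($1=="var" || $1=="ipvar") && $2==v { print $3; exit }' "$1"
}

# lint_snort_vars FILE: print one line per finding, return 1 if anything was found
lint_snort_vars() {
    conf="$1"
    rc=0
    home=$(get_var "$conf" HOME_NET)
    ext=$(get_var "$conf" EXTERNAL_NET)

    case "$home" in
        "")  echo "HOME_NET: not defined"; rc=1 ;;
        any) echo "HOME_NET: 'any' - with EXTERNAL_NET !\$HOME_NET no address counts as external"; rc=1 ;;
    esac
    case "$ext" in
        "")          echo "EXTERNAL_NET: not defined"; rc=1 ;;
        any)         echo "EXTERNAL_NET: 'any' - set it to !\$HOME_NET"; rc=1 ;;
        '!HOME_NET') echo "EXTERNAL_NET: '!HOME_NET' lacks the \$ - it is not a variable reference"; rc=1 ;;
    esac
    # A config with no .rules include and no inline alert rule cannot produce alerts.
    if ! grep -Eq '^[[:space:]]*(include[[:space:]].*\.rules|alert[[:space:]])' "$conf"; then
        echo "rules: no .rules include and no alert rule - nothing can fire"; rc=1
    fi
    return "$rc"
}

# run_config_test FILE: the "snort -T -c" check from the thread, if snort is on PATH
run_config_test() {
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$1"
    else
        echo "snort not installed here; run: snort -T -c $1"
    fi
}

# write_sample_confs DIR: constructed excerpts, one broken and one sane
write_sample_confs() {
    cat > "$1/bad.conf" <<'EOF'
# constructed: the shape of config the thread describes
var HOME_NET any
var EXTERNAL_NET any
preprocessor stream4: detect_scans
output alert_fast: alert
EOF
    cat > "$1/good.conf" <<'EOF'
# constructed: 192.168.1.0/24 and sid 1000001 are placeholders
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
preprocessor stream4: detect_scans
output alert_fast: alert
include local.rules
# local stand-in for the ftp.pl request test: a known request should raise this
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL ftp.pl test"; content:"ftp.pl"; nocase; sid:1000001; rev:1;)
EOF
}

tmp=$(mktemp -d)
write_sample_confs "$tmp"
for f in bad good; do
    echo "== $f.conf"
    lint_snort_vars "$tmp/$f.conf" && echo "variables look sane"
done
rm -rf "$tmp"
```

Run it as-is to see the findings for the broken excerpt and a clean pass for the sane one; point `lint_snort_vars` and `run_config_test` at the real /etc/snort/snort.conf afterwards. The sid 1000001 rule in the sane excerpt plays the role of the ftp.pl test Nigel describes: once the config passes `snort -T`, a single request containing `ftp.pl` to a host in HOME_NET should show up in the alert file, which separates "rules not loaded" from "sensor not seeing the traffic".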
