[Snort-users] No Alerts Being Generated
Kaplan, Andrew H.
AHKAPLAN at ...10063...
Tue Oct 5 13:42:32 EDT 2004
Hi there --

I made the change within the snort.conf file you had suggested. I also ran the snort -T command and it ran through the configuration without reporting back any errors. Finally, I installed NeWT, the Windows version of Nessus, on another machine and ran several different tests on the snort box. The tests I ran were portscans and the "SANS Top 20" list. After the scans were finished, I checked the alert file as well as the ACID GUI. Neither one mentioned any alert conditions taking place.

As a further test, I changed the !HOME_NET setting back to any to see if that made any difference. It did not. What should I look for next?
From: Nigel Houghton [mailto:nigel at ...1935...]
Sent: Wednesday, September 29, 2004 4:57 PM
To: snort-users at lists.sourceforge.net
Cc: Kaplan, Andrew H.
Subject: Re: [Snort-users] No Alerts Being Generated
Well, the first thing I see in your file is the EXTERNAL_NET variable is set to any. You might want to set that to !$HOME_NET for a start.

Second, you can run snort -T -c /etc/snort/snort.conf to test your snort

Next thing is to make sure your snort box is listening on a span port of a switch or a tap or a hub (probably not using one in your case I think) and that the span port/tap is configured correctly.

Then, if possible, you could try generating some traffic that Snort should alert on, like maybe a web request for ftp.pl which should set off sid 1107. You could run some nessus tests or just do it manually with a straightforward http://www.yourwebhost.org/ftp.pl or pick some other simple rule to test.
On 0, snort-users-request at lists.sourceforge.net allegedly wrote:
> From: "Kaplan, Andrew H." <AHKAPLAN at ...10063...>
> To: "Snort User Group (E-mail)" <snort-users at lists.sourceforge.net>
> Date: Wed, 29 Sep 2004 15:35:26 -0400
> Subject: [Snort-users] No Alerts Being Generated
> I completed installing snort 2.2.0 (build 30) and have begun running it. The ACID GUI and /var/log/snort/alert files have not shown any alerts even though the program has been running for over an hour. To verify there were no syntax errors in the snort.conf file, I ran the following:
>
> snort -c /etc/snort/snort.conf
>
> There were no errors or warnings, and the program appears to be running properly. Where in snort.conf, and elsewhere, should I check for configuration mistakes? I have included the snort.conf file here. Thanks.
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
Cat: "Forget red - let's go all the way up to brown alert!"
Kryten: "There's no such thing as a brown alert sir."
Cat: "You won't be saying that in a minute!"
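The two config points raised in the thread (EXTERNAL_NET left at any, and HOME_NET set to any as a test) can be checked mechanically before reaching for snort -T. This is an added example, not code from the list or from Snort; the config fragments are constructed, and net_var and audit_net_vars are hypothetical helpers.

```shell
#!/bin/sh
# Constructed snort.conf fragments (not the poster's file): one with the weak
# EXTERNAL_NET setting called out in the thread, one with the suggested fix.
WEAK_CONF='var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
output alert_fast: alert'

FIXED_CONF='var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
output alert_fast: alert'

# net_var CONF_TEXT NAME -> prints the value of "var NAME ..." (empty if unset).
# Hypothetical helper, not part of Snort; "ipvar" (newer configs) is accepted too.
net_var() {
    printf '%s\n' "$1" | awk -v name="$2" \
        '($1=="var" || $1=="ipvar") && $2==name {print $3; exit}'
}

# audit_net_vars CONF_TEXT -> prints one finding per line and returns the number
# of findings, so 0 means both variables look sane.
audit_net_vars() {
    findings=0
    home=$(net_var "$1" HOME_NET)
    ext=$(net_var "$1" EXTERNAL_NET)
    if [ -z "$home" ] || [ "$home" = "any" ]; then
        echo "HOME_NET is '${home:-unset}': Snort cannot tell inside from outside"
        findings=$((findings + 1))
    fi
    if [ -z "$ext" ] || [ "$ext" = "any" ]; then
        echo "EXTERNAL_NET is '${ext:-unset}': set it to !\$HOME_NET as suggested"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# The syntax check from the thread is only printed here, not run.
echo "syntax check: snort -T -c /etc/snort/snort.conf"
echo "--- weak config ---"
audit_net_vars "$WEAK_CONF" || echo "findings: $?"
echo "--- fixed config ---"
audit_net_vars "$FIXED_CONF" && echo "no findings"
```

Run it against a real file with `audit_net_vars "$(cat /etc/snort/snort.conf)"`; a clean result still says nothing about the span port or tap, which the thread lists as the next thing to verify.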