[Snort-users] No Alerts Being Generated

Michael Steele michaels at ...9077...
Wed Oct 6 20:43:05 EDT 2004


You might want to try a TCPDump of the MySQL port and hit Snort with a
scanner and see if the alerts are even being sent to the database.

Did you run Snort in a terminal with a -T at the end of your snort run line
to test your configuration?

Kindest regards, 
Michael...

WINSNORT.com Management Team Member
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Kaplan, Andrew H.
> Sent: Wednesday, October 06, 2004 9:50 AM
> To: 'sekure'; Snort User Group (E-mail)
> Subject: RE: [Snort-users] No Alerts Being Generated
> 
> I ran Snort in packet sniffer mode and indeed it is seeing traffic. To
> answer your other question about the interface, I am specifying the
> interface in the command line.
> 
> -----Original Message-----
> From: sekure [mailto:sekure at ...11827...]
> Sent: Wednesday, October 06, 2004 12:34 PM
> To: Kaplan, Andrew H.
> Cc: Martin Roesch; Snort User Group (E-mail)
> Subject: Re: [Snort-users] No Alerts Being Generated
> 
> 
> Andrew,
> 
> Let's go back to the basics...  Try running snort in packet sniffer
> mode, dumping the traffic to console: "snort -devi <int>".  Obviously
> substitute your interface name for <int>.  You should quickly see if
> Snort is seeing ANY traffic at all.... Speaking of which, are you
> specifying an interface on the command line when you try to run snort
> in nids mode???  That could be your problem.
> 
> 
> On Wed, 6 Oct 2004 11:39:04 -0400, Kaplan, Andrew H.
> <ahkaplan at ...12518...> wrote:
> > Hi there --
> >
> > I created the test rule you had specified and then restarted Snort. I
> > then ran a series of scans, including the fingerprint scan, using nmapFE
> > on a remote machine. None of the scans resulted in alerts being shown.
> > There is no question that something is configured wrong, unfortunately I
> > don't know what it is. I am including the snort.conf file with this
> > e-mail. Someone mentioned changing the EXTERNAL_NET option from any to
> > !HOME_NET. I tried that approach without any difference and thereafter
> > changed it back.
> > Thanks for your help.
> >
> >
> >
> >
> > -----Original Message-----
> > From: Martin Roesch [mailto:roesch at ...1935...]
> > Sent: Wednesday, October 06, 2004 10:01 AM
> > To: Kaplan, Andrew H.
> > Cc: Snort User Group (E-mail)
> > Subject: Re: [Snort-users] No Alerts Being Generated
> >
> > Have you tried making a test rule?  How about:
> >
> > alert tcp any any -> any any (msg: "TCP packet";)
> >
> > put that in a file called test.rule then run
> >
> > snort -c test.rule -A console -N
> >
> > for a couple minutes and surf around the web, you should have alerts.
> > If you don't have alerts then something is probably configured wrong,
> > if you do have alerts then your test case (running Newt in front of
> > Snort) probably isn't generating anything that Snort is looking for.
> > Try running some real attacks or an nmap fingerprint scan.
> >
> >      -Marty
> >
> > On Oct 6, 2004, at 8:00 AM, Kaplan, Andrew H. wrote:
> >
> > > Hi there -- (sorry if this is a repeat of a message sent out)
> > >
> > > I made the change within the snort.conf file you had suggested. I also
> > > ran the snort -T command and it ran through the configuration without
> > > reporting back any errors. Finally, I installed NeWT, the Windows
> > > version of Nessus, on another machine and ran several different tests
> > > on the snort box. The tests I ran were portscans and the "SANS Top 20"
> > > list. After the scans were finished, I checked the alert file as well
> > > as the ACID GUI. Neither one mentioned any alert conditions taking
> > > place.
> > >
> > > As a further test, I changed the !HOME_NET setting back to any to see
> > > if that made any difference. It did not. What should I look for next?
> > >
> > >
> > > -----Original Message-----
> > > From: Nigel Houghton [mailto:nigel at ...1935...]
> > > Sent: Wednesday, September 29, 2004 4:57 PM
> > > To: snort-users at lists.sourceforge.net
> > > Cc: Kaplan, Andrew H.
> > > Subject: Re: [Snort-users] No Alerts Being Generated
> > >
> > >
> > > Well the first thing I see in your file is the EXTERNAL_NET variable
> > > is set to any. You might want to set that to !$HOME_NET for a start.
> > >
> > > Second, you can run snort -T -c /etc/snort/snort.conf to test your
> > > snort configuration.
> > >
> > > Next thing is to make sure your snort box is listening on a span port
> > > of a switch or a tap or a hub (probably not using one in your case I
> > > think) and that the span port/tap is configured correctly.
> > >
> > > Then, if possible, you could try generating some traffic that Snort
> > > should alert on, like maybe a web request for ftp.pl which should set
> > > off sid 1107. You could run some nessus tests or just do it manually
> > > with a straightforward http://www.yourwebhost.org/ftp.pl or pick some
> > > other simple rule to test.
> > >
> > > On  0, snort-users-request at lists.sourceforge.net allegedly wrote:
> > >> From: "Kaplan, Andrew H." <AHKAPLAN at ...10063...>
> > >> To: "Snort User Group (E-mail)" <snort-users at lists.sourceforge.net>
> > >> Date: Wed, 29 Sep 2004 15:35:26 -0400
> > >> Subject: [Snort-users] No Alerts Being Generated
> > >>
> > >> I completed installing snort 2.2.0 (build 30) and have begun running
> > >> it. The ACID GUI and /var/log/snort/alert files have not shown any
> > >> alerts even though the program has been running for over an hour. To
> > >> verify there were no syntax errors in the snort.conf file, I ran the
> > >> following:
> > >>
> > >> snort -c /etc/snort/snort.conf
> > >>
> > >> There were no errors or warnings, and the program appears to be
> > >> running properly. Where, in snort.conf and elsewhere, should I check
> > >> for configuration mistakes? I have included the snort.conf file here.
> > >> Thanks.
> > >>
> > >>  <<snort.conf.29sept04.txt>>
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.net email is sponsored by: IT Product Guide on
> > > ITManagersJournal
> > > Use IT products in your business? Tell us what you think of them. Give
> > > us
> > > Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out
> > > more
> > > http://productguide.itmanagersjournal.com/guidepromo.tmpl
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> > --
> > Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> > Sourcefire - Discover.  Determine.  Defend.
> > roesch at ...1935... - http://www.sourcefire.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >
> >
> >
> 
> 
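The checks proposed across this thread (Nigel's variable settings and snort -T, sekure's sniffer-mode test, Marty's catch-all rule to the console, Michael's tcpdump of the database port), collected into one shell script in the order a sensor operator would run them. This is an added example, not code from any of the posters or from the Snort project: the function names check_snort_conf, make_test_rule, bounded and snort_diag_main are hypothetical, the MySQL port defaults to 3306, and the steps that need snort, tcpdump or timeout(1) assume those tools are in PATH and are skipped otherwise, so the config and rule-file checks run on any machine.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): work through the
# "no alerts" checklist from the list replies in order. Helper names are
# hypothetical. Steps that need snort(8) or tcpdump(8) are skipped when the
# tool is not in PATH, so the config and rule-file checks can run anywhere.

# Step 0 (Nigel): look for the variable settings the thread points at.
# Returns 0 when neither HOME_NET nor EXTERNAL_NET is "any", 1 otherwise.
# Caveat: set HOME_NET first. "var EXTERNAL_NET !$HOME_NET" with HOME_NET
# still "any" negates everything, so no rule using $EXTERNAL_NET can match
# (newer Snort releases refuse to parse "!any" at all).
check_snort_conf() {
    conf="$1"
    rc=0
    if grep -Eq '^[[:space:]]*var[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$' "$conf"; then
        echo "WARN: HOME_NET is 'any'; set it to the network you monitor"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*var[[:space:]]+EXTERNAL_NET[[:space:]]+any[[:space:]]*$' "$conf"; then
        echo "WARN: EXTERNAL_NET is 'any'; the thread suggests '!\$HOME_NET'"
        rc=1
    fi
    return "$rc"
}

# Step 3 prep (Marty): a catch-all rule that fires on every TCP packet, so a
# quiet console means Snort is matching nothing at all, not just this rule.
# sid/rev are added because later Snort releases complain without them.
make_test_rule() {
    cat > "$1" <<'EOF'
alert tcp any any -> any any (msg:"TEST catch-all TCP packet"; sid:1000001; rev:1;)
EOF
}

# Run a command for a bounded number of seconds when timeout(1) exists;
# otherwise the operator stops it with Ctrl-C.
bounded() {
    secs="$1"; shift
    if command -v timeout >/dev/null 2>&1; then timeout "$secs" "$@"; else "$@"; fi
}

# Usage: snort_diag_main <sniff_iface> </path/to/snort.conf> [mysql_port] [db_iface]
# db_iface is the interface the sensor uses to reach MySQL (lo if it is local).
snort_diag_main() {
    iface="$1"; conf="$2"; dbport="${3:-3306}"; dbiface="${4:-$1}"
    rule="/tmp/snort-test.rule"

    echo "== 0. variable settings in $conf"
    check_snort_conf "$conf" || echo "   (see warnings above)"

    if ! command -v snort >/dev/null 2>&1; then
        echo "snort not found in PATH; stopping after the config check"; return 2
    fi

    echo "== 1. parse-only run (Nigel): snort -T"
    snort -T -c "$conf" -i "$iface" || return 1

    echo "== 2. sniffer mode (sekure): packets must scroll by here"
    bounded 10 snort -devi "$iface"

    echo "== 3. catch-all rule to the console, logging off (Marty)"
    make_test_rule "$rule"
    bounded 30 snort -c "$rule" -i "$iface" -A console -N

    echo "== 4. database path (Michael): watch port $dbport on $dbiface while"
    echo "      the full config runs and a scan hits the sensor from another host"
    if command -v tcpdump >/dev/null 2>&1; then
        bounded 60 tcpdump -ni "$dbiface" "tcp port $dbport" &
        bounded 60 snort -c "$conf" -i "$iface"
        wait
    else
        echo "   tcpdump not found; skipped"
    fi
}
```

Each step isolates one layer: step 2 fails when the interface or span port is wrong, step 3 fails when the rules or output path are wrong even though packets arrive, and step 4 separates "Snort never alerted" from "the alert never reached the database that ACID reads". Run the steps with the same interface you pass to Snort in NIDS mode, since a sensor that sniffs eth0 but is started without -i may be listening somewhere else entirely.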