[Snort-users] RE: Snort Problems

Patrick S. Harper patrick at ...4250...
Thu Oct 21 18:59:45 EDT 2004


I am not sure if the VMware is doing anything.  You might want to send this
to the list.  I am forwarding it that way with the reply.



Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com

www.ntsug.org - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light the
damn thing yourself!"
 
-----Original Message-----
From: Edward Sohn [mailto:edwardsohn at ...131...] 
Sent: Thursday, October 21, 2004 8:19 PM
To: patrick at ...4250...
Subject: Snort Problems

Hi Patrick, 

I am a Snort and Linux newbie, and I appreciate your Snort installation
guide.  I'm having problems, however... 

I have everything installed and running on Fedora Core 2 in VMware 4.5.2 on
Windows XP in bridged mode. 

I can see Snort working when I run it in verbose (I can see the packet
captures).
I have the snort.conf file logging to MySQL and then displaying in ACID. 

The problem is that I cannot see any entries in MySQL, and thus, nothing is
showing in ACID. 

I created a test.rules file and used "alert tcp any any -> any any..." and
saved it in the rules folder.  I then ran "snort -c test.rules" and nothing
happened (this ran cleanly, BTW).

You may think that there might be a problem with Snort not logging to MySQL,
but one time (and one time only) I ran a "snort -c /etc/snort/snort.conf"
and then ctrl-c'd a little while later.  RIGHT when I did so, my ACID page
logged 3 UDP packets.  The signatures read "[snort] SCAN UPnP service
discover attempt" on UDP 1900.  There are 3 identical entries sourcing from
the Host Computer (XP) IP address.

Since then, however, I have never seen any more packets being logged. 

Can you help me, please?  I would be eternally grateful.  Please let me know
what output I can copy and paste for you to see.

Thanks, 

Ed 
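Added example, not a command from the thread or from Patrick's guide: a small sh script that separates the two questions in Ed's report (does Snort alert at all; do alerts reach MySQL) using a complete version of the test.rules check. It assumes Snort 2.x command-line flags, interface eth0, and a database built from Snort's create_mysql schema with user and database both named snort; the rule options and the helper names are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread or Patrick's guide). It separates the two
# questions in Ed's report: does Snort alert at all, and do alerts reach MySQL.
# Assumptions: Snort 2.x flags, interface eth0, a MySQL database built from
# Snort's create_mysql schema, and user/database both named "snort".
IFACE="${IFACE:-eth0}"
RULES="${RULES:-/tmp/test.rules}"
DB_USER="${DB_USER:-snort}"
DB_NAME="${DB_NAME:-snort}"
# A complete catch-all rule file. The thread shows only the header
# "alert tcp any any -> any any..."; the msg/sid/rev options are constructed here.
write_test_rules() {
    cat > "$1" <<'EOF'
# constructed test rules: match every TCP and UDP packet the interface sees
alert tcp any any -> any any (msg:"TEST catch-all TCP"; sid:1000001; rev:1;)
alert udp any any -> any any (msg:"TEST catch-all UDP"; sid:1000002; rev:1;)
EOF
}
# Check before handing the file to Snort: every rule line needs a msg (what ACID
# displays as the signature) and a sid (what the database keys events on).
# Returns 0 when all rule lines are complete, 1 otherwise.
validate_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        case "$line" in
            *msg:*sid:*) ;;
            *) echo "incomplete rule: $line" >&2; exit 1 ;;
        esac
    done
}
count_rules() { grep -c '^alert' "$1"; }
# Stage 1: -T checks the config parses, then -A console prints alerts to the
# terminal, bypassing the output plugins of snort.conf. No alerts here means
# Snort is not seeing traffic on $IFACE, and MySQL is not the problem yet.
run_console_test() {
    snort -T -c "$RULES" && snort -c "$RULES" -i "$IFACE" -A console
}
# Stage 2: query the event and signature tables directly, taking ACID out of the loop.
count_db_events() {
    mysql -u "$DB_USER" -p "$DB_NAME" -e "SELECT s.sig_name, COUNT(*) AS n \
      FROM event e JOIN signature s ON e.signature = s.sig_id GROUP BY s.sig_name;"
}
case "${1:-}" in
    console) write_test_rules "$RULES" && validate_rules "$RULES" && run_console_test ;;
    db)      count_db_events ;;
    *)       echo "usage: $0 console|db" >&2 ;;
esac
```

Run `console` first on the VM and only move on to `db` once alerts appear on the terminal; if stage 1 prints nothing, the interface (or what the bridged guest can see) is the place to look.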