[Snort-users] No Alerts Being Generated

Nigel Houghton nigel at ...1935...
Wed Sep 29 13:59:09 EDT 2004


Well the first thing I see in your file is the EXTERNAL_NET variable is set
to any. You might want to set that to !$HOME_NET for a start.

Second, you can run snort -T -c /etc/snort/snort.conf to test your snort
configuration.

Next thing is to make sure your snort box is listening on a span port of a
switch or a tap or a hub (probably not using one in your case I think) and
that the span port/tap is configured correctly.

Then, if possible, you could try generating some traffic that Snort should
alert on, like maybe a web request for ftp.pl which should set off sid
1107. You could run some nessus tests or just do it manually with a
straightforward http://www.yourwebhost.org/ftp.pl or pick some other simple
rule to test.

On  0, snort-users-request at lists.sourceforge.net allegedly wrote:
>    3. No Alerts Being Generated (Kaplan, Andrew H.)
> 
> --__--__--
> 
> Message: 3
> From: "Kaplan, Andrew H." <AHKAPLAN at ...10063...>
> To: "Snort User Group (E-mail)" <snort-users at lists.sourceforge.net>
> Date: Wed, 29 Sep 2004 15:35:26 -0400
> Subject: [Snort-users] No Alerts Being Generated
> 
> I completed installing snort 2.2.0 (build 30) and have begun running it. The
> ACID GUI and /var/log/snort/alert files have not shown any alerts
> even though the program has been running for over an hour. To verify there were
> no syntax errors in the snort.conf file, I ran the following:
> 
> snort -c /etc/snort/snort.conf
> 
> There were no errors and warnings, and the program appears to be running
> properly. Where in snort.conf and elsewhere, should I check for 
> configuration mistakes? I have included the snort.conf file here. Thanks.
> 
>  <<snort.conf.29sept04.txt>> 
> 
> --__--__--
> 
 
+-----------------------------------------------------------------+
    Nigel Houghton      Research Engineer       Sourcefire Inc.
                  Vulnerability Research Team

 Cat: "Forget red - let's go all the way up to brown alert!"
 Kryten: "There's no such thing as a brown alert sir."
 Cat: "You won't be saying that in a minute!"
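
The checks suggested in the reply above, as an added example that is not part of the original post or of Snort: a script that reads a snort.conf for the `EXTERNAL_NET` setting and active rule includes, then looks for sid 1107 in an alert file. Assumptions: the function names are hypothetical, the config uses Snort 2.x `var NAME value` lines, alerts carry a `[gid:sid:rev]` tag, and the sample config and alert line are constructed.

```shell
#!/bin/sh
# Added example: static checks on a Snort 2.x snort.conf plus an alert-file check.
# Function names are hypothetical; all sample data below is constructed.

# Value of the last active `var NAME value` line (commented lines do not match).
conf_var() {    # usage: conf_var NAME FILE
    awk -v n="$1" '$1 == "var" && $2 == n { v = $3 } END { print v }' "$2"
}

# Number of active `include ...rules` lines, i.e. rule files actually loaded.
active_rule_files() {    # usage: active_rule_files FILE
    awk '$1 == "include" && $2 ~ /\.rules$/ { c++ } END { print c + 0 }' "$1"
}

# One finding per line on stdout; no output means nothing was flagged.
check_conf() {    # usage: check_conf FILE
    home=$(conf_var HOME_NET "$1")
    ext=$(conf_var EXTERNAL_NET "$1")
    if [ "$ext" = "any" ]; then
        echo 'EXTERNAL_NET is any'
    fi
    # !$HOME_NET needs HOME_NET to be a real network: Snort rejects "!any".
    if [ "$home" = "any" ] && [ "$ext" = '!$HOME_NET' ]; then
        echo 'EXTERNAL_NET is !$HOME_NET but HOME_NET is any'
    fi
    if [ "$(active_rule_files "$1")" -eq 0 ]; then
        echo 'no active rule includes'
    fi
}

# Succeeds if a generator-1 alert for the given sid is in the alert file.
sid_fired() {    # usage: sid_fired SID ALERT_FILE
    grep -q "\[1:$1:[0-9]*]" "$2"
}

# Constructed sample inputs.
conf=$(mktemp); alerts=$(mktemp)
cat > "$conf" <<'EOF'
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
# include $RULE_PATH/web-cgi.rules
EOF
echo '09/29-15:40:01.000000  [**] [1:1107:0] constructed msg [**] {TCP} 10.0.0.5:40000 -> 192.168.1.10:80' > "$alerts"

check_conf "$conf"
sid_fired 1107 "$alerts" && echo "sid 1107 present in alert file"
```

These are static checks only; `snort -T -c /etc/snort/snort.conf` remains the authoritative test of whether the configuration loads.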



