[Snort-users] My BASE did not have any alerts

Adam Kliarsky 360air at ...5068...
Sun Apr 17 09:20:00 EDT 2005


Yeah, Nessus should produce all sorts of red on your BASE console.
OK, assuming you're on a *nix system, do the following:

1. check for the running snort process ("ps -aux | grep snort")
You should see two entries if snort is running (one for the process, and one
for your ps query)
If snort is not running, start it up ("snort -c <path to snort.conf> -i
<interface>")

2. packet dump on the same interface to make sure libpcap is working and
capturing packets
 - "snort -dv -i <interface>" - this will display the packets to the screen
so you can check

3. check the logs to see if you are getting mysql login errors or other
similar
 - (/var/log/messages)

4. did you verify that you can login to MySQL with the user supplied in
snort.conf?

5. check base_conf.php:
 - $DBtype = "mysql";
 - $alert_dbname = "snort";
 - $alert_host = "localhost";
 - $alert_user = "snort";
 - $alert_password = "your own password";

Let me know if that produces anything - 

Adam
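
Steps 4 and 5 above, together with the "output database:" line quoted below, come down to Snort and BASE pointing at the same database with the same credentials. The script below is an added example, not part of the original message; the function names and the sample file contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): compare the database settings Snort
# logs with (snort.conf) against the ones BASE reads with (base_conf.php).

# Print the value of key $2 from the first active "output database:" line in $1.
snort_db_value() {
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1" | head -n 1 |
        tr ', ' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the quoted string assigned to PHP variable $2 (without the "$") in $1.
base_conf_value() {
    sed -n -E "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1" |
        head -n 1
}

# Print one line per setting that differs between the two files.
compare_db_settings() {
    local pair skey bkey sval bval
    for pair in user:alert_user password:alert_password dbname:alert_dbname host:alert_host; do
        skey=${pair%%:*}
        bkey=${pair#*:}
        sval=$(snort_db_value "$1" "$skey")
        bval=$(base_conf_value "$2" "$bkey")
        if [ "$sval" != "$bval" ]; then
            # Report that passwords differ without echoing either one.
            if [ "$skey" = password ]; then sval='<hidden>'; bval='<hidden>'; fi
            echo "MISMATCH: snort.conf $skey=$sval, base_conf.php \$$bkey=$bval"
        fi
    done
}

# Constructed sample files; on a real sensor pass the actual paths instead.
demo_dir=$(mktemp -d)
cat > "$demo_dir/snort.conf" <<'EOF'
# output database: log, mysql, user=old password=old dbname=old host=localhost
output database: log, mysql, user=snort password=s3cret dbname=snort host=localhost
EOF
cat > "$demo_dir/base_conf.php" <<'EOF'
<?php
$DBtype = "mysql";
$alert_dbname = "snort_log";
$alert_host = "localhost";
$alert_user = "snort";
$alert_password = "s3cret";
EOF
compare_db_settings "$demo_dir/snort.conf" "$demo_dir/base_conf.php"
```

With the constructed files, Snort would be writing to one database while BASE reads another, so BASE stays empty even though alerts are being logged. A password containing a space is not handled by the snort.conf parser here.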

-----Original Message-----
From: mr leokenzie [mailto:tenminustwo at ...125...] 
Sent: Sunday, April 17, 2005 8:38 AM
To: 360air at ...5068...
Subject: RE: [Snort-users] My BASE did not have any alerts

1. I'm not sure whether I started running snort, but I did run the database
2. I have not checked whether there's an error
3. output plugin is configured as follows (output database: log, mysql,
   user=snort password=myown password dbname=snort host=localhost)
4. what do you mean by dump on the interface to ensure it receives the packet?

When I scan with Nessus, does BASE actually show the results and stats?
Thanks

>From: "Adam Kliarsky" <360air at ...5068...>
>Reply-To: <360air at ...5068...>
>To: "'mr leokenzie'" 
><tenminustwo at ...125...>,<snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] My BASE did not have any alerts
>Date: Sat, 16 Apr 2005 18:37:26 -0700
>
>This could be related to several things - can you describe your system 
>(platform, db, etc)?
>- did you verify snort & database processes are running? Did you 
>restart them?
>- do you see any errors (/var/log/messages)
>- is the output plugin in snort.conf configured properly
>  (output database: log, mysql, user=??? password=??? dbname=???
>host=localhost)
>- did you dump on the interface to ensure you're receiving packets?
>
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of mr 
>leokenzie
>Sent: Friday, April 15, 2005 12:33 AM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] My BASE did not have any alerts
>
>What have I done wrong?
>I did a scan with Nessus but when I go to my BASE website it did not 
>display anything.
>Why is that?
>I make it focus on port 80 and target it at my own IP address. Please 
>kindly help.
>Thanks
>
