[Snort-users] How to verify snort functionality

David Kingsly davidkingsly at ...3147...
Sun Apr 12 11:54:36 EDT 2009



I see snort running:
root at ...14543...:/etc/snort# ps aux |  grep snort
snort    14473  7.1  7.1 144468 110520 ?       Ss   18:52   0:05 snort
-c /etc/snort/snort.conf -u snort -g snort -D
root     30336  0.0  0.1   6464  2564 pts/0    S+   12:50   0:00 mysql
-u snort -p snort
root at ...14543...:/etc/snort# 

Now I want to verify that alerts are triggered, and sent to the log
directory, and the database.  So I installed nmap on a different machine
connected to the snort box through a hub, and I issued the command nmap
x.x.x.x ( IP of my snort machine ).  I do not see anything in my
database or the alerts directory located at /var/log/snort.    Is there
anywhere I forgot to look?  Something I need to disable?  ( I disabled
the Linux firewall through Firestarter )

mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             | 
| detail           | 
| encoding         | 
| event            | 
| icmphdr          | 
| iphdr            | 
| opt              | 
| reference        | 
| reference_system | 
| schema           | 
| sensor           | 
| sig_class        | 
| sig_reference    | 
| signature        | 
| tcphdr           | 
| udphdr           | 
+------------------+
16 rows in set (0.00 sec)

mysql> select * from data;
Empty set (0.00 sec)

mysql> 

*****************************

root at ...14543...:/var/log/snort# more alert 
root at ...14543...:/var/log/snort# ls
alert  snort.log.1239490353
root at ...14543...:/var/log/snort# more snort.log.1239490353 
root at ...14543...:/var/log/snort# 
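An added example, not code from the poster or the Snort project: after sending test traffic from a known host, parse the fast-format alert file and check whether any event actually came from that host, which distinguishes "Snort wrote nothing" from "Snort wrote alerts but never saw the scanner". It assumes the sensor writes alert_fast lines (e.g. started with -A fast); the sample lines and the 10.0.0.x addresses are constructed.

```python
"""Confirm Snort is producing alerts by parsing its alert_fast output.
Assumption: alert_fast line layout; sample lines below are constructed."""
import re
from collections import Counter

# One alert_fast line: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification and priority, then {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_fast_alerts(text):
    """Return one dict per well-formed alert line; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            a = m.groupdict()
            for k in ("gid", "sid", "rev"):
                a[k] = int(a[k])
            alerts.append(a)
    return alerts

def summarize(alerts):
    """Aggregate per signature and per source host (IPv4, port stripped)."""
    by_sig = Counter("%d:%d %s" % (a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"].rsplit(":", 1)[0] for a in alerts)
    return {"total": len(alerts), "by_sig": dict(by_sig), "by_src": dict(by_src)}

def check_alert_file(text, scanner_ip):
    """Verdict: did any alert come from the host used to generate test traffic?"""
    s = summarize(parse_fast_alerts(text))
    if s["total"] == 0:
        return "no alerts at all: verify sniffing interface, enabled rules and output plugins"
    if scanner_ip not in s["by_src"]:
        return "alerts present but none from %s: test traffic may not reach the sensor" % scanner_ip
    return "ok: %d alerts, %d from %s" % (s["total"], s["by_src"][scanner_ip], scanner_ip)

# Constructed sample: two alerts from a scanner at 10.0.0.2 plus one junk line.
SAMPLE = """\
04/12-12:51:03.112233  [**] [1:1000001:1] LOCAL ICMP test [**] [Priority: 3] {ICMP} 10.0.0.2 -> 10.0.0.1
04/12-12:51:04.500000  [**] [1:1000002:1] LOCAL TCP SYN to sshd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.2:43210 -> 10.0.0.1:22
not an alert line
"""

if __name__ == "__main__":
    print(check_alert_file(SAMPLE, "10.0.0.2"))
```

Run it against the real file with `check_alert_file(open("/var/log/snort/alert").read(), "<scanner ip>")`; an empty file, as in the session above, yields the "no alerts at all" verdict.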