[Snort-users] How to verify snort functionality

Joel Esler jesler at ...1935...
Sun Apr 12 12:12:28 EDT 2009


Doesn't look like you have triggered any alerts.  You might try something
like metasploit.
J

On Sun, Apr 12, 2009 at 11:54 AM, David Kingsly <davidkingsly at ...3147...> wrote:

>
>
> I see snort running:
> root at ...14543...:/etc/snort# ps aux |  grep snort
> snort    14473  7.1  7.1 144468 110520 ?       Ss   18:52   0:05 snort
> -c /etc/snort/snort.conf -u snort -g snort -D
> root     30336  0.0  0.1   6464  2564 pts/0    S+   12:50   0:00 mysql
> -u snort -p snort
> root at ...14543...:/etc/snort#
>
> Now I want to verify that alerts are triggered and sent to the log
> directory and the database.  So I installed nmap on a different machine
> connected to the snort box through a hub, and I issued the command nmap
> x.x.x.x (ip of my snort machine).  I do not see anything in my
> database or the alerts directory located at /var/log/snort.  Is there
> anywhere I forgot to look?  Something I need to disable?  (I disabled
> the linux firewall through firestarter.)
>
> mysql> show tables;
> +------------------+
> | Tables_in_snort  |
> +------------------+
> | data             |
> | detail           |
> | encoding         |
> | event            |
> | icmphdr          |
> | iphdr            |
> | opt              |
> | reference        |
> | reference_system |
> | schema           |
> | sensor           |
> | sig_class        |
> | sig_reference    |
> | signature        |
> | tcphdr           |
> | udphdr           |
> +------------------+
> 16 rows in set (0.00 sec)
>
> mysql> select * from data;
> Empty set (0.00 sec)
>
> mysql>
>
> *****************************
>
> root at ...14543...:/var/log/snort# more alert
> root at ...14543...:/var/log/snort# ls
> alert  snort.log.1239490353
> root at ...14543...:/var/log/snort# more snort.log.1239490353
> root at ...14543...:/var/log/snort#
>
>
>
>
>



-- 
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
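The thread turns on one question: did any rule actually fire, and does the output show it? The empty `alert` file and the empty `data` table above say no. A local test rule (for example an `alert icmp` rule with a private SID in the 1000000+ range, pinged from the second machine) is the usual way to exercise the pipeline end to end; once it fires, the record lands in `/var/log/snort/alert` in Snort 2's "full" format. The script below is an added example, not code from the thread or from the Snort project: it parses that full-format alert file, counts hits per SID, and reports a pass/fail for the SID you expect, so the check can be scripted instead of eyeballed with `more`. The sample records are constructed to resemble what such a test rule would write (SIDs 1000001/1000002, the 192.168.1.0/24 addresses and timestamps are invented), and the `verify` function, its argument names, and the diagnostic hints are this example's own.

```python
import re
from collections import Counter

# Constructed sample of a Snort 2 "full" alert file, written by two hypothetical
# local test rules (sid 1000001 on ICMP echo, sid 1000002 on a TCP SYN to 22).
# Addresses, timestamps and messages are invented for this example.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] LOCAL ICMP test [**]
[Priority: 3]
04/12-12:55:01.123456 192.168.1.20 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:4321   Seq:1  ECHO

[**] [1:1000001:1] LOCAL ICMP test [**]
[Priority: 3]
04/12-12:55:02.123789 192.168.1.20 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:4321   Seq:2  ECHO

[**] [1:1000002:1] LOCAL TCP test [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/12-12:56:10.000001 192.168.1.20:40000 -> 192.168.1.10:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1  Ack: 0x0  Win: 0x200  TcpLen: 40
"""

# Record header:  [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
# Flow line:  MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]
FLOW_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$')


def parse_alerts(text):
    """Parse full-format alert records into dicts: gid, sid, rev, msg, ts, src, dst."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                'gid': int(m.group(1)),
                'sid': int(m.group(2)),
                'rev': int(m.group(3)),
                'msg': m.group(4),
            }
            alerts.append(current)
            continue
        if current is None:
            continue  # text before the first header (or junk) is ignored
        m = FLOW_RE.match(line)
        if m:
            current['ts'], current['src'], current['dst'] = m.groups()
    return alerts


def hits_per_sid(alerts):
    """Count how many times each SID fired."""
    return Counter(a['sid'] for a in alerts)


def verify(alert_text, expected_sid, expected_src=None):
    """Return (ok, message) for the end-to-end test described in the thread.

    ok is True only when expected_sid fired at least once (and, if given,
    at least one of its records came from expected_src).
    """
    alerts = parse_alerts(alert_text)
    if not alerts:
        return False, ('alert file is empty: no rule fired; check "snort -T -c snort.conf", '
                       'HOME_NET/EXTERNAL_NET, and that the test rule file is included')
    counts = hits_per_sid(alerts)
    n = counts.get(expected_sid, 0)
    if n == 0:
        seen = ', '.join(str(s) for s in sorted(counts))
        return False, 'sid %d never fired (SIDs seen: %s)' % (expected_sid, seen)
    if expected_src is not None:
        srcs = {a.get('src', '').split(':')[0] for a in alerts if a['sid'] == expected_sid}
        if expected_src not in srcs:
            return False, 'sid %d fired %d time(s) but never from %s' % (expected_sid, n, expected_src)
    return True, 'sid %d fired %d time(s); alert output path is working' % (expected_sid, n)


def verify_file(path, expected_sid, expected_src=None):
    """Same check against a real alert file, e.g. /var/log/snort/alert."""
    with open(path) as f:
        return verify(f.read(), expected_sid, expected_src)


if __name__ == '__main__':
    # Stand-alone run against the constructed sample; swap in verify_file(...) on a sensor.
    print(verify(SAMPLE_ALERT_FILE, 1000001, '192.168.1.20')[1])
    print(verify('', 1000001)[1])
```

An empty result from this check points at the same places the thread does: the rule never matched (wrong `HOME_NET`, rule file not included, `snort -T` not clean) or the output plugin is not configured, and only once the flat file shows the record is it worth looking at the database output.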

