[Snort-users] No Logging No Output No Data

Russ Combs rcombs at ...1935...
Thu Aug 26 16:41:37 EDT 2010


On Thu, Aug 26, 2010 at 3:51 PM, Greg Lane <greglane at ...14965...> wrote:

> I have snort installed on an Ubuntu 10.04 box and I have gone over config
> files and everything I can think of at least 10 times.  I cannot get help on
> the forums and can’t seem to find anything in the forum that remotely gives
> a solution.  I have followed 2 different methods of install and still I have
> nothing as far as alerts or just plain traffic in BASE.  I have mirrored
> port on the outside interface of my router and have run wireshark to confirm
> that I have activity on that mirrored port yet I’m still getting nothing in
> BASE.  I have run Tcpdump and seen traffic on the interface.  I have done a
> capture with Wireshark and analyzed the data with Netwitness yet I still
> have no data in BASE.  The only thing that I have seen as a problem and researched
> and found out was not a problem was when I start Snort after it completes
> the initialization it says NOT USING PCAP_FRAMES.  So I would really
> appreciate if somebody could possibly tell me what the problem is because I
> have posted on forums and get no feedback.
>

Greg,

I feel your pain!  Take heart, it's inherently not a simple task.  We'll
have to break this down Barney style to isolate the problem.

For starters, when you stop Snort, do you see any packet counts?  If not,
are you sniffing the correct interfaces, do you have a bad BPF, etc.

If Snort is seeing the traffic, are you getting any alerts?  Run with -A cmg
and see if anything pops up on the console.

If still nothing, are checksums a problem?  Try running with -k none to
disable.

Report back if you're stuck and we'll see what we can do.

Russ


> Snort 2.8.6.1
> BASE 1.3.9
> MySQL
>
> *Greg Lane*
> *IT Manager*
> *Lane Enterprises*
>
> *Email:*  greglane at ...14965...
> *Phone:* (228)872-2414

