[Snort-users] Test Snort

Márcio Erli marcioerli at ...11827...
Thu Aug 23 16:31:38 EDT 2012


Hi!
After my long adjustments SNORT is working as expected.

Would you like to help me put it to work as an IPS?

Thankful, Marcio.

2012/8/23 Tony Robinson <deusexmachina667 at ...11827...>

> Hey Marcio,
>
> I built a shell script called Autosnort around this install guide. So
> here's a couple of questions that may help you troubleshoot your deployment:
>
> 1) Where is your sensor deployed? Are you giving snort traffic off of a
> span or tap? Have you run /usr/local/snort/bin/snort -i [your sensing
> interface] to verify snort is seeing traffic? If you see the text "commencing
> packet processing" followed by no further messages, either the span/tap
> isn't forwarding traffic to the interface properly, or the interface is set up
> properly. I didn't see anywhere in the install guide where you had to
> configure the physical interface for promiscuous mode, but try doing so.
> 2) I'm assuming you've added snort and barnyard to rc.local per the
> install guide. Have you run ps -ef | grep snort to ensure snort and
> barnyard are running?
> 3) I came to find in my tests that snort report wouldn't give me anything
> until the machine was rebooted after configuring everything for one reason
> or another. Have you rebooted your system since configuring everything per
> the install guide?
> 4) Can you verify that srconf.php has the snort database user and password
> set correctly?
> 5) Has barnyard2.conf been configured to log to the snort database and
> given correct credentials to drop information into the database? Check the
> output: log, mysql [user name, password, database name] to verify
> 6) does the snort user have permissions to do things to the snort
> database? test by running: mysql -usnort -p[snort user password, no space
> between -p and the actual password] snort -e "show tables;"  if this
> returns output the snort user has rights to view data in the snort database.
> 7) Are the unified2 files growing in size? These files should be located in
> /var/log/snort, should have the filename snort.u2.[epoch timestamp here].
> Do an ls -al and confirm your snort unified files are not zero bytes in
> size. If they are 0 bytes in size this indicates snort hasn't generated any
> alerts off of your traffic.
> 8) verify what HOME and EXTERNAL_NET are set to in snort.conf. Try setting
> both to "any" for testing purposes. Also try using backtrack or a system
> running metasploit to attack a system snort has visibility on to generate
> an alert or two.
>
> hope this helps,
>
> -Tony
>
> On Thu, Aug 23, 2012 at 10:32 AM, Márcio Erli <marcioerli at ...11827...> wrote:
>
>> I configured snort based on the documentation link
>> http://www.snort.org/assets/158/snortinstallguide293.pdf from snort.org's own
>> site.
>> It is not generating any alerts.
>> How can I test whether it is working?
>>
>> Thankful, Marcio.
>>
>
>
>
> --
> when does reality end? when does fantasy begin?
>



-- 
Regards,
Márcio Erli
Computer Systems Programmer
Network Analyst
E-Mail: marcioerli at ...15782...
Site: www.marcioerli.com.br
MSN: merlipaula at ...125...
Skype: merlipaula
Phone: (31) 8864-4917
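
Items 5, 7 and 8 of the checklist quoted above can be checked passively from the shell. The script below is an added example, not part of the original thread or of Autosnort; the function names and the sample files it builds in a temporary directory are constructed for illustration. On a real sensor, point the functions at /var/log/snort and at the installed snort.conf and barnyard2.conf.

```shell
#!/usr/bin/env bash
# Added example: passive checks for items 5, 7 and 8 of the quoted checklist.
# Function names and all sample data below are constructed for illustration.

# Item 7: are unified2 spool files present and non-empty?
# Prints one of: missing | empty | alerts
u2_status() {
    u2_seen=0
    for u2_file in "$1"/snort.u2.*; do
        [ -e "$u2_file" ] || continue          # glob matched nothing
        u2_seen=1
        if [ -s "$u2_file" ]; then echo alerts; return 0; fi
    done
    if [ "$u2_seen" -eq 1 ]; then echo empty; else echo missing; fi
}

# Item 8: value of a network variable (HOME_NET, EXTERNAL_NET) in snort.conf.
# Accepts both "var" and "ipvar" declarations; prints nothing if unset.
net_var() {
    awk -v name="$2" \
        '($1 == "var" || $1 == "ipvar") && $2 == name { print $3; exit }' "$1"
}

# Item 5: the active "output database" line in barnyard2.conf, password masked.
# Prints nothing if the line is absent or commented out.
by2_db_output() {
    sed -n '/^[[:space:]]*output[[:space:]]\{1,\}database:/{s/password=[^[:space:]]*/password=***/;p;q;}' "$1"
}

# Constructed sample sensor layout so the checks run offline.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/log" "$DEMO/etc"
: > "$DEMO/log/snort.u2.1345753898"            # zero bytes: no alerts logged yet
printf 'ipvar HOME_NET 192.168.1.0/24\nipvar EXTERNAL_NET !$HOME_NET\n' \
    > "$DEMO/etc/snort.conf"
printf '# output database: log, mysql, user=old\noutput database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost\n' \
    > "$DEMO/etc/barnyard2.conf"

echo "unified2:     $(u2_status "$DEMO/log")"
echo "HOME_NET:     $(net_var "$DEMO/etc/snort.conf" HOME_NET)"
echo "EXTERNAL_NET: $(net_var "$DEMO/etc/snort.conf" EXTERNAL_NET)"
echo "barnyard2:    $(by2_db_output "$DEMO/etc/barnyard2.conf")"
```

A result of `empty` from `u2_status` matches the situation in item 7: Snort is writing its spool file but has not generated an alert from the traffic it sees.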

