[Snort-users] snort

Nick Moore nmoore at ...1935...
Fri Mar 2 10:25:47 EST 2012


Jagan,

Are you seeing traffic that would generate any events besides ICMP events?
The snort.conf doesn't seem to contain any problems that I can catch at a
glance.

A good way to test your policy is to download some sample pcaps from
http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Publicly_available_PCAP_files and
test your snort instance with them, using:

snort -c c:\snort\snort.conf -r c:\pcap\sample.pcap

assuming that you put your downloaded pcap file in the path c:\pcap and
named it sample.pcap. I used the W32/Sdbot infected machine pcap and with a
standard set of rules got one alert.

Also, please cc the entire list on replies, not just me. You'll get faster
responses that way.

Thanks!

Nick

On Fri, Mar 2, 2012 at 6:26 AM, Jagan Mohan Reddy D <
jagan.mohan507 at ...11827...> wrote:

> Nick,
>
> Thanks for your reply.....!!!!!!!!
>
> Now I'm running fine at some point of time......
>
> I'm running SNORT on WIN by the following command...
>
> C:\snort\bin> snort -dev -c C:\snort\etc\snot.conf
>
> In my log file I'm able to log only ICMP packets....
>
> Why does snort store only the ICMP packets in the log file, why not
> others.....?
>
> Here I'm attaching my log file as well as snort.conf......!
>
>
> Can you please tell me if anything is wrong with my conf file....
>
>
> ----------------
> Thanks & Regards
> D J M Reddy
>
>
>
> On 14 February 2012 18:19, Nick Moore <nmoore at ...1935...> wrote:
>
>> Jagan,
>>
>> My guess is that your snort.conf file contains a reference to
>> log/merged.log. Since the "/" is used in linux/unix systems and the "\" is
>> used in Windows, you should find that reference in snort.conf and edit it
>> to match the proper file name and path on your system.
>>
>> Also, please consider moving to linux/unix. Shared object rules are not
>> available for Windows and this leaves you unprotected against a number of
>> threats.
>>
>> If you need more specific help, please also consider attaching your
>> snort.conf file to these requests. It will likely speed up response time
>> and give those that would help more information.
>>
>> Happy Snorting,
>>
>> Nick
>>
>> On Tue, Feb 14, 2012 at 6:23 AM, Jagan Mohan Reddy D <
>> jagan.mohan507 at ...11827...> wrote:
>>
>>> I am running snort on WIN XP
>>>
>>> I am executing snort with Mysql.....
>>>
>>> While running snort on win XP, I got the following error...
>>>
>>> C:\snort\bin> snort -c C:\Snort\etc\snort.conf
>>>
>>>
>>> +----------------------------------------------------------------
>>> [ Number of patterns truncated to 20 bytes: 1012 ]
>>> pcap DAQ configured to passive.
>>> Acquiring network traffic from
>>> "\Device\NPF_{D2775E7F-A95E-4DC5-AB8D-CCFE1A2DF92
>>> 6}".
>>> Decoding Ethernet
>>> ERROR: C:\Documents and Settings\Administrator\My
>>> Documents\snortbuild\snort-2.9
>>> .1.2\src\output-plugins\spo_unified2.c(302) Could not open
>>> log/merged.log: No such file or directory
>>> Fatal Error, Quitting..
>>>
>>> I am unable to locate that path in my system...
>>>
>>> What's wrong with my Snort....?
>>>
>>> Can anyone reply to me.....
>>>
>>> ----------------
>>> Thanks & Regards
>>> D J M Reddy
>>>
>>>
>>>
>


-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore at ...1935...
IM    nickgmoore (Yahoo)
       nickgmoore38 (AIM)

    ,,_
   o"  )~   Sourcefire - The Creators of Snort
    ''''

www.sourcefire.com         www.snort.org     www.immunet.com
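The earlier advice in this thread was to find the output-plugin file reference in snort.conf and make sure it matches a real path on the system. The script below is an added example for that step; it is not code from the thread or from the Snort project. It parses the `config logdir:` and `output ...:` directives of a snort.conf, resolves each output filename against the log directory the way Snort does (relative names land inside logdir, which defaults to `log` on Windows), and reports any output file whose directory does not exist, which is the condition behind a "Could not open log/merged.log: No such file or directory" error like the one quoted above. The snort.conf excerpt embedded in it is constructed for the example (the poster's attachment was scrubbed from the archive) and follows the Snort 2.9 `output unified2: filename ..., limit ...` and `output alert_fast: <path>` syntax.

```python
"""Pre-flight check for the output-plugin paths in a snort.conf.

Added example (not Snort's own code). Assumes Snort 2.9 syntax:
  config logdir: <dir>                      -- log directory (default "log" here)
  output unified2: filename <name>, ...     -- file opened inside logdir
  output alert_fast: <name>                 -- bare path, also inside logdir
Snort opens these files inside logdir and does not create that directory,
so a missing directory produces "Could not open <logdir>/<name>".
"""
import os
import re

# Constructed snort.conf excerpt for the example; the real attachment from the
# thread did not survive the archive.
SAMPLE_CONF = """\
var RULE_PATH c:\\snort\\rules
config logdir: log
output unified2: filename merged.log, limit 128, nostamp   # default-style line
output alert_fast: alerts.txt
include $RULE_PATH/local.rules
"""

LOGDIR_RE = re.compile(r"^\s*config\s+logdir\s*:\s*(\S+)")
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$")
FILENAME_RE = re.compile(r"\bfilename\s+([^,\s]+)")


def parse_outputs(conf_text, default_logdir="log"):
    """Return (logdir, [(plugin, filename), ...]) parsed from snort.conf text."""
    logdir = default_logdir
    outputs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]            # strip trailing comments
        m = LOGDIR_RE.match(line)
        if m:
            logdir = m.group(1)
            continue
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, args = m.groups()
        fm = FILENAME_RE.search(args)
        if fm:                                 # unified2 style: "filename X, limit ..."
            outputs.append((plugin, fm.group(1)))
        elif args:                             # alert_fast style: bare path first
            outputs.append((plugin, args.split(",")[0].split()[0]))
    return logdir, outputs


def resolve_paths(conf_text, default_logdir="log"):
    """Map each output plugin to the path Snort will try to open."""
    logdir, outputs = parse_outputs(conf_text, default_logdir)
    resolved = {}
    for plugin, name in outputs:
        # An absolute filename bypasses logdir; a relative one is placed inside it.
        resolved[plugin] = name if os.path.isabs(name) else os.path.join(logdir, name)
    return resolved


def check_outputs(conf_text, default_logdir="log", isdir=os.path.isdir):
    """Return a list of problem strings for output files whose directory is missing.

    `isdir` is injectable so the check can be exercised against a fake filesystem.
    """
    problems = []
    for plugin, path in resolve_paths(conf_text, default_logdir).items():
        directory = os.path.dirname(path) or "."
        if not isdir(directory):
            problems.append(f"{plugin}: directory '{directory}' for '{path}' does not exist")
    return problems


if __name__ == "__main__":
    # Run from the directory you start snort in, since a relative logdir is
    # resolved against the current working directory.
    issues = check_outputs(SAMPLE_CONF)
    print("\n".join(issues) if issues else "all output directories exist")
```

Run it from the same directory you launch snort from (here `C:\snort\bin`), because a relative `logdir` such as `log` is resolved against the current working directory, which is exactly why a configuration can work from one directory and fail from another.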