[Snort-users] Snort 2.9.4.5 rules using pp

James Lay jlay at ...13475...
Tue Apr 23 07:14:48 EDT 2013


Let's see one of the rules, and what do your HOME_NET and EXTERNAL_NET look like?

James

On Apr 22, 2013, at 10:40 PM, Ashraf Ali <ashrafali.ibs at ...11827...> wrote:

> Yes, if I use the command (snort -c /usr/local/snort/snort.conf -i eth0 -A) I can see lots of traffic on the console, but nothing is getting dumped in the log file; it is still 0 bytes.
> 
> I did some R&D by creating a file called local.rules in the same rules folder and adding a signature: alert tcp any any -> any any (msg:"Tcp traffic found"; sid:1000001;)
> In the snort.conf file I put a # before the include statement of the snort.rules line and added local.rules.
> Later I restarted both the snort and barnyard2 daemons, and guess what: I can see the log file filling up, and in the GUI I can see the alerts.
> 
> There seems to be some problem with the snort.rules file which PP has created.
> 
> Regards,
> Ashraf
> Security System Engineer.
> 
> 
>  
> 
> 
> On Mon, Apr 22, 2013 at 9:37 PM, Y M <snort at ...15979...> wrote:
> If you run snort with -A console or -A cmg, do you see any alerts on the console?
> 
> Also run tcpdump against the interface you are listening from, simply
> 
> tcpdump -i ethX -v
> 
> Do you see any traffic? Replace ethX with your interface.
> From: Ashraf Ali
> Sent: 4/22/2013 3:37 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort 2.9.4.5 rules using pp
> 
> Hi All,
> 
> Recently I deployed Snort on Ubuntu 12.04 using Autosnort. During the installation PP asked for an Oinkcode; as I am a registered user, I provided it.
> After completion of the installation I saw that the snort and barnyard2 services are running in daemon mode, and in the /var/log/snort folder a file with the name snort.u2.1366**** is also created but empty (0 bytes).
> 
> -rw-r--r--  1 snort snort    2056 Apr 22 17:54 barnyard2.waldo
> -rw-------  1 snort snort         0 Apr 22 17:54 snort.u2.136662*****
> 
> There is a single rules file called snort.rules in the /usr/local/snort/rules folder which has all the downloaded Snort rules, and the same is included in the snort.conf file.
> Even when I run Snort in test mode using -T, it does not show any problem; it works fine but is not generating any logs.
> 
> I have formatted the server and re-installed everything manually this time. Still the same problem: the file is getting created but no logs.
> 
> Please advise.
> 
> Ashraf
> Security System Engineer
> 
>  
> 
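As an added illustration, not code from this thread, from Autosnort or from PulledPork: a small Python sanity check for a rules file in the spirit of the two questions raised above, namely whether each rule actually parses and whether its address fields depend on HOME_NET/EXTERNAL_NET. It runs on a constructed local.rules and a constructed snort.conf variable block embedded inline; the any/any test rule is the one from the thread with its missing ";" and ")" supplied. The function names (parse_rule, lint_rules) and the samples are my own assumptions.

```python
import re

# Constructed sample rule set (not the files from the thread). Line 1 is the
# any/any test rule from the thread, with the missing ';' and ')' supplied.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"Tcp traffic found"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to home net"; flow:to_server,established; sid:1000002; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"disabled DNS rule"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Oops; no sid")
alert tcp any any -> any any msg:"not parenthesised" sid:1000004
"""

# Constructed snort.conf variable block (hypothetical values).
SAMPLE_CONF = """\
ipvar HOME_NET 10.0.0.0/8
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def split_options(opts):
    """Split the option body on ';' that sit outside double quotes."""
    out, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            out.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append(''.join(cur).strip())
    return [o for o in out if o]


def parse_rule(line):
    """Return a dict for one rule line, or None if header/option syntax is off."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    options = {}
    for opt in split_options(rule.pop('opts')):
        key, _, val = opt.partition(':')
        options[key.strip()] = val.strip()
    rule['options'] = options
    return rule


def parse_vars(conf_text):
    """Collect ipvar/portvar/var definitions from a snort.conf fragment."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r'^\s*(ipvar|portvar|var)\s+(\w+)\s+(\S+)', line)
        if m:
            found[m.group(2)] = m.group(3)
    return found


def lint_rules(rules_text, conf_text):
    """Summarise which rules are live, broken, or scoped by HOME_NET."""
    variables = parse_vars(conf_text)
    report = {'enabled': 0, 'commented': 0, 'unparseable': [], 'missing_sid': [],
              'undefined_vars': [], 'any_any': [], 'needs_home_net': [],
              'home_net': variables.get('HOME_NET')}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        s = line.strip()
        if not s:
            continue
        if s.startswith('#'):          # disabled (e.g. by the rule manager)
            report['commented'] += 1
            continue
        rule = parse_rule(s)
        if rule is None:               # snort -T would reject this line
            report['unparseable'].append(lineno)
            continue
        report['enabled'] += 1
        if 'sid' not in rule['options']:
            report['missing_sid'].append(lineno)
        fields = (rule['src'], rule['sport'], rule['dst'], rule['dport'])
        for field in fields:
            for var in re.findall(r'\$(\w+)', field):
                if var not in variables:
                    report['undefined_vars'].append((lineno, var))
        if all(f == 'any' for f in fields):
            report['any_any'].append(lineno)       # fires on any traffic
        elif any('HOME_NET' in f for f in fields):
            report['needs_home_net'].append(lineno)  # silent if HOME_NET is wrong
    return report


if __name__ == '__main__':
    for key, val in lint_rules(SAMPLE_RULES, SAMPLE_CONF).items():
        print(f'{key}: {val}')
```

The useful comparison is any_any against needs_home_net: an any/any rule like the thread's test signature fires on whatever the sensor sees, while rules scoped to $HOME_NET/$EXTERNAL_NET stay silent if HOME_NET does not cover the traffic on the monitored interface, which is why the reply asks for those two variables.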
