[Snort-users] snort suddenly stopped to record events

Peter Bates peter.bates at ...15381...
Wed Jul 24 11:20:28 EDT 2013



Hello all

On 24/07/2013 15:00, Alex wrote:
> Now, in snort.conf I have 2 lines defined for output:
> 
> output unified2: filename merged.log, limit 128
> 
> and
> 
> output alert_syslog: LOG_AUTH LOG_ALERT

Yes - there are 2 lines, so you have defined 2 different outputs.

Are you trying to output to unified2 (the first line), or syslog, or both?

I'd recommend sticking to unified2 only
unless you only want to read alerts via syslog, and then
I'd use the second line.

Personally I'm writing to unified2 and then using BY2
to read from those files and output to syslog and a DB.

> Now, I've started snort as daemon and tried to generate some traffic again, 
> telneting another host from the same source (192.168.51.59)
> 
> telnet 192.168.51.100 80! Unfortunately, this time tcpdump will show and 
> record only arp request:
> 
> [root at ...4157... ~]# tcpdump -i eth4 -v host 192.168.51.59
> tcpdump: WARNING: eth4: no IPv4 address assigned
> tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 96 bytes
> 16:20:41.672663 arp who-has 192.168.51.59 tell 192.168.51.100

If tcpdump is not seeing your traffic on eth4 then that's nothing to do with Snort!

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT
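As an added illustration of the layout Peter describes (Snort writes unified2 only, Barnyard2 reads those files and fans them out to syslog and a database), here are the two config fragments side by side. This is example configuration written for this page, not taken from Alex's or Peter's mail nor from the Snort or Barnyard2 projects; the file paths, the sensor name `sensor01`, the database credentials and the waldo file name are assumptions.

```conf
# /etc/snort/snort.conf, output section (assumed path)
# Snort writes binary unified2 records only. Keeping a single output
# plugin here means a missing alert can only be in one place: the
# unified2 file under the directory given to snort -l.
output unified2: filename merged.log, limit 128

# /etc/snort/barnyard2.conf (assumed path); Barnyard2 does the fan-out
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config hostname:  sensor01        # assumed sensor name
config interface: eth4            # the interface Snort sniffs

input unified2

# Same facility/level Alex had in snort.conf, now driven by Barnyard2
output alert_syslog: LOG_AUTH LOG_ALERT

# Database sink; user, password, dbname and host are placeholders
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1
```

Barnyard2 is then started against the same directory and file base name that Snort writes to, for example `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo`: `-d` is Snort's log directory, `-f` matches the `filename` in the unified2 line, and `-w` names the bookmark (waldo) file so a restart resumes where it left off instead of replaying every record into syslog and the database. If Barnyard2 shows nothing while the unified2 file is growing, the problem is on the Barnyard2 side; if the unified2 file itself never grows, as in Alex's case, look at whether traffic reaches the interface at all before touching either config.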
