[Snort-users] no IDS logs from snort
axel2078 at ...11827...
Thu Mar 7 00:21:04 EST 2013
I'm not too familiar with how snort works, so please go easy on me.
Here's the situation: I recently switched from Smoothwall Express as my
home firewall to IPfire. Why? I really just wanted to try something
newer and different. When I was running Smoothwall on the exact same
hardware, snort worked great and there were always entries in the IDS
logs. I installed IPfire on the same machine in mid February and
NOTHING has been logged by snort since it was installed. The IDS logs
are always blank. I have verified that snort is running and I have
downloaded rule sets from VRT. I already asked about this in the IPfire
forums, but since IPfire is German-based, there weren't too many
responses to my English question. Here are some of the mostly
apathetic responses I got about my concern:
Snort is buggy.
Why do you want to use it?
You don't have enough RAM. (Since when is 2GB not enough to run
snort? It ran fine on Smoothwall!)
You don't have enough rules selected.
You have too many rules selected.
You have the wrong rules selected.
Snort only logs the big stuff.
Only a few people besides myself seem to be concerned that snort doesn't
seem to be logging properly. One person even installed wireshark on
his IPfire system and had his IP port scanned. Wireshark found and
logged all of it, and while the firewall blocked it just fine, snort
only logged about 2% of the attacks. He recently switched to
Smoothwall per my recommendation and he is amazed at how well snort
works (after some tweaking) and how much it's logging. I'd like to
stay with IPfire because of its built-in feature set, but I
really want to get snort logging properly. What do I need to provide to
you guys to help troubleshoot? I'm not even sure what version of snort
this is. If I run snort in test mode, it reports it as Version 2.9.4
GRE (Build 40), but the version listed at the top of the snort.conf file
is 126.96.36.199. Any help you guys could provide would be most appreciated.
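The post asks what to collect before anyone can troubleshoot a Snort 2.9 sensor that never writes an alert. The script below is an added example, not code from the original post, from IPfire or from the Snort project. It runs offline over three things you can copy off the box: the running snort command line(s) from `ps -o args -C snort`, the text of snort.conf, and the rule files that snort.conf includes. It then reports the usual reasons for an empty IDS log: snort bound to the wrong interface, no `output` plugin, `HOME_NET any` combined with `EXTERNAL_NET !$HOME_NET` (which resolves to `!any`), and rule files that are empty or fully commented out. The interface names `green0` and `red0` are assumed to be IPfire's LAN and WAN interfaces; the sample process line, snort.conf and rule files are constructed for the example, not captured from a real system. (On the version question in the post: `snort -V` or test mode reports the engine build, while the header of a VRT-supplied snort.conf states the Snort version that rule package was built for; the two need not match exactly.)

```python
"""Offline first-pass checks for a Snort 2.9 sensor that logs nothing.

Added example, not part of the original post or of IPfire/Snort. It parses
text you collect on the box: `ps -o args -C snort` output, snort.conf, and
the rule files snort.conf includes.
"""
import re

# Actions Snort 2.9 accepts at the start of a rule line.
RULE_ACTIONS = ("alert", "log", "pass", "drop", "sdrop", "reject", "activate", "dynamic")


def snort_interfaces(ps_lines):
    """Return {interface: command line} for every running snort process.

    Snort inspects only the interface named by -i, so a sensor bound to the
    LAN side never sees a scan that hits the WAN address.
    """
    found = {}
    for line in ps_lines:
        m = re.search(r"(?:^|\s)-i\s*(\S+)", line)
        if "snort" in line and m:
            found[m.group(1)] = line.strip()
    return found


def parse_conf(conf_text):
    """Pull the settings that decide whether anything can ever be alerted on."""
    conf = {"vars": {}, "outputs": [], "includes": []}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. commented-out outputs
        if not line:
            continue
        m = re.match(r"(?:var|ipvar|portvar)\s+(\S+)\s+(.+)", line)
        if m:
            conf["vars"][m.group(1)] = m.group(2).strip()
        elif line.startswith("output "):
            conf["outputs"].append(line[len("output "):].strip())
        elif line.startswith("include "):
            conf["includes"].append(line[len("include "):].strip())
    return conf


def count_enabled_rules(rules_text):
    """Count rule lines that are live, i.e. start with an action, not '#'."""
    n = 0
    for raw in rules_text.splitlines():
        if raw.strip().split(" ", 1)[0] in RULE_ACTIONS:
            n += 1
    return n


def diagnose(ps_lines, conf_text, rules_by_include, expected_iface):
    """Return a list of findings that would explain an empty alert log."""
    findings = []
    ifaces = snort_interfaces(ps_lines)
    if not ifaces:
        findings.append("no running snort process with an -i interface found")
    elif expected_iface not in ifaces:
        findings.append("snort is bound to %s, not %s; traffic on %s is never inspected"
                        % (", ".join(sorted(ifaces)), expected_iface, expected_iface))
    conf = parse_conf(conf_text)
    if not conf["outputs"]:
        findings.append("no 'output' plugin in snort.conf, so nothing writes alerts to disk")
    home = conf["vars"].get("HOME_NET", "any")
    ext = conf["vars"].get("EXTERNAL_NET", "any")
    if home == "any" and ext == "!$HOME_NET":
        findings.append("HOME_NET is 'any' while EXTERNAL_NET is '!$HOME_NET', so EXTERNAL_NET "
                        "resolves to '!any'; set HOME_NET to the real local ranges")
    rule_includes = [i for i in conf["includes"] if i.endswith(".rules")]
    if not rule_includes:
        findings.append("snort.conf includes no .rules files")
    total = sum(count_enabled_rules(rules_by_include.get(i, "")) for i in rule_includes)
    if rule_includes and total == 0:
        findings.append("all included rule files are empty or fully commented out")
    return findings


# --- constructed sample input (assumed IPfire layout: green0 = LAN, red0 = WAN) ---
SAMPLE_PS = ["snort -c /etc/snort/snort.conf -i green0 -D -l /var/log/snort"]
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
# output alert_fast: alert
include $RULE_PATH/local.rules
include $RULE_PATH/scan.rules
"""
SAMPLE_RULES = {
    "$RULE_PATH/local.rules": '# alert icmp any any -> any any (msg:"ICMP test"; sid:1000001; rev:1;)\n',
    "$RULE_PATH/scan.rules": "",
}

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_PS, SAMPLE_CONF, SAMPLE_RULES, expected_iface="red0"):
        print("-", finding)
```

Run it against the real files from the box with `expected_iface` set to the interface the scans arrive on; an empty findings list means the cheap checks pass and the next step is a deliberate test alert (an ICMP rule in local.rules plus a ping) to prove the output path end to end.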