[Snort-users] no IDS logs from snort

Kevin Thomas axel2078 at ...11827...
Thu Mar 7 00:21:04 EST 2013

I'm not too familiar with how snort works, so please go easy on me. 
Here's the situation: I recently switched from Smoothwall Express as my 
home firewall to IPfire.  Why? I really just wanted to try something 
newer and different.  When I was running Smoothwall on the same exact 
hardware, snort worked great and there were always entries in the IDS 
logs.  I installed IPfire on the same machine in mid February and 
NOTHING has been logged by snort since it was installed.  The IDS logs 
are always blank.  I have verified that snort is running and I have 
downloaded rule sets from VRT.  I already asked about this in the IPfire 
forums, but since IPfire is German based, there weren't too many 
responses to my English question, but here were some of the mostly 
apathetic responses I got about my concern:

Snort is buggy.
Why do you want to use it?
You don't have enough RAM. (since when is 2GB not enough to run 
snort....it ran fine on Smoothwall!)
You don't have enough rules selected.
You have too many rules selected.
You have the wrong rules selected.
Snort only logs the big stuff.

Only a few people besides myself seem to be concerned that snort doesn't 
seem to be logging properly.   One person even installed wireshark on 
his IPfire system and had his IP port scanned and he found that 
wireshark found and logged all of it and while the firewall blocked it 
just fine, snort only logged about 2% of the attacks.  He recently just 
switched to Smoothwall per my recommendation and he is amazed at how 
well snort works (after some tweaking) and how much it's logging.  I'd 
like to stay with IPfire because of it's built-in feature set, but I 
really want to get snort logging properly.  What do I need to provide to 
you guys to help troubleshoot?  I'm not even sure what version of snort 
this is.  If I run snort in test mode, it reports it as Version 2.9.4 
GRE (Build 40) but the version listed at the top of the snort.conf file 
is  Any help you guys could provide would be most appreciated.  


More information about the Snort-users mailing list