[Snort-users] no IDS logs from snort

Ray Caparros arcy24 at ...11827...
Mon Mar 11 14:02:40 EDT 2013


Glad to know you got it working!
 On Mar 11, 2013 1:56 PM, "Kevin Thomas" <kpt2078 at ...11827...> wrote:

> All, I think this problem is resolved now.  I deleted all of my snort
> rules under /etc/snort/rules and then I changed my source from "Sourcefire
> VRT for registered users" to "EmergingThreats.net Community rules" and then
> pulled the updates for the new rules, selected the rules I wanted to use,
> and then stopped and restarted snort. Not long afterward, it began writing
> to the /var/log/snort/alert file and guardian could finally act on the
> alerts.  Next on the agenda is to find out why the guardian process keeps
> dying and restarting automatically every 20 minutes or so, releasing all
> the IP blocks when it restarts.  Thanks to everyone who offered
> insight/suggestions.
>
> Kevin
>
>
> On Mon, Mar 11, 2013 at 11:53 AM, waldo kitty <wkitty42 at ...14940...>wrote:
>
>> On 3/8/2013 17:44, Kevin Thomas wrote:
>> > This is the contents of the /etc/snort directory.  The files owned by
>> > root:root were created by me.
>> >
>> > -rw-r--r-- 1 root   root      152 2013-03-06 18:13 readme.txt
>> > drwxr-xr-x 2 nobody nobody  12288 2013-03-06 23:37 rules
>> > -rw-r--r-- 1 nobody nobody  19506 2013-03-06 23:57 snort.conf
>> > -rw-r--r-- 1 nobody nobody  19506 2013-02-16 11:03 snort.conf.orig
>> > -rwxr-xr-x 1 root   root       73 2013-03-06 18:38 snort-test.sh
>> > -rwxr-xr-x 1 root   root       29 2013-03-07 00:01 start.sh
>> > -rwxr-xr-x 1 root   root       28 2013-03-07 00:02 stop.sh
>> > -rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
>> > -rw-r--r-- 1 root   root      104 2013-03-07 00:03 vars
>>
>> what are the contents of this vars file? what creates it? when?
>>
>> > # taken from /etc/snort vars
>> > #ipvar HOME_NET any
>> >
>> > # Set up the external network addresses. Leave as "any" in most situations
>> > ipvar EXTERNAL_NET any
>>
>> i ask about that vars file because it is referenced above... you did not
>> post your entire snort.conf so i can't see if there's an
>> "include /etc/snort/vars" line in it as is indicated there should be...
>>
>> i'm thinking that file may need to be nobody:nobody because snort is
>> likely running as nobody... that's the way we do it anyway ;)
>>
>>
>> ------------------------------------------------------------------------------
>> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
>> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
>> endpoint security space. For insight on selecting the right partner to
>> tackle endpoint security challenges, access the full report.
>> http://p.sf.net/sfu/symantec-dev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
>
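The two points raised in the thread, whether snort.conf actually includes the vars file and whether every included file is readable by the account Snort drops to (nobody), can be checked without restarting the sensor. The script below is an added example written for this archive page, not Snort's own code: it walks a snort.conf the way Snort reads it (includes processed inline, the last `ipvar` definition winning), judges readability from the mode bits for a chosen uid/gid rather than for whoever runs the script, and reports each file as ok, unreadable or missing. The sample config and the "vars" file it builds are constructed; resolving relative include paths against the including file's directory is an assumption about Snort, and the target uid used in `demo()` is a stand-in for nobody's real uid.

```python
"""Walk a snort.conf as Snort would (includes inline, later ipvar definitions
overriding earlier ones) and report whether each file is readable by the
uid/gid Snort runs as.  Added example for this mailing-list thread, not
Snort's own code; SAMPLE_CONF and the files demo() creates are constructed."""
import os
import re
import stat
import tempfile

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)")
IPVAR_RE = re.compile(r"^\s*ipvar\s+(\S+)\s+(\S+)")

# Constructed sample modelled on the fragment quoted in the thread.
SAMPLE_CONF = """\
#ipvar HOME_NET any
ipvar HOME_NET 192.168.1.0/24
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
var RULE_PATH rules
include vars
include $RULE_PATH/local.rules
"""


def readable_by(st, uid, gids):
    """Readable for *uid* (a member of *gids*), judged from mode bits alone so
    the answer concerns the target account, not the user running this script."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def walk(conf_path, uid, gids, ipvars=None, plain=None, report=None):
    """Process *conf_path* and its includes inline.  Returns (ipvars, report);
    report maps each absolute path to 'ok', 'unreadable' or 'missing'.
    Relative include paths are resolved against the including file's
    directory (assumption about Snort; absolute paths avoid the question)."""
    ipvars = {} if ipvars is None else ipvars
    plain = {} if plain is None else plain
    report = {} if report is None else report
    conf_path = os.path.abspath(conf_path)
    try:
        st = os.stat(conf_path)
    except FileNotFoundError:
        report[conf_path] = "missing"
        return ipvars, report
    report[conf_path] = "ok" if readable_by(st, uid, gids) else "unreadable"
    conf_dir = os.path.dirname(conf_path)
    try:
        lines = open(conf_path).read().splitlines()
    except PermissionError:          # not readable by us either; nothing to parse
        return ipvars, report
    for line in lines:
        m = IPVAR_RE.match(line)
        if m:                        # last definition wins, as in Snort
            ipvars[m.group(1)] = m.group(2)
            continue
        m = VAR_RE.match(line)
        if m:
            plain[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            path = m.group(1)
            for name, value in plain.items():   # expand $RULE_PATH and friends
                path = path.replace("$" + name, value)
            if not os.path.isabs(path):
                path = os.path.join(conf_dir, path)
            walk(path, uid, gids, ipvars, plain, report)
    return ipvars, report


def demo():
    """Build a throwaway /etc/snort lookalike and check it for a uid/gid that
    is certainly not the one creating the files (stand-in for nobody; in real
    use take them from pwd.getpwnam('nobody'))."""
    tmp = tempfile.mkdtemp()
    conf = os.path.join(tmp, "snort.conf")
    with open(conf, "w") as fh:
        fh.write(SAMPLE_CONF)
    vars_path = os.path.join(tmp, "vars")
    with open(vars_path, "w") as fh:
        fh.write("ipvar HOME_NET 10.0.0.0/8\n")   # overrides snort.conf's value
    os.chmod(conf, 0o644)
    os.chmod(vars_path, 0o600)   # owner-only, like a root-created file read by nobody
    uid, gids = os.getuid() + 1, {os.getgid() + 1}
    ipvars, report = walk(conf, uid, gids)
    return ipvars, {os.path.relpath(p, tmp): s for p, s in report.items()}


if __name__ == "__main__":
    effective, status = demo()
    for path, state in status.items():
        print(f"{state:10s} {path}")
    print("effective ipvars:", effective)
```

Against a live sensor, call `walk("/etc/snort/snort.conf", uid, gids)` with the uid and group ids of the account named in the `-u`/`-g` options or the `config set_uid`/`set_gid` lines; any "unreadable" entry is a file Snort will fail to open after dropping privileges, and the returned ipvars show which HOME_NET definition actually survives the include order.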