[Snort-users] no IDS logs from snort

waldo kitty wkitty42 at ...14940...
Mon Mar 11 18:20:41 EDT 2013


On 3/11/2013 12:52, Kevin Thomas wrote:
> All, I think this problem is resolved now.  I deleted all of my snort rules
> under /etc/snort/rules and then I changed my source from "Sourcefire VRT for
> registered users" to "EmergingThreats.net Community rules" and then pulled the
> updates for the new rules, selected the rules I wanted to use, and then stopped
> and restarted snort. Not long afterward, it began writing to the
> /var/log/snort/alert file and guardian could finally act on the alerts.  Next on
> the agenda is to find out why the guardian process keeps dying and restarting
> automatically every 20 minutes or so, releasing all the IP blocks when it
> restarts.  Thanks to everyone who offered insight/suggestions.

interesting... however, i don't think it was the VRT rules at fault...

i gotta wonder what version of guardian that is they are running on ipfire now...

as for guardian restarting, i've seen that before when a monitoring tool was set 
to ensure that guardian was running but the wrong pid file was used... so the 
monitoring tool would not see the pid it was expecting (because guardian was 
using a differently named one) and it would stop guardian and restart it with 
the stopstart script every 20 minutes because that was how often the monitoring 
tool was set for...
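As an added example that is not part of the thread (editor's code, not guardian's, ipfire's or either poster's), here is a small POSIX shell check for the pid-file mismatch described above: it reads a pid file and reports whether the file is missing, stale, or points at a live process, then demonstrates all three verdicts with constructed files in a temporary directory. The file names guardian.pid, guardian-monitor.pid and old.pid are assumptions for the demonstration; nothing here reflects guardian's or ipfire's actual paths or configuration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a minimal watchdog-style check
# that reports whether the pid file it is told to read points at a live process.
# Assumption: the daemon writes its own pid to a file; the monitor reads some path.

# pidfile_status PIDFILE
#   returns 0 : pid file present and the pid in it is alive
#   returns 1 : pid file absent (the monitor is probably reading the wrong path)
#   returns 2 : pid file present but empty or its pid is not running (stale file)
pidfile_status() {
    pidfile=$1
    if [ ! -r "$pidfile" ]; then
        return 1
    fi
    # keep only digits so a trailing newline or stray whitespace cannot break kill
    pid=$(tr -cd '0-9' < "$pidfile")
    if [ -z "$pid" ]; then
        return 2
    fi
    # kill -0 sends no signal; it only tests whether the pid exists and is signalable
    if kill -0 "$pid" 2>/dev/null; then
        return 0
    fi
    return 2
}

# describe_status PIDFILE: prints a one-line verdict for a human reading the log
describe_status() {
    rc=0
    pidfile_status "$1" || rc=$?
    case $rc in
        0) echo "ok: $1 -> live process" ;;
        1) echo "missing: $1 not found; monitor may be reading the wrong pid file" ;;
        2) echo "stale: $1 exists but its pid is not running" ;;
    esac
}

# Demonstration with constructed pid files in a temp directory. The "daemon" is
# this shell itself (pid $$), which writes guardian.pid; the monitor is assumed to
# be configured for guardian-monitor.pid, which nothing ever writes; old.pid holds
# a constructed pid that is not running.
demo() {
    dir=$(mktemp -d)
    echo "$$" > "$dir/guardian.pid"
    echo 99999999 > "$dir/old.pid"
    describe_status "$dir/guardian.pid"           # ok
    describe_status "$dir/guardian-monitor.pid"   # missing
    describe_status "$dir/old.pid"                # stale
    rm -rf "$dir"
}

demo
```

Run it against the pid file the monitor is configured with, next to the one the daemon actually writes: a `missing` verdict on the monitor's path while the daemon's own file reports `ok` is exactly the mismatch described above, and the fix is to point the monitor at the file the daemon writes (or make the daemon write the one the monitor expects) rather than letting the monitor keep stop/starting a healthy process.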