[Snort-users] Is snort working?

Al Lewis (allewi) allewi at cisco.com
Sun Feb 18 18:27:26 EST 2018


Is snort running on your workstation or another machine?

If on another machine how is traffic supposed to get into snort?

Is the traffic spanned to snort or is snort running inline?

Stop/start snort and look at the exit stats. Do you see traffic counts?


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com
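Two of the checks suggested in this thread, written out as an added example (not code from the thread or from the Snort project): does the custom test rule actually match the traffic you generate, and does snort's exit summary show that any packets were received at all? The rule is the one posted further down by Lee; the exit-stats text is a constructed sample whose layout is assumed from Snort 2.9, and the header matcher covers only `any`, single IPs, CIDR blocks and `!` negation.

```python
import ipaddress
import re

# Constructed sample: the custom test rule posted in this thread.
TEST_RULE = 'alert icmp 10.1.10.175 any -> 8.8.8.8 any (msg:"warning1"; sid:1000001; rev:1;)'

# Constructed sample of the "Packet I/O Totals" block snort prints on exit
# (layout assumed from Snort 2.9, not output captured from the thread).
EXIT_STATS = """\
Packet I/O Totals:
   Received:         1534
   Analyzed:         1534 (100.000%)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\(")

def parse_rule_header(rule):
    """Split the rule header into its fields; the option body is ignored."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a recognisable Snort rule header")
    return m.groupdict()

def _addr_match(pattern, addr):
    """'any', a single IP or a CIDR block; a leading '!' negates."""
    if pattern == "any":
        return True
    net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != pattern.startswith("!")

def _endpoints_match(h, src, sport, dst, dport):
    return (_addr_match(h["src"], src) and h["sport"] in ("any", str(sport))
            and _addr_match(h["dst"], dst) and h["dport"] in ("any", str(dport)))

def rule_matches(rule, proto, src, sport, dst, dport):
    """Would this packet header satisfy the rule? '->' is one-way, so a rule
    written for the echo request will not fire on the echo reply."""
    h = parse_rule_header(rule)
    if h["proto"] not in (proto, "ip"):
        return False
    if _endpoints_match(h, src, sport, dst, dport):
        return True
    return h["dir"] == "<>" and _endpoints_match(h, dst, dport, src, sport)

def packets_received(stats_text):
    """'Received' count from the exit stats; 0 means no traffic reached snort."""
    m = re.search(r"Received:\s+(\d+)", stats_text)
    return int(m.group(1)) if m else 0
```

If `packets_received` comes back as 0 after a stop/start, the problem is upstream of the rules (wrong interface, no span/inline path), not the ruleset.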
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Lee Brown <leeb at ratnaling.org>
Date: Sunday, February 18, 2018 at 6:23 PM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: Re: [Snort-users] Is snort working?

Here's what I used to test with: my workstation pinging 8.8.8.8 triggers this.

alert icmp 10.1.10.175 any -> 8.8.8.8 any (msg:"warning1"; sid:1000001; rev:1;)

On Sun, Feb 18, 2018 at 2:59 PM, Al Lewis (allewi) via Snort-users <snort-users at lists.snort.org> wrote:
Are you sure that snort is seeing traffic correctly?

Write a custom rule and/or create some traffic or condition that will trigger a rule.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of bobby via Snort-users <snort-users at lists.snort.org>
Reply-To: bobby <architectofthefuture at gmail.com>
Date: Sunday, February 18, 2018 at 3:04 PM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [Snort-users] Is snort working?

I am using the default registered user snort rules.  I have not modified the rules.  I noticed that my snort log has not been updated/growing.  I would think by default, many rules would be enabled, and the log would grow exponentially in size.  Am I wrong to assume this?

_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
