[Snort-users] How to test if snort is properly functioning?

Joost Ringoot joost.ringoot at meteo.be
Thu Mar 14 04:35:21 EDT 2019


Hello, 

I have just set up snort and let it run with this command: 

snort -i ens224 -A fast -c /etc/snort/snort.conf 

It is running, and these are the last lines it printed:
Preprocessor Object: SF_GTP Version 1.1 <Build 1> 
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4> 
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13> 
Preprocessor Object: SF_DNS Version 1.1 <Build 4> 
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1> 
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3> 
Commencing packet processing (pid=31593) 


ens224 is a secondary network interface which is not configured with an IP address; I think that is OK and even preferred?


But nothing gets logged.

I tried a couple of nmaps to get something logged, e.g.:

nmap -sP 192.168.15.0/24

even on the machine itself.

BTW: 192.168.15.0/24 is the subnet configured on the primary interface; it is the same physical LAN as the secondary interface that I use for snort.

I would expect that snort would log something about the portscan, but nothing. 

There are daily alert files in /var/log/snort, but they are empty.


Are my expectations wrong? 
What should I do for instance to get a portscan logged by snort? 




(BTW: PulledPork is installed, and

./pulledpork/pulledpork.pl -c /etc/pulledpork/pulledpork.conf

ends with:
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
)



Thanks in advance, 





KMI - IRM 
Joost RINGOOT 
System Administrator 
Koninklijk Meteorologisch Instituut 
Institut Royal Météorologique 
Ringlaan 3 Avenue Circulaire 
1180 Brussel | Bruxelles 
+32 (0)2 373 06 75 
after office hours: 
+32 (0)2 373 06 83 
www.meteo.be 


Think of the environment: only print this mail if really necessary.
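A minimal end-to-end check for the situation described in this post, added here as an example (it is not part of the original message and not Snort project code). The usual way to confirm a Snort 2.9.x sensor is alive is to add a harmless local rule that every ICMP echo request will trigger, validate the configuration with `snort -T`, restart the sensor so the rule is loaded, ping a host on the monitored LAN and then look for the rule's SID in the `-A fast` alert file. Two assumptions worth stating: the paths (/etc/snort/rules/local.rules and /var/log/snort/alert), the interface ens224 and the target 192.168.15.1 are taken from the post or chosen for illustration, and the alert-line shape checked by `count_test_alerts` is the standard fast format (`[gid:sid:rev]`).

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the usual Snort 2.9.x
# layout: local rules in /etc/snort/rules/local.rules, "-A fast" alerts in
# /var/log/snort/alert. File paths are passed as arguments so the helpers
# can be exercised against copies.

TEST_SID=10000001        # SIDs >= 1000000 are reserved for local rules

# Emit a harmless local rule that fires on any ICMP echo request.
test_rule() {
    printf 'alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo test"; itype:8; sid:%s; rev:1;)\n' "$TEST_SID"
}

# Append the test rule to the given rules file unless it is already present.
# usage: install_test_rule /etc/snort/rules/local.rules
install_test_rule() {
    rules_file="$1"
    if [ -f "$rules_file" ] && grep -q "sid:$TEST_SID;" "$rules_file"; then
        return 0
    fi
    test_rule >> "$rules_file"
}

# Count lines in a "-A fast" alert file that carry our SID. Fast alerts look
# like: "... [**] [1:10000001:1] LOCAL ICMP echo test [**] ..." (gid:sid:rev).
# usage: count_test_alerts /var/log/snort/alert
count_test_alerts() {
    alert_file="$1"
    if [ ! -f "$alert_file" ]; then
        echo 0
        return 0
    fi
    grep -c "\[1:$TEST_SID:" "$alert_file" || true
}

# End-to-end check: install the rule, validate the config with "snort -T",
# generate echo requests towards a host on the monitored LAN, then look for
# the alert. Interface, target and paths are assumptions; adjust as needed.
run_check() {
    iface="${1:-ens224}"
    target="${2:-192.168.15.1}"
    rules_file="${3:-/etc/snort/rules/local.rules}"
    alert_file="${4:-/var/log/snort/alert}"

    install_test_rule "$rules_file"
    # -T parses the config and rules and exits; a syntax error here explains
    # a sensor that starts but never alerts. Restart Snort afterwards so the
    # running instance actually loads the new rule.
    snort -T -c /etc/snort/snort.conf -i "$iface" >/dev/null 2>&1 || {
        echo "snort -T failed: fix the config before testing detection"
        return 1
    }
    ping -c 3 "$target" >/dev/null 2>&1
    sleep 2
    n=$(count_test_alerts "$alert_file")
    echo "alerts carrying sid $TEST_SID: $n"
    [ "$n" -gt 0 ]
}

if [ "${1:-}" = "run" ]; then
    run_check "$2" "$3"
fi
```

Run it as `sh snort-check.sh run ens224 192.168.15.1` on the sensor. If `snort -T` passes and the counter stays at zero, the problem is visibility rather than rules: an interface without an IP address on a switched LAN only receives frames addressed to it plus broadcast and multicast, unless its switch port is configured as a mirror/SPAN port, and traffic generated on the sensor host itself leaves via the primary interface, so ens224 never sees it. Note also that `nmap -sP` is a host-discovery ping sweep, not a port scan, so it is not what the sfportscan preprocessor is designed to report on.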
