[Snort-users] How to test if snort is properly functioning?
joost.ringoot at meteo.be
Thu Mar 14 04:35:21 EDT 2019
I have just set up snort and let it run with this command:
snort -i ens224 -A fast -c /etc/snort/snort.conf
It is running with this as last lines:
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Commencing packet processing (pid=31593)
ens224 is a secondary network interface which is not configured with IP address, I think that is ok and preferred?
But nothing gets logged.
I tried a couple of nmaps to get something logged:
nmap -sP 192.168.15.0/24
even on the machine itself
BTW: 192.168.15.0/24 is the subnet configured on the primary interface; it is the same physical LAN as the secondary interface that I use for snort.
I would expect that snort would log something about the portscan, but nothing.
There are daily alert files in
but they are empty
Are my expectations wrong?
What should I do for instance to get a portscan logged by snort?
(BTW: pulled pork is installed and
./pulledpork/pulledpork.pl -c /etc/pulledpork/pulledpork.conf
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
Thanks in advance,
KMI - IRM
Koninklijk Meteorologisch Instituut
Institut Royal Météorologique
Ringlaan 3 Avenue Circulaire
1180 Brussel | Bruxelles
+32 (0)2 373 06 75
after office hours:
+32 (0)2 373 06 83
Think of the environment, only print this email if really necessary
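One way to check that a sensor actually sees and alerts on traffic, as an added example that is not part of the original thread: a POSIX shell self-test that installs a local ICMP rule, validates the config with snort -T, confirms the sniffing interface is promiscuous, runs Snort in -A fast mode and counts the resulting alerts. The interface name, rule path and alert file are assumptions taken from a typical Snort 2 install, not values from the post.

```shell
#!/bin/sh
# Added self-test for a Snort 2 sensor. Not from the original post; the
# interface, config path, rule file and alert file below are assumptions
# (override them through the environment to match your sensor).
IFACE="${IFACE:-ens224}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOCAL_RULES="${LOCAL_RULES:-/etc/snort/rules/local.rules}"   # included by the stock snort.conf
ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"            # what -A fast writes to
TEST_SID=1000001   # local SIDs start at 1000000 so they never clash with vendor rules

# A rule that fires on any ICMP echo request (what ping and nmap -sP send).
test_rule() {
    printf 'alert icmp any any -> any any (msg:"Snort self-test ICMP"; itype:8; sid:%s; rev:1;)\n' "$TEST_SID"
}

# Count fast-format alert lines carrying the test SID, e.g.
#   03/14-10:22:01.123456  [**] [1:1000001:1] Snort self-test ICMP [**] ...
count_test_alerts() {   # $1 = alert file (missing file counts as 0)
    if [ ! -f "$1" ]; then echo 0; return 0; fi
    grep -c "\[1:$TEST_SID:[0-9]*\]" "$1" || true
}

# IFF_PROMISC is bit 0x100 of /sys/class/net/<iface>/flags; a sniffing
# interface that is not promiscuous only sees broadcasts and its own MAC.
flags_have_promisc() {   # $1 = flags value, e.g. 0x1103
    [ $(( $1 & 0x100 )) -ne 0 ]
}
iface_is_promisc() { flags_have_promisc "$(cat "/sys/class/net/$IFACE/flags")"; }

# Live check (root, snort, iproute2 and ping required). Runs only on request.
run_self_test() {   # $1 = host to ping so an ICMP echo request crosses the LAN
    grep -q "sid:$TEST_SID;" "$LOCAL_RULES" 2>/dev/null || test_rule >>"$LOCAL_RULES"
    snort -T -c "$SNORT_CONF" >/dev/null 2>&1 || { echo "FAIL: snort -T rejects $SNORT_CONF"; return 1; }
    ip link set "$IFACE" up promisc on
    iface_is_promisc || { echo "FAIL: $IFACE is not promiscuous"; return 1; }
    before=$(count_test_alerts "$ALERT_FILE")
    snort -q -i "$IFACE" -A fast -c "$SNORT_CONF" -l "$(dirname "$ALERT_FILE")" &
    pid=$!
    sleep 5                                   # let the preprocessors initialise
    ping -c 3 "$1" >/dev/null 2>&1 || true
    sleep 2                                   # let the alert reach the file
    kill "$pid"; wait "$pid" 2>/dev/null || true
    after=$(count_test_alerts "$ALERT_FILE")
    if [ "$after" -gt "$before" ]; then echo "OK: $((after - before)) test alert(s) seen on $IFACE"
    else echo "FAIL: no test alert on $IFACE (is it on a SPAN/mirror port or tap?)"; return 1; fi
}

if [ "${1:-}" = "run" ]; then run_self_test "${2:?ping target}"; fi
```

Run it as root with `sh snort_selftest.sh run <host-on-the-LAN>`. A second NIC with no IP address only receives what the switch forwards to it (broadcasts and frames addressed to its own MAC), so whether the pinged traffic is visible depends on the sensor sitting on a SPAN/mirror port or a tap.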