[Snort-users] How to test if snort is properly functioning?

Joost Ringoot joost.ringoot at meteo.be
Thu Mar 14 04:35:21 EDT 2019


I have just set up snort and let it run with this command: 

snort -i ens224 -A fast -c /etc/snort/snort.conf 

It is running, with these as the last lines:
Preprocessor Object: SF_GTP Version 1.1 <Build 1> 
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4> 
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13> 
Preprocessor Object: SF_DNS Version 1.1 <Build 4> 
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1> 
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3> 
Commencing packet processing (pid=31593) 

ens224 is a secondary network interface which is not configured with an IP address; I think that is ok and preferred?

But nothing gets logged.

I tried a couple of nmaps to get something logged:

nmap -sP 

even on the machine itself.

BTW: is the subnet that is configured on the primary interface; it is the same physical LAN as the secondary interface that I use for snort.

I would expect that snort would log something about the portscan, but nothing.

There are daily alert files in 

but they are empty 

Are my expectations wrong? 
What should I do for instance to get a portscan logged by snort? 

(BTW: PulledPork is installed and
./pulledpork/pulledpork.pl -c /etc/pulledpork/pulledpork.conf

ends with
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!)

Thanks in advance, 

System Administrator 
Koninklijk Meteorologisch Instituut 
Institut Royal Météorologique 
Ringlaan 3 Avenue Circulaire 
1180 Brussel | Bruxelles 
+32 (0)2 373 06 75 
after office hours: 
+32 (0)2 373 06 83 

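A smoke test for a sensor set up like the one in the post above, added here as an example and not part of the original message or of Snort itself. It assumes the interface, config path, local.rules path and log directory named in the comments (all overridable), and that the switch port feeding ens224 actually mirrors the LAN traffic you want inspected.

```sh
#!/bin/sh
# Added smoke test for a Snort 2.x sensor; not from the original post.
# Assumed (override via environment): sniffing NIC ens224 with no IP, the
# config file and local.rules below, and the default log directory.
IFACE=${IFACE:-ens224}
CONF=${CONF:-/etc/snort/snort.conf}
LOCAL_RULES=${LOCAL_RULES:-/etc/snort/rules/local.rules}  # must be included by snort.conf
LOGDIR=${LOGDIR:-/var/log/snort}
TEST_SID=1000001
# Count fast-format alerts ("[gid:sid:rev]") for one local rule (gid 1).
alert_count_for_sid() {
    grep -c "\[1:$2:[0-9]*\]" "$1" 2>/dev/null || true
}
# Count sfPortscan alerts (gid 122), the ones a detected port scan raises.
portscan_alert_count() {
    grep -c "\[122:[0-9]*:[0-9]*\]" "$1" 2>/dev/null || true
}
snort_smoke_test() {
    # 1. Can the NIC see other hosts' traffic at all? On a switched LAN an
    #    ordinary access port delivers only broadcast and frames addressed
    #    to this host; unicast between other hosts needs a mirror/SPAN port.
    #    If tcpdump shows nothing here, Snort has nothing to alert on.
    ip link show "$IFACE" | grep -q PROMISC || echo "warning: $IFACE not PROMISC"
    timeout 10 tcpdump -ni "$IFACE" -c 10 'not arp and not broadcast' || true
    # 2. Validate config and rules without sniffing (non-zero exit on error).
    snort -T -i "$IFACE" -c "$CONF" || { echo "config test failed"; exit 1; }
    # 3. Install a known-good rule: every ICMP echo request must alert.
    grep -q "sid:$TEST_SID;" "$LOCAL_RULES" || printf '%s\n' \
      "alert icmp any any -> any any (msg:\"SMOKE TEST icmp echo\"; itype:8; sid:$TEST_SID; rev:1;)" \
      >> "$LOCAL_RULES"
    # 4. Run Snort for a short window while pings cross the monitored segment.
    #    A ping sent from the sensor itself leaves via the primary NIC and is
    #    not seen on $IFACE unless that traffic is mirrored, so generate it
    #    from another host on the LAN (or mirror the segment) during the window.
    snort -q -i "$IFACE" -A fast -c "$CONF" -l "$LOGDIR" &
    pid=$!
    sleep 30
    kill "$pid"; wait "$pid" 2>/dev/null
    # 5. -A fast writes $LOGDIR/alert. Zero here means the packets never
    #    reached $IFACE or the rule did not load (re-check step 2 output).
    n=$(alert_count_for_sid "$LOGDIR/alert" "$TEST_SID")
    echo "smoke-test alerts: ${n:-0}  portscan alerts: $(portscan_alert_count "$LOGDIR/alert")"
    [ "${n:-0}" -gt 0 ]
}
# Only run the live test when asked explicitly:  sh snort_smoke.sh run
if [ "${1:-}" = "run" ]; then snort_smoke_test; fi
```

Once the test sid alerts, a scan from a host on the mirrored segment should show up in the portscan count; if the ICMP rule never fires, the problem is packet visibility on ens224, not the rule set.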
