[Snort-users] How to test if snort is properly functioning?

Joost Ringoot joost.ringoot at meteo.be
Thu Mar 28 04:29:33 EDT 2019


I can recommend this tutorial: 
https://upcloud.com/community/tutorials/installing-snort-on-centos/

very fast hands-on, works, just a few extra

> From: "Joost Ringoot" <joost.ringoot at meteo.be>
> To: "snort-users" <snort-users at lists.snort.org>
> Sent: Thursday, 14 March, 2019 09:35:21
> Subject: [Snort-users] How to test if snort is properly functioning?

> Hello,

> I have just set up snort and let it run with this command:

> snort -i ens224 -A fast -c /etc/snort/snort.conf

> It is running with this as last lines:
> Preprocessor Object: SF_GTP Version 1.1 <Build 1>
> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
> Preprocessor Object: SF_DNS Version 1.1 <Build 4>
> Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
> Commencing packet processing (pid=31593)

> ens224 is a secondary network interface which is not configured with IP address,
> I think that is ok and preferred?

> But nothing gets logged

> I tried a couple nmaps to get something logged:

> eg:
> nmap -sP 192.168.15.0/24

> even on the machine itself

> BTW: 192.168.15.0/24 is the subnet that is on the primary interface configured,
> it is the same physical LAN as the secondary interface that I use for snort.

> I would expect that snort would log something about the portscan, but nothing.

> There are daily alert files in
> /var/log/snort

> but they are empty

> Are my expectations wrong?
> What should I do for instance to get a portscan logged by snort?

> (BTW: pulled pork is installed and
> ./pulledpork/pulledpork.pl -c /etc/pulledpork/pulledpork.conf

> ends with
> Done
> Please review /var/log/sid_changes.log for additional details
> Fly Piggy Fly!
> )

> Thanks in advance,

> KMI - IRM
> Joost RINGOOT
> System Administrator
> Koninklijk Meteorologisch Instituut
> Institut Royal Météorologique
> Ringlaan 3 Avenue Circulaire
> 1180 Brussel | Bruxelles
> +32 (0)2 373 06 75
> after office hours:
> +32 (0)2 373 06 83
> https://www.meteo.be/
> https://www.facebook.com/kmi.be/ | https://www.facebook.com/www.meteo.be/

> Think of the environment; print this mail only if really necessary.
> http://ec.europa.eu/environment/emas/register/search/registration.do?registrationId=582580
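A self-check for the situation in the quoted question, added here as an example that is not part of the thread or of the linked tutorial: it appends a local ICMP test rule, confirms the configuration loads with `snort -T`, starts Snort on the sniffing interface in fast-alert mode, sends a ping, and then checks the alert file for the test sid. The rule path, the ping target 192.168.15.1, and the assumption that snort.conf already includes `$RULE_PATH/local.rules` are assumptions; `ens224` and `-A fast` come from the question.

```shell
#!/bin/sh
# Snort self-check (added example, not from the thread). Assumes Snort 2.x,
# that snort.conf includes $RULE_PATH/local.rules, and the paths below.
IFACE="${IFACE:-ens224}"                       # sniffing interface from the question
CONF="${CONF:-/etc/snort/snort.conf}"
LOCAL_RULES="${LOCAL_RULES:-/etc/snort/rules/local.rules}"   # assumed path
PING_TARGET="${PING_TARGET:-192.168.15.1}"     # assumed reachable host on the LAN
TEST_SID=1000001                               # local sids start at 1000000

# A rule that fires on any ICMP packet, so one ping is enough to prove alerting works.
test_rule() {
    printf 'alert icmp any any -> any any (msg:"LOCAL ICMP selftest"; sid:%s; rev:1;)\n' "$TEST_SID"
}

# Fast-alert lines look like:
#   03/28-10:12:01.123456  [**] [1:1000001:1] LOCAL ICMP selftest [**] [Priority: 0] {ICMP} a.b.c.d -> w.x.y.z
# Return 0 when the file holds at least one alert for TEST_SID.
has_test_alert() {
    grep -q "\[\*\*\] \[1:${TEST_SID}:[0-9]*\]" "$1"
}

# Number of alerts of any kind in a fast-alert file (prints 0 for an empty file).
count_alerts() {
    grep -c '\[\*\*\]' "$1" || true
}

# Live check: needs root and a Snort install.  Run as: sh snort-selftest.sh --live
run_live_check() {
    grep -q "sid:${TEST_SID};" "$LOCAL_RULES" 2>/dev/null || test_rule >> "$LOCAL_RULES"
    snort -T -c "$CONF" -i "$IFACE" >/dev/null 2>&1 || { echo "FAIL: config test"; return 1; }
    ip link set "$IFACE" up                    # no IP address needed, but the link must be up
    logdir=$(mktemp -d)                        # private log dir so production logs stay untouched
    snort -i "$IFACE" -A fast -c "$CONF" -l "$logdir" >/dev/null 2>&1 &
    pid=$!
    sleep 5                                    # give Snort time to load the rule set
    ping -c 3 "$PING_TARGET" >/dev/null 2>&1 || true
    sleep 2
    kill "$pid"
    if has_test_alert "$logdir/alert"; then
        echo "OK: $(count_alerts "$logdir/alert") alert(s); Snort sees traffic on $IFACE"
    else
        echo "FAIL: no sid $TEST_SID alert in $logdir/alert"; return 1
    fi
}

case "${1:-}" in --live) run_live_check ;; esac
```

On a directly attached subnet `nmap -sP` discovers hosts with ARP requests rather than ICMP or TCP probes, so the portscan preprocessor has nothing to count; an explicit local rule like the one above is a more dependable first check.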