[Snort-users] How to test if snort is properly functioning?

Joel Esler (jesler) jesler at cisco.com
Thu Mar 28 17:57:33 EDT 2019


Joost,

We would be interested in having your content submitted to live on the Documentation page on Snort.org if you are interested.

> On Mar 28, 2019, at 1:29 AM, Joost Ringoot <joost.ringoot at meteo.be> wrote:
> 
> 
> I can recommend this tutorial: 
> https://upcloud.com/community/tutorials/installing-snort-on-centos/
> 
> very fast hands-on, works, just a few extra
> 
> From: "Joost Ringoot" <joost.ringoot at meteo.be>
> To: "snort-users" <snort-users at lists.snort.org>
> Sent: Thursday, 14 March, 2019 09:35:21
> Subject: [Snort-users] How to test if snort is properly functioning?
> Hello,
> 
> I have just set up snort and let it run with this command:
> 
> snort -i ens224 -A fast -c /etc/snort/snort.conf
> 
> It is running with this as last lines:
> Preprocessor Object: SF_GTP Version 1.1 <Build 1>
> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
> Preprocessor Object: SF_DNS Version 1.1 <Build 4>
> Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
> Commencing packet processing (pid=31593)
> 
> 
> ens224 is a secondary network interface which is not configured with an IP address; I think that is ok and preferred?
> 
> 
> But nothing gets logged.
> 
> I tried a couple of nmaps to get something logged:
> 
> eg: 
> nmap -sP 192.168.15.0/24 
> 
> even on the machine itself
> 
> BTW: 192.168.15.0/24 is the subnet configured on the primary interface; it is the same physical LAN as the secondary interface that I use for snort.
> 
> I would expect that snort would log something about the portscan, but nothing.
> 
> There are daily alert files in 
> /var/log/snort
> 
> but they are empty
> 
> 
> Are my expectations wrong? 
> What should I do for instance to get a portscan logged by snort?
> 
> 
> 
> 
> (BTW: pulled pork is installed and 
> ./pulledpork/pulledpork.pl -c /etc/pulledpork/pulledpork.conf 
> 
> ends with 
> Done
> Please review /var/log/sid_changes.log for additional details
> Fly Piggy Fly!
> )
> 
> 
> 
> Thanks in advance,
> 
> 
> 
> 
> 
> KMI - IRM
> Joost RINGOOT
> System Administrator
> Koninklijk Meteorologisch Instituut
> Institut Royal Météorologique
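One way to settle the "is it logging anything at all?" question, added here as an example and not code from the thread: install a local rule with a private SID that fires on every ICMP echo request, restart snort, ping a host on the monitored LAN, and count the matching lines in the `-A fast` alert file. It assumes snort.conf includes /etc/snort/rules/local.rules and that fast alerts land in /var/log/snort/alert (both are assumptions; adjust the variables). Run the ping from a host whose traffic actually reaches the sensor's port, since a ping sent out of the sensor's own primary interface may never cross the monitored interface.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: snort.conf includes
# $RULE_PATH/local.rules, and -A fast writes to /var/log/snort/alert.
TEST_SID=1000001                     # SIDs >= 1000000 are reserved for local rules
LOCAL_RULES=/etc/snort/rules/local.rules
ALERT_FILE=/var/log/snort/alert
SNORT_CONF=/etc/snort/snort.conf

# Emit a Snort 2 rule that fires on every ICMP echo request (itype 8).
test_rule() {
    printf 'alert icmp any any -> any any (msg:"LOCAL TEST icmp echo"; itype:8; sid:%s; rev:1;)\n' "$1"
}

# Count -A fast alert lines for one SID. Each line carries [gid:sid:rev], e.g.
# 03/28-10:15:22.123456  [**] [1:1000001:1] LOCAL TEST icmp echo [**] [Priority: 0] {ICMP} 192.168.15.10 -> 192.168.15.1
count_alerts_for_sid() {
    [ -r "$1" ] || { echo 0; return 0; }          # missing or unreadable log counts as zero
    grep -c "\[1:$2:[0-9][0-9]*]" "$1" || true    # grep -c exits 1 on zero matches but still prints 0
}

# Step 1: append the rule once and make sure the config still parses (-T).
install_test_rule() {
    grep -q "sid:$TEST_SID;" "$LOCAL_RULES" 2>/dev/null || test_rule "$TEST_SID" >> "$LOCAL_RULES"
    snort -T -c "$SNORT_CONF" >/dev/null 2>&1 || { echo "config failed -T self-test" >&2; return 1; }
    echo "now restart the running snort so it loads $LOCAL_RULES" >&2
}

# Step 2 (after the restart): ping a host on the monitored LAN and see whether the
# alert count for the test SID moved. Exit status 0 means snort saw and logged it.
# Run it from a host whose packets actually cross the monitored interface.
check_test_alerts() {
    before=$(count_alerts_for_sid "$ALERT_FILE" "$TEST_SID")
    ping -c 3 "$1" >/dev/null 2>&1
    sleep 2                                        # give snort time to flush the alert
    after=$(count_alerts_for_sid "$ALERT_FILE" "$TEST_SID")
    echo "test alerts before=$before after=$after" >&2
    [ "$after" -gt "$before" ]
}
# Usage: . ./snort_selftest.sh; install_test_rule; <restart snort>; check_test_alerts 192.168.15.1
```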
