Snort mailing list archives
Empty alert file, but big snort log and event database
From: Alain Tésio <alain () onesite org>
Date: Wed, 13 Jun 2001 14:00:49 -0500
Hi,

Here is the content from /var/log/snort:

20:05:45 root /var/log/snort #ls -l
total 1592
-rw-------    1 snort    snort         988 May 26 16:44 0526@1624-snort.log
-rw-------    1 root     root           24 May 26 19:38 0526@1938-snort.log
-rw-------    1 root     root           24 May 26 19:39 0526@1939-snort.log
-rw-------    1 root     root           24 Jun  1 20:03 0601@2003-snort.log
-rw-------    1 root     root          268 Jun  1 20:07 0601@2005-snort.log
-rw-------    1 root     root           24 Jun  1 20:08 0601@2008-snort.log
-rw-------    1 root     root           24 Jun  1 20:11 0601@2011-snort.log
-rw-------    1 root     root          268 Jun  1 20:28 0601@2027-snort.log
-rw-------    1 root     root      1587939 Jun 13 19:35 0609@0109-snort.log
-rw-------    1 snort    snort           0 May 26 16:23 alert
-rw-------    1 snort    snort           0 May 26 16:23 portscan.log
-rw-------    1 snort    snort          24 May 26 16:24 snort-0526@1623.log

Snort is now running as root:

20:05:47 root /var/log/snort #ps -eaf | grep snort
root     29893     1  0 Jun09 ?        00:00:32 snort -c /etc/snort/snort.conf -D

Why is there nothing in the file alert?
I'm using the default configuration for snort 1.6 installed from source on Linux Debian 2.2.

The number of rows for each table in the mysql database is:

data      13911
detail        2
encoding      3
event     13935
icmphdr   13906
iphdr     13935
opt          96
sensor        1
tcphdr       24
udphdr        5

The kind of events are:

mysql> select distinct signature from event ;
+--------------------------------------------------------------------------+
| signature                                                                |
+--------------------------------------------------------------------------+
| ICMP Destination Unreachable (Communication Administratively Prohibited) |
| ICMP Destination Unreachable (Host Unreachable)                          |
| ICMP Destination Unreachable (Port Unreachable)                          |
| ICMP Echo Reply                                                          |
| ICMP Echo Request                                                        |
| ICMP Echo Request BSDtype                                                |
| ICMP Echo Request Windows                                                |
| ICMP Time-To-Live Exceeded in Transit                                    |
| ICMP traceroute                                                          |
| MISC source port 53 to <1024                                             |
| RPC portmap request rstatd                                               |
| SCAN Proxy attempt                                                       |
+--------------------------------------------------------------------------+
13 rows in set (0.54 sec)

I didn't find an answer in the manuals to this question: how can I get some more information from this data?

Thanks,
Alain
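Two checks for the situation in the post above, as an added example that is neither part of the original message nor Snort's own code. First, the 24-byte files in the /var/log/snort listing are exactly the size of a pcap (tcpdump-format) global header, which is what Snort's binary logger writes when it opens a log and never records a packet; inspect_pcap() parses that header and counts the records that follow, so it distinguishes the empty logs from the 1.5 MB one. Second, for the question of getting more out of the event database, signature_by_source() runs a "which source address triggers which signature" query against an in-memory sqlite3 copy of the `event` and `iphdr` tables. The column names (sid, cid, signature, timestamp; ip_src, ip_dst, ip_proto) are assumed from the Snort database schema of that era; the post itself only shows that `signature` is a column of `event`. The pcap byte strings and the database rows are constructed here for the example.

```python
import sqlite3
import struct
from ipaddress import ip_address

PCAP_GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len


def inspect_pcap(data: bytes) -> dict:
    """Parse a pcap byte string; return link type, snaplen and packet count."""
    if len(data) < PCAP_GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    # The magic number reveals the byte order the writer used.
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("bad magic 0x%08x: not a pcap file" % magic)
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:PCAP_GLOBAL_HDR_LEN])
    packets, off = 0, PCAP_GLOBAL_HDR_LEN
    while off + PCAP_RECORD_HDR_LEN <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + PCAP_RECORD_HDR_LEN])
        off += PCAP_RECORD_HDR_LEN
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        packets += 1
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets}


# Constructed sample logs (not real Snort output): a header-only little-endian
# pcap file, like the 24-byte files in the listing, and one with a single record.
EMPTY_LOG = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
ONE_PACKET_LOG = (EMPTY_LOG + struct.pack("<IIII", 992049600, 0, 4, 4)
                  + b"\xde\xad\xbe\xef")

# Assumed column names for the old Snort/ACID schema; sid + cid join the
# per-event table to the per-packet header tables.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature TEXT, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER);
"""

# On MySQL, INET_NTOA(i.ip_src) turns the stored unsigned int into a dotted
# quad server-side; here the conversion is done in Python after the query.
BY_SIGNATURE_AND_SOURCE = """
SELECT e.signature, i.ip_src, COUNT(*) AS hits
FROM event e JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid
GROUP BY e.signature, i.ip_src
ORDER BY hits DESC, e.signature, i.ip_src
"""


def sample_db() -> sqlite3.Connection:
    """In-memory database with constructed events (addresses from RFC 5737)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    src_a, src_b = int(ip_address("192.0.2.10")), int(ip_address("203.0.113.7"))
    dst = int(ip_address("198.51.100.5"))
    rows = [
        (1, 1, "ICMP Echo Request", "2001-06-09 01:10:00", src_a, dst, 1),
        (1, 2, "ICMP Echo Request", "2001-06-09 01:10:01", src_a, dst, 1),
        (1, 3, "ICMP Echo Request", "2001-06-09 02:00:00", src_b, dst, 1),
        (1, 4, "SCAN Proxy attempt", "2001-06-09 02:00:05", src_b, dst, 6),
        (1, 5, "MISC source port 53 to <1024", "2001-06-09 02:01:00", src_b, dst, 17),
    ]
    for sid, cid, sig, ts, src, dst_ip, proto in rows:
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)",
                     (sid, cid, src, dst_ip, proto))
    return conn


def signature_by_source(conn: sqlite3.Connection) -> list:
    """Return (signature, dotted source IP, hits) tuples, busiest pairs first."""
    return [(sig, str(ip_address(src)), hits)
            for sig, src, hits in conn.execute(BY_SIGNATURE_AND_SOURCE)]


if __name__ == "__main__":
    for name, blob in (("header only", EMPTY_LOG), ("one record", ONE_PACKET_LOG)):
        print("%-12s %3d bytes -> %s" % (name, len(blob), inspect_pcap(blob)))
    for row in signature_by_source(sample_db()):
        print("%-32s %-15s %d" % row)
```

The non-empty binary logs can be replayed with `snort -r <file>` or `tcpdump -r <file>` rather than parsed by hand; the header parser above is only meant to show what a 24-byte file is. For the empty alert file, the first thing to check is whether the `output` section of snort.conf still names an alert output plugin alongside the database one.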