Snort mailing list archives

Re: snort woes


From: Jim Starke <jstarke () ptd net>
Date: Sat, 11 Aug 2001 12:03:14 -0400

Phil Wood wrote:

> Replace "log" with "alert" in the output database: conf specification

> Also, I take it when you go to the ACID web interface, that all looks
> good with the exception that all counters are zero?

I replaced "log" with "alert" and still no luck. I've double checked that my firewall isn't blocking the http port accidentally. I see the code red entries being entered in my http log. But still nothing is going into the mysql database. I ran snort with -v to verify that it is actually seeing packets.

Here is a code red II connection that didn't get logged. Maybe my code red rules are incorrect? I copied and pasted them right off of incidents.org though.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/11-11:50:27.496109 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24940 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE96299A1  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/11-11:50:27.817138 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24958 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xE96299A2  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/11-11:50:27.947248 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24959 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE96299A2  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/11-11:50:28.036829 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24960 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9629F56  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/11-11:50:28.306585 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24980 IpLen:20 DgmLen:938 DF
***AP*** Seq: 0xE962A50A  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/11-11:50:28.593381 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:25022 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xE962A88C  Ack: 0x0  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/11-11:50:28.596387 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:25023 IpLen:20 DgmLen:40
*****R** Seq: 0xE962A88C  Ack: 0xE962A88C  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I'm not using the ACID web interface, just the mysql database at the moment. Once I have snort adding to the mysql database, I'll add ACID.

--
Quidquid latine dictum sit, altum viditur.
http://www.jcsmall.com/homepage
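An added helper for triaging a `snort -v` trace like the one quoted above (example code, not from the post or from Snort itself). `-v` prints headers only, so the bytes carried by each segment have to be derived from DgmLen, IpLen and TcpLen; that shows which packets held the HTTP request body a content rule would have to match, and whether their sequence numbers chain without a gap. The sample is a constructed subset of the header blocks from the post, with shortened separator lines.

```python
import re

# Constructed sample: four of the header blocks quoted in the post
# (SYN, two full-size data segments, then the pushed tail of the request).
SAMPLE = """\
=+=+=+=+=+=+=+=+
08/11-11:50:27.496109 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24940 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE96299A1  Ack: 0x0  Win: 0x4000  TcpLen: 28
=+=+=+=+=+=+=+=+
08/11-11:50:27.947248 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24959 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE96299A2  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+
08/11-11:50:28.036829 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24960 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9629F56  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+
08/11-11:50:28.306585 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24980 IpLen:20 DgmLen:938 DF
***AP*** Seq: 0xE962A50A  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
"""

HDR = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IP = re.compile(r"ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP = re.compile(r"^([*A-Z0-9]{8}) Seq: 0x([0-9A-Fa-f]+).*TcpLen: (\d+)")

def parse_trace(text):
    """Turn snort -v header blocks into dicts, deriving the payload size."""
    pkts, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = {"ts": m[1], "src": f"{m[2]}:{m[3]}", "dst": f"{m[4]}:{m[5]}"}
            pkts.append(cur)
            continue
        if cur is None:
            continue  # separators or anything before the first header
        m = IP.search(line)
        if m:
            cur["id"], cur["iplen"], cur["dgmlen"] = map(int, m.groups())
            continue
        m = TCP.match(line)
        if m:
            cur["flags"], cur["seq"], cur["tcplen"] = m[1], int(m[2], 16), int(m[3])
            # -v shows no data, so payload bytes = IP datagram minus both headers
            cur["payload"] = cur["dgmlen"] - cur["iplen"] - cur["tcplen"]
    return pkts

def data_segments(pkts):
    """Packets that carried bytes, each marked whether its seq follows the previous one."""
    segs = [p for p in pkts if p.get("payload", 0) > 0]
    for a, b in zip(segs, segs[1:]):
        b["contiguous"] = (a["seq"] + a["payload"]) == b["seq"]
    return segs

def total_bytes(segs):
    return sum(s["payload"] for s in segs)

if __name__ == "__main__":
    segs = data_segments(parse_trace(SAMPLE))
    for s in segs:
        print(s["id"], s["flags"], s["payload"], s.get("contiguous", "-"))
    print("request bytes:", total_bytes(segs))
```

Segments whose `contiguous` flag is False point at a dropped packet, which would also prevent a rule that needs the full request from matching.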


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net