Snort mailing list archives
Re: snort woes
From: Jim Starke <jstarke () ptd net>
Date: Sat, 11 Aug 2001 12:03:14 -0400
Phil Wood wrote:

> Replace "log" with "alert" in the output database: conf specification
> Also, I take it when you go to the ACID web interface, that all looks
> good with the exception that all counters are zero?

I replaced "log" with "alert" and still no luck. I've double-checked that my firewall isn't blocking the HTTP port accidentally. I see the Code Red entries being entered in my HTTP log, but still nothing is going into the MySQL database. I ran snort with -v to verify that it is actually seeing packets.
Here is a Code Red II connection that didn't get logged. Maybe my Code Red rules are incorrect? I copied and pasted them right off of incidents.org though.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-11:50:27.496109 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24940 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE96299A1  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-11:50:27.817138 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24958 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xE96299A2  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-11:50:27.947248 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24959 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE96299A2  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-11:50:28.036829 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24960 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9629F56  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-11:50:28.306585 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24980 IpLen:20 DgmLen:938 DF
***AP*** Seq: 0xE962A50A  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-11:50:28.593381 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:25022 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xE962A88C  Ack: 0x0  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-11:50:28.596387 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:25023 IpLen:20 DgmLen:40
*****R** Seq: 0xE962A88C  Ack: 0xE962A88C  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I'm not using the ACID web interface, just the MySQL database at the moment. Once I have snort adding to the MySQL database, I'll add ACID.
--
Quidquid latine dictum sit, altum videtur.
http://www.jcsmall.com/homepage

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
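The trace in the message above was produced with `snort -v`, which prints packet headers only; it shows that the sensor saw the connection, but not what the request contained, so it cannot show whether a content rule should have matched (that needs `snort -d` as well). What the headers do give is the shape of the conversation. The following is an added example, not code from the original post or from Snort: it parses the post's own `snort -v` records (the destination address stays masked as in the post, and the records are re-split onto Snort's usual multi-line layout), derives each segment's payload length as DgmLen - IpLen - TcpLen, and checks that the sequence numbers are contiguous, i.e. that no segment of the client's request was missed by the capture.

```python
"""Summarise the client side of the TCP conversation in the `snort -v` trace above.

Added example, not code from the original post or from Snort.  TRACE is the
post's own `snort -v` output re-split onto Snort's multi-line layout.  `-v`
prints headers only, so payload length is derived as DgmLen - IpLen - TcpLen."""
import re
from dataclasses import dataclass

SEP = "=+" * 37
TRACE = f"""{SEP}
08/11-11:50:27.496109 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24940 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE96299A1  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
{SEP}
08/11-11:50:27.817138 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24958 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xE96299A2  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
{SEP}
08/11-11:50:27.947248 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24959 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE96299A2  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
{SEP}
08/11-11:50:28.036829 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24960 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9629F56  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
{SEP}
08/11-11:50:28.306585 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:24980 IpLen:20 DgmLen:938 DF
***AP*** Seq: 0xE962A50A  Ack: 0xEA8B48BB  Win: 0x4470  TcpLen: 20
{SEP}
08/11-11:50:28.593381 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:25022 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xE962A88C  Ack: 0x0  Win: 0x0  TcpLen: 20
{SEP}
08/11-11:50:28.596387 24.42.160.18:3965 -> 24.229.xxx.xxx:80
TCP TTL:116 TOS:0x0 ID:25023 IpLen:20 DgmLen:40
*****R** Seq: 0xE962A88C  Ack: 0xE962A88C  Win: 0x0  TcpLen: 20
{SEP}
"""

HEADER = re.compile(r"(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+TCP")
LENS = re.compile(r"IpLen:(\d+)\s+DgmLen:(\d+)")
TCP = re.compile(r"([*12UAPRSF]{8})\s+Seq:\s*0x([0-9A-Fa-f]+).*?TcpLen:\s*(\d+)", re.S)


@dataclass
class Packet:
    src: str          # "ip:port"
    dst: str
    flags: str        # Snort's 8-character flag field, e.g. "***AP***"
    seq: int
    iplen: int
    dgmlen: int
    tcplen: int

    @property
    def payload_len(self) -> int:
        return self.dgmlen - self.iplen - self.tcplen

    @property
    def short_flags(self) -> str:
        return self.flags.replace("*", "")


def parse_trace(text: str) -> list:
    """Split on the =+=+ separator lines and pull the header fields of each TCP record."""
    pkts = []
    for rec in re.split(r"[=+]{8,}", text):
        h, ln, t = HEADER.search(rec), LENS.search(rec), TCP.search(rec)
        if not (h and ln and t):
            continue                      # blank chunk or non-TCP record
        pkts.append(Packet(src=f"{h[1]}:{h[2]}", dst=f"{h[3]}:{h[4]}",
                           flags=t[1], seq=int(t[2], 16),
                           iplen=int(ln[1]), dgmlen=int(ln[2]), tcplen=int(t[3])))
    return pkts


def contiguous(pkts: list) -> bool:
    """True if each packet's Seq is where the previous one left off (no segment missed)."""
    expected = None
    for p in pkts:
        if "S" in p.flags:
            expected = p.seq + 1          # the SYN consumes one sequence number
            continue
        if expected is not None and p.seq != expected:
            return False
        expected = p.seq + p.payload_len
    return True


def summarize(pkts: list) -> dict:
    data = [p for p in pkts if p.payload_len > 0]
    return {
        "client": pkts[0].src,
        "server": pkts[0].dst,
        "flags": [p.short_flags for p in pkts],
        "data_segments": len(data),
        "payload_bytes": sum(p.payload_len for p in data),
        "reset": any("R" in p.flags for p in pkts),
        "contiguous": contiguous(pkts),
        "one_direction": len({p.src for p in pkts}) == 1,   # only client->server seen
    }


if __name__ == "__main__":
    for key, value in summarize(parse_trace(TRACE)).items():
        print(f"{key:>14}: {value}")
```

Run on the post's trace, this reports a SYN, an ACK, three data segments (1460, 1460 and 898 bytes, 3818 bytes in all) and two resets, with every Seq following on from the previous segment, so the capture saw the whole client request; it also shows that only the client-to-server direction appears in the trace. None of that says what the 3818 bytes contained, which is why a rule's `content:` match cannot be judged from `-v` output alone.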
Current thread:
- snort woes Jim Starke (Aug 10)
- Re: snort woes Phil Wood (Aug 10)
- Re: snort woes Jim Starke (Aug 11)
- Re: snort woes J. C. Woods (Aug 11)
- Re: snort woes Jed Pickel (Aug 11)
- Re: snort woes Jim Starke (Aug 11)
- Re: snort woes Jim Starke (Aug 11)
- Re: snort woes Phil Wood (Aug 10)
- Re: snort woes (update) Jim Starke (Aug 11)
- RE: snort woes (update) John Berkers (Aug 11)
- Re: snort woes (update) Jim Starke (Aug 11)
- RE: snort woes (update) John Berkers (Aug 11)
- RE: snort woes (update) John Berkers (Aug 11)