Snort mailing list archives

Re: UDP alerts not logging


From: Phil Wood <cpw () lanl gov>
Date: Wed, 5 Dec 2001 08:17:46 -0700

On Tue, Dec 04, 2001 at 11:43:26PM -0200, Alex Rodrigues wrote:
Hi.
My snort isn't logging UDP packets, only TCP and ICMP. I'm using
snort -dev -h xxx.xxx.xxx.xxx/24 -l /var/log/snort -c snort.conf
Where is my mistake?

There is nothing on the command line that has anything to do with udp, tcp,
or icmp.  You need to look in two places.  

  1. Check the rules that are being used in snort.conf (or the files "included")
     for any udp rules that you expect to trigger.

  2. Check your network:

     run tcpdump -i <your-network-interface> -n udp

Maybe you don't have any udp %^).  And if you do, it is not triggering any
rules.  You can always add a rule like:

  alert udp any any -> any any (msg: "ANY UDP, remove this rule"; classtype:not-suspicious;)

As always, include as much information about your situation as possible.
Otherwise, we start to iterate on what most likely is a simple problem.

Thanks.
Alex



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
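An added example for step 1 above, not code from this thread or from the Snort project: it walks a snort.conf and the files it "include"s, counts the active (uncommented) rules per protocol, and reports which protocols have no rule at all, so a config with no live UDP rule shows up immediately. The sample config and rule files are constructed, and read_include is a hypothetical callback that returns the text of an included file.

```python
import re

# Header of a Snort rule: action, then protocol, e.g. "alert udp any any -> any any (...)"
RULE_RE = re.compile(r'^(alert|log|pass|activate|dynamic)\s+(tcp|udp|icmp|ip)\s', re.I)
INCLUDE_RE = re.compile(r'^include\s+(\S+)', re.I)

def count_rules_by_protocol(conf_text, read_include, seen=None):
    """Count active rules per protocol in a snort.conf, following 'include' lines.

    read_include(path) returns the included file's text, or None if unreadable.
    """
    counts = {'tcp': 0, 'udp': 0, 'icmp': 0, 'ip': 0}
    seen = set() if seen is None else seen
    for line in (l.strip() for l in conf_text.splitlines()):
        if not line or line.startswith('#'):       # comments are never loaded
            continue
        inc = INCLUDE_RE.match(line)
        if inc:
            path = inc.group(1)
            if path not in seen:                    # guard against include loops
                seen.add(path)
                text = read_include(path)
                if text is not None:
                    for proto, n in count_rules_by_protocol(text, read_include, seen).items():
                        counts[proto] += n
            continue
        rule = RULE_RE.match(line)
        if rule:
            counts[rule.group(2).lower()] += 1
    return counts

def protocols_without_rules(conf_text, read_include):
    """Protocols (tcp/udp/icmp) for which the loaded config has no active rule at all."""
    counts = count_rules_by_protocol(conf_text, read_include)
    return sorted(p for p in ('tcp', 'udp', 'icmp') if counts[p] == 0)

# Constructed sample mirroring the thread: rule files are included for TCP and
# ICMP, the only UDP rule is commented out, so UDP traffic can never alert.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
include web.rules
include icmp.rules
# alert udp any any -> any any (msg:"commented out, so never loaded";)
"""
SAMPLE_FILES = {
    'web.rules': 'alert tcp any any -> $HOME_NET 80 (msg:"WEB test"; flags:A+;)\n'
                 'include web.rules\n',          # self-include: must not loop
    'icmp.rules': 'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; itype:8;)\n',
}
```

Run it against a real config with `read_include=lambda p: open(p).read()` from the directory that holds snort.conf; an empty udp count explains a sensor that never logs UDP.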

