Snort mailing list archives
RE: New Install
From: "Michael Steele" <michaels () silicondefense com>
Date: Wed, 19 Jun 2002 22:10:57 -0700
Bill,

Make sure your rules are being detected. Run this from a command prompt:

Snort -c full_path\snort.conf -l full_path\logs

The output will tell you if it's reading in the rules. You will need to CTRL/C to exit.

Michael Steele | System Engineer / System Administrator
mailto:michaels () silicondefense com
http://www.silicondefense.com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Infinity
Sent: June 19, 2002 5:29 PM
To: Michael Steele
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] New Install

Thanks for the quick response. I have a logs directory in place. Problem is that even though I scan my SNORT sensor with LANGuard, the ONLY alerts I see in alert.ids are X.11 traffic being shown as generated from SNORT sensor --> scanning machine. The port scan, NetBIOS enum, proxy check etc. are not showing up in the IDS log. Shouldn't var HOME_NET any and var EXTERNAL_NET any and all the standard snort.conf include statements ensure various triggers should show up in my alert.ids file? I'm just wondering why the traffic from the scanning machine is not being ID'd by the rule sets. The interface sees it because with -dev I see it on my screen.

Thanks Michael.

~Bill

--- Michael Steele <michaels () silicondefense com> wrote:

Infinity,

Create a folder c:\logs. cd to wherever you have snort and run this line:

Snort -c snort.conf -l c:\logs

Start snort and you should have an alert.ids file in the new logs folder.

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Infinity
Sent: Wednesday, June 19, 2002 3:03 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] New Install

Hello list:

A new install of Snort Version 1.8.7b119 - Windows Release on Win2k Server. No modifications of snort.conf. Run from command line as follows:

> snort -dev -c snort.conf

*Side note: I had the same snort -W problem as several other posters. I traced it to my Cisco VPN Client, which I had to uninstall. After I uninstalled the VPN client - no problem. The VPN client had no effect on Sniffer Pro or Ethereal. I had a similar problem on a machine that was using PGP.*

My question: I see all traffic on screen when I scan the snort sensor. But no alerts are logged. Using LANGuard Network Scanner to scan the SNORT sensor, it only catches four X.11 events. It does not catch the NetBIOS enumerations, port scans, etc. It doesn't even trigger when I run a ping -t against it. According to the ICMP rules, shouldn't that at least trigger an alert? Shouldn't this vanilla install trigger like mad? With HOME_NET any and EXTERNAL_NET any??

I see the traffic scrolling up my screen, so the interface is catching the packets. I CTL C the session and the summary shows 4 alerts (ALL X.11 alerts), and the traffic in the alert log file is shown as having originated from the snort machine -> scanning machine.

HELP!!!

I'm a first time user, I've read through all the docs, and I thought my snort install should be going nuts when I scan it. :(

TIA.
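The thread's puzzle is that alert.ids holds only X.11 alerts, logged in the sensor -> scanner direction, while the scan traffic the interface plainly sees produces nothing. The following is an added example, not code from the thread or the Snort project: it parses the "full" alert format Snort writes to alert.ids and tallies alerts per signature and per direction relative to the sensor, so a scan's results can be checked at a glance. The sample records, SIDs and addresses are constructed.

```python
import re
from collections import Counter

# Added example (not Snort code): parses Snort's "full" alert format, i.e. a
# "[**] [gid:sid:rev] msg [**]" line then "ts src[:port] -> dst[:port]" (ICMP: no ports).
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")

# Constructed sample (local-rule SIDs, private addresses), not real sensor output.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] X11 connection (constructed) [**]
[Classification: Misc activity] [Priority: 3]
06/19-17:25:01.123456 10.0.0.5:6000 -> 10.0.0.9:1040
TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:40

[**] [1:1000001:1] X11 connection (constructed) [**]
06/19-17:25:02.654321 10.0.0.5:6000 -> 10.0.0.9:1041

[**] [1:1000002:1] ICMP echo (constructed) [**]
06/19-17:25:03.000001 10.0.0.9 -> 10.0.0.5
ICMP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:60
"""

def parse_alerts(text):
    """Yield one dict per alert record: sid, msg, src, sport, dst, dport."""
    rec = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:                      # start of a new record
            rec = {"sid": int(h.group(2)), "msg": h.group(4)}
            continue
        f = FLOW_RE.match(line) if rec else None
        if f:                      # the src -> dst line completes the record
            rec.update(src=f.group(2), sport=f.group(3) and int(f.group(3)),
                       dst=f.group(4), dport=f.group(5) and int(f.group(5)))
            yield rec
            rec = None

def summarise(text, sensor_ip):
    """Return (alerts per (sid, msg), alert counts by direction vs. the sensor)."""
    by_sig, direction = Counter(), Counter()
    for a in parse_alerts(text):
        by_sig[(a["sid"], a["msg"])] += 1
        if a["src"] == sensor_ip:
            direction["from_sensor"] += 1     # sensor -> scanner, as in the thread
        elif a["dst"] == sensor_ip:
            direction["to_sensor"] += 1       # scanner -> sensor
        else:
            direction["other"] += 1
    return by_sig, direction
```

Run `summarise(open("alert.ids").read(), "<sensor address>")` against a real file after a scan; a signature table with nothing in the to_sensor bucket is the situation described in the thread.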
Current thread:
- New Install Infinity (Jun 19)
- RE: New Install Michael Steele (Jun 19)
- RE: New Install Infinity (Jun 19)
- RE: New Install Michael Steele (Jun 19)
- RE: New Install Infinity (Jun 19)
- RE: New Install Infinity (Jun 19)
- RE: New Install Michael Steele (Jun 19)