Snort mailing list archives

RE: Snort won't log anything! Please help...


From: "Kalteis, Nico (Contractor)" <Nico.Kalteis () ed gov>
Date: Fri, 28 Mar 2003 14:29:42 -0500

By the way, I just noticed this:  When I simply use the rule
 
alert any any -> any any
 
Snort logs just fine.  It sets up a whole separate folder for any IP address
it talks to.
 
But the moment I add ANYTHING behind that line containing a signature it
just sits there and does nothing.  Specifically, I tried this with a simple
"cmd.exe" rule.  Then I kept cutting down the signature part until all I was
left with was (content:"cmd.exe";) but to no avail.  Can anybody tell me why
it will log packets but not if I include a signature it's supposed to match?
 
Thanks!
 
Nico

-----Original Message-----
From: Kalteis, Nico (Contractor) [mailto:Nico.Kalteis () ed gov]
Sent: Friday, March 28, 2003 11:43 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort won't log anything! Please help...



Hello everyone! 

I just upgraded to Snort 1.9.1. It's sitting on a W2K Advanced Server box.
Just running snort in verbose mode is working just fine.  It displays ARP
packets and also whenever I send it a bogus request for cmd.exe, just to get
a rise out of it.  So that all works.  What doesn't work is the logging bit.
The alert.ids file stays empty.  When I modified the snort.conf file to use an
output plug-in to log to a file called snort.alert it actually produced the
file in my log directory right where I wanted it, but inside the file was
just about a dozen characters of gibberish, but no actual logs.  Snort
startup says it processed so and so many rules files and everything is just
peachy, but I can't get it to log.

Any ideas?  Your help is much appreciated. 

Cheers! 

Nico 


Nico C. Kalteis, MCSE, MCP+I
Senior Technology Consultant
c/o
National Center for Education Statistics
1990 K Street, NW
Room 9007
Washington, D.C. 20006
Ph.: 202-502-7884
Em.: nico.kalteis () ed gov 
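As an added example, not code from this thread or from the Snort project: a small checker for the Snort 1.x rule syntax the question is about. It assumes the standard rule layout (action, protocol, source address and port, direction, destination address and port, then options in parentheses, each option terminated by a semicolon) and uses constructed sample rules; it is an illustration of what a complete content-matching rule looks like next to a bare header, not a diagnosis of the poster's setup.

```python
"""Minimal well-formedness checker for Snort 1.x-style rule lines.

Added example; the accepted actions, protocols and port syntax below are
the common subset of the Snort 1.x rule language, not an exhaustive list.
"""
import re

ACTIONS = {"alert", "log", "pass"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
# 'any', a single port, or a low:high range, optionally negated with '!'
PORT_RE = re.compile(r"^!?(any|\d+|\d*:\d*)$")


def split_options(text):
    """Split the text between ( and ) into (keyword, value) pairs.

    A ';' inside double quotes (e.g. content:"a;b") does not end an option,
    and the last option must itself be closed with ';'.
    """
    items, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted string in options")
    if "".join(cur).strip():
        raise ValueError("last option is not terminated by ';'")
    pairs = []
    for item in items:
        if item:
            key, _, value = item.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs


def check_rule(line):
    """Return a list of problems found in one rule line; [] means it looks well-formed."""
    problems = []
    head, sep, rest = line.partition("(")
    fields = head.split()
    if len(fields) != 7:
        problems.append(
            f"header has {len(fields)} fields, expected 7: "
            "action proto src_ip src_port direction dst_ip dst_port")
    else:
        action, proto, _src, sport, direction, _dst, dport = fields
        if action not in ACTIONS:
            problems.append(f"unknown action {action!r}")
        if proto not in PROTOCOLS:
            problems.append(f"unknown protocol {proto!r}")
        if direction not in DIRECTIONS:
            problems.append(f"bad direction {direction!r}")
        for port in (sport, dport):
            if not PORT_RE.match(port):
                problems.append(f"bad port spec {port!r}")
    if sep:  # options present
        body = rest.rstrip()
        if not body.endswith(")"):
            problems.append("options not closed with ')'")
        else:
            try:
                opts = split_options(body[:-1])
            except ValueError as err:
                problems.append(str(err))
            else:
                for key, value in opts:
                    if key == "content" and not (
                            value.startswith('"') and value.endswith('"')):
                        problems.append(
                            f"content value must be double-quoted: {value}")
    return problems


if __name__ == "__main__":
    # Constructed samples: a complete rule, the bare header from the thread
    # (as quoted, without a protocol field), and the content-only fragment.
    samples = [
        'alert tcp any any -> any any (msg:"cmd.exe request"; content:"cmd.exe"; nocase;)',
        'alert any any -> any any',
        'alert any any -> any any (content:"cmd.exe";)',
    ]
    for rule in samples:
        print(rule)
        for problem in check_rule(rule) or ["ok"]:
            print("   ", problem)
```

Running it prints each sample rule followed by the problems the checker finds, so a rule file can be screened line by line before Snort is restarted.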

