Snort mailing list archives
RE: Help with a config file please?
From: snort () xiata com
Date: Fri, 4 Apr 2003 17:25:46 -0500 (EST)
Christopher,

OK, I changed the conf to only send the log data to MySQL. I am trying to stick to the config that silicondefense.com puts out in http://www.silicondefense.com/support/windows/winsnortdocs/WinSnortIIS.pdf. After re-reading that doc I also made a couple of other changes, but so far no luck on detecting all the nmap stuff that I am sending. I am now able to see portscans going to the IP address of the Snort device, but still nothing comes up when I sweep the other IPs that I need to monitor.

When I run snort -v -i2 I see all the traffic going through that system (there is a lot of traffic, so I can't simply see the portscan taking place). When I use windump and narrow its scope down to only packets with a source of the machine that I am using to run nmap, I am able to see those packets, so I know that the stuff is in fact getting to the Snort device. I took a look at the MySQL database and there is data there from the portscan that I sent to the IP address of the Snort box, so at least the logging part is taking place in one way, shape or form.

For what it's worth, I have 2 NICs on this system: one to access the ACID console that only has TCP/IP bound and is firewalled (MS), and the second to run the monitor, and that one has no bindings whatsoever.

Any ideas as to where I screwed up this config are really welcome.

Carlos
Either send Snort log data to MySQL or alert data to MySQL, but not both [0].

Q: Have you run Snort in its sniffer mode (e.g., snort -i1 -v) to see if the traffic from your scans and 'attacks' is even being seen by Snort?

Q: Have you looked directly into the MySQL database to see if the Snort DB event table actually has any data in it?

I'm not an ACID popper ;) so I cannot help you much with why ACID does not see any alerts, but from previous posts to this list I can safely say that it's often best to roll back your config to something simpler, say alerting to a text file, while trying to diagnose Snort problems.

- Christopher

[0] - http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
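The two configuration points raised in this reply (do not send both the log and the alert facility to the database plugin, and fall back to a plain text alert file while troubleshooting) can be checked mechanically before restarting Snort. The following is an added example, not code from the original thread or from the Snort project: a small linter for the `output` directives of a Snort 1.9/2.0-era snort.conf. The two embedded config fragments are constructed for the example, and the credentials and file names in them (`user=snort`, `password=xxxx`, `alert.ids`) are placeholders, not values from the original post.

```python
"""Lint the 'output' directives of a snort.conf (Snort 1.9/2.0 syntax).

Snort's database plugin is configured as
    output database: <log|alert>, <db type>, <key=value ...>
and text alerting as, for example,
    output alert_fast: alert.ids
"""
import re

# Constructed sample: both facilities pointed at MySQL (the situation the
# reply warns against). Credentials are placeholders.
SAMPLE_CONF_BOTH = """\
var HOME_NET 192.168.1.0/24
preprocessor portscan: $HOME_NET 4 3 portscan.log
output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost
output database: alert, mysql, user=snort password=xxxx dbname=snort host=localhost
include classification.config
"""

# Constructed sample: database output commented out, plain text alerts on,
# i.e. the simpler troubleshooting configuration suggested in the reply.
SAMPLE_CONF_SIMPLE = """\
var HOME_NET 192.168.1.0/24
preprocessor portscan: $HOME_NET 4 3 portscan.log
# output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost
output alert_fast: alert.ids
"""

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")

# Output plugins that write somewhere you can inspect with a text editor
# or tcpdump/windump, independent of any database or console.
TEXT_PLUGINS = {"alert_fast", "alert_full", "alert_syslog", "log_tcpdump"}


def parse_outputs(conf_text):
    """Return (plugin, facility, args) for every active 'output' directive.

    facility is 'log' or 'alert' for the database plugin and None for
    plugins that take no facility keyword. Lines commented with '#' are
    ignored (snort.conf comments run from '#' to end of line).
    """
    outputs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, rest = m.group(1), m.group(2).strip()
        if plugin == "database":
            facility, _, args = rest.partition(",")
            outputs.append((plugin, facility.strip(), args.strip()))
        else:
            outputs.append((plugin, None, rest))
    return outputs


def lint_outputs(conf_text):
    """Return a list of findings (empty list means nothing to complain about)."""
    outputs = parse_outputs(conf_text)
    findings = []

    db_facilities = {fac for plugin, fac, _ in outputs if plugin == "database"}
    if {"log", "alert"} <= db_facilities:
        findings.append(
            "both 'log' and 'alert' are sent to the database plugin; "
            "configure one or the other, not both"
        )

    has_text_output = any(plugin in TEXT_PLUGINS for plugin, _, _ in outputs)
    if db_facilities and not has_text_output:
        findings.append(
            "no text or pcap output configured; add e.g. "
            "'output alert_fast: alert.ids' while troubleshooting so alerts "
            "can be checked without the database or ACID"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("both-to-db", SAMPLE_CONF_BOTH), ("simple", SAMPLE_CONF_SIMPLE)):
        print(f"[{name}]")
        for finding in lint_outputs(conf) or ["ok"]:
            print("  -", finding)
```

Run it against your own snort.conf by reading the file into `lint_outputs()`; a clean result on the simplified config, followed by alerts appearing in the text file during a scan, separates a Snort detection problem from a database or ACID display problem.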
Current thread:
- Help with a config file please? snort (Apr 03)
- <Possible follow-ups>
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? snort (Apr 04)
- RE: Help with a config file please? L. Christopher Luther (Apr 04)
- RE: Help with a config file please? snort (Apr 08)