Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Snort Problems

From: "Patrick S. Harper" <patrick () internetsecurityguru com>
Date: Thu, 21 Oct 2004 20:59:16 -0500
I am not sure if the Vmware is doing anything.  You might want to send this
to the list.  I am forwarding it that way with the reply



Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com

www.ntsug.org - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light the
damn thing yourself!"
 
-----Original Message-----
From: Edward Sohn [mailto:edwardsohn () yahoo com] 
Sent: Thursday, October 21, 2004 8:19 PM
To: patrick () internetsecurityguru com
Subject: Snort Problems

Hi Patrick, 

I am a Snort and Linux newbie, and I appreciate your Snort installation
guide.  I'm having problems, however... 

I have everything installed and running on Fedora Core 2 in VMWare 4.5.2 on
Windows XP in bridged mode. 

I can see Snort working when I run it in verbose (I can see the packet
captures) 
I have the Snort.conf file logging to MySQL and then displaying in ACID. 

The problem is that I cannot see any entries in MySQL, and thus, nothing is
showing in ACID. 

I created a test.rules file and used "alert tcp any any -> any any..." and
saved it in the rules folder.  I then ran "snort -c test.rules" and nothing
happened (this ran cleanly, BTW).

You may think that there might be a problem with Snort not logging to MySQL,
but one time (and one time only) I ran a "snort -c /etc/snort/snort.conf"
and then ctrl-c'd a little while later.  RIGHT when I did so, my ACID page
logged 3 UDP packets.  The signatures read "[snort] SCAN UPnP service
discover attempt" on UDP 1900.  There are 3 identical entries sourcing from
the Host Computer (XP) IP address.

Since then, however, I have never seen any more packets being logged. 

Can you help me, please?  I would be eternally grateful.  Please let me know
what output I can copy and paste for you to see.

Thanks, 

Ed 




-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: