Snort mailing list archives
Re: Initial snort.conf
From: Nick Moore <nmoore () sourcefire com>
Date: Thu, 27 Jan 2011 10:03:55 -0600
Vishesh,

Are you trying to test your preprocessor or your logging? If your concern is the logging, I would suggest creating a simple rule to alert on your workstation browsing to a particular web site. That way you can be sure that you are triggering the rule and that your logging is working as expected. Also, once you've verified that everything is working, disable the rule.

I can't comment on Scapy. Perhaps others on the list may have more insight.

Happy Snorting!

Nick

On Thu, Jan 27, 2011 at 9:55 AM, vishesh kumar <linuxtovishesh () gmail com> wrote:
I am a newbie in snort. I wrote the following lines in snort.conf:

    ipvar HOME_NET 192.168.1.0
    ipvar EXTERNAL_NET any
    preprocessor stream5_global : max_tcp 8192, track_tcp yes, track_udp no, track_icmp no
    preprocessor stream5_tcp : detect_anomalies

Then I started snort with the following command:

    root# snort -c snort.conf -l /var/log/snort -A fast

But the problem is that nothing is getting logged in /var/log/snort/alert, even though I am sending forged SYN requests using scapy. I tried multiple invalid TCP sessions but nothing gets logged. What may be the error?

Thanks
--
http://linuxmantra.com
--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM nickgmoore (Yahoo) nickgmoore38 (AIM)
Sourcefire - The Creators of Snort
www.sourcefire.com www.snort.org
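As an added illustration of the sanity check Nick describes (this is not part of either message), a minimal snort.conf fragment with one rule that fires when a host on HOME_NET sends an HTTP request whose Host header names a chosen test site; the /24 netmask, the site name, the sid and the rule text are assumptions for the example:

```conf
# Added example, not from the original thread. Assumes Snort 2.x rule syntax
# and that the workstation sits in 192.168.1.0/24 (netmask assumed).
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS 80

# Stream tracking is needed for the flow: keyword used in the rule below.
preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no, max_tcp 8192
preprocessor stream5_tcp: policy first, detect_anomalies

# Single sanity-check rule. It fires on an outbound request to the test site,
# so a browse from the workstation proves both detection and the alert log path.
# sid 1000001 is in the range reserved for local rules (assumed free here).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL TEST browse to example.com"; \
    flow:to_server,established; \
    content:"Host: example.com"; nocase; \
    sid:1000001; rev:1; )

# Comment the rule out (or remove it) once the alert appears, as Nick advises.
```

Start snort with the same `-c snort.conf -l /var/log/snort -A fast` invocation from the original message and browse to the test site; an entry tagged `[1:1000001:1]` in /var/log/snort/alert confirms that logging works, after which the rule should be disabled.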
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Initial snort.conf vishesh kumar (Jan 27)
- Re: Initial snort.conf Nick Moore (Jan 27)