Snort mailing list archives

Re: Initial snort.conf


From: Nick Moore <nmoore () sourcefire com>
Date: Thu, 27 Jan 2011 10:03:55 -0600

Vishesh,

Are you trying to test your preprocessor or your logging?

If your concern is the logging, I would suggest creating a simple rule to
alert on your workstation browsing to a particular web site. That way you
can be sure that you are triggering the rule and that your logging is
working as expected. Also, once you've verified that everything is working,
disable the rule.

I can't comment on Scapy. Perhaps others on the list may have more insight.


Happy Snorting!

Nick

On Thu, Jan 27, 2011 at 9:55 AM, vishesh kumar <linuxtovishesh () gmail com> wrote:

I am a newbie in snort. I wrote the following lines in snort.conf
 ipvar HOME_NET 192.168.1.0
 ipvar EXTERNAL_NET any
 preprocessor stream5_global : max_tcp 8192, track_tcp yes, track_udp no, track_icmp no
 preprocessor stream5_tcp : detect_anomalies

Then I started snort with the following command
 root#snort -c snort.conf -l /var/log/snort -A fast

But the problem is that nothing is getting logged in /var/log/snort/alert,
even though I am sending forged SYN requests using scapy. I tried
multiple invalid TCP sessions but nothing gets logged.
What may be the error?

Thanks

--
http://linuxmantra.com


------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better
price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
       nickgmoore38 (AIM)

    ,,_
   o"  )~   Sourcefire - The Creators of Snort
    ''''

www.sourcefire.com         www.snort.org
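A concrete form of the test Nick suggests, added here as an example and not part of the thread: a local rule that fires when a host on the home network sends an HTTP request for a particular site, so that a hit in /var/log/snort/alert confirms the logging path. The rule file name, the /24 mask and example.com are assumptions.

```snort
# --- snort.conf fragment (added example; values are assumptions) ---
# Give HOME_NET a mask; a bare address covers only that single host.
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS 80

# stream5 as in the original post, written in the standard form,
# so that the 'flow:' keyword in the rule below has session state.
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no, track_icmp no
preprocessor stream5_tcp: detect_anomalies

# Pull in the local test rule; remove this line once logging is verified.
include test.rules

# --- test.rules (assumed file name) ---
# SIDs from 1000000 upward are reserved for local rules.
# Fires when a HOME_NET host requests a page from example.com on port 80.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"TEST logging - workstation browsing to example.com"; \
    flow:to_server,established; \
    content:"Host|3A| example.com"; nocase; \
    sid:1000001; rev:1; )
```

Start Snort as in the post (snort -c snort.conf -l /var/log/snort -A fast), browse to http://example.com/ from a HOME_NET host, and a line tagged [1:1000001:1] should appear in /var/log/snort/alert. Running snort -T -c snort.conf first checks that the configuration parses before you test.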