Re: No tcpdump or alert logging

[Joel Esler <jesler () sourcefire com>]

Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users


On Apr 17, 2012, at 5:22 AM, Jim <greenja9 () cableone net> wrote:

> please take me off of the mailing list for now?
>
> From: Christian Gebler [mailto:geblerc () googlemail com] 
> Sent: Tuesday, April 17, 2012 3:46 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] No tcpdump or alert logging
>
> Hello,
>
> i am trying to set up Snort v2.9.2 on Ubuntu Server 10.04 LTS. I used the documents from the Snort website for that, 
> and followed them thru the whole Snort, Snortrules, daq and libdnet installation.
> Now Snort works fine without any Errors and in verbose mode i can see that snort take a look at my LAN. It also said 
> "it's all good" if i run it with the commandline-option "-T".
>
> But i also want to log the Tcpdumps and alerts, i use syslog and pcab for that in the snort.conf:
>
> 526 # syslog
> 527 output alert_syslog: LOG_AUTH LOG_INFO
> 528 
> 529 # pcap
> 530 output log_tcpdump: tcpdump.log
>
> If i start Snort with the following options:
>
> /usr/local/snort/bin/snort -u snort -g snort -d -l /var/log/snort -c /usr/local/snort/etc/snort.conf -i eth0
>
> Snort Creates the file "tcpdump.log.1334228358", but thats it. No logging into this file, it is just a 0Kb file.
>
> On my system is an older version of Snort from the Ubuntu apt-get package-system, if i use this version, it works 
> fine with logging and so on...But it is the 2.8 version of Snort and i won't use it.
>
>
> Here is my Snort terminal output: http://paste.kde.org/458414/
>
>
>
> Thanks for your help!
> ------------------------------------------------------------------------------
> Better than sec? Nothing is better than sec when it comes to
> monitoring Big Data applications. Try Boundary one-second 
> resolution app monitoring today. Free.
> http://p.sf.net/sfu/Boundary-dev2dev_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!