Snort mailing list archives
Re: Test Snort
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Thu, 23 Aug 2012 13:45:11 -0400
Hey Marcio,

I built a shell script called Autosnort around this install guide. So here's a couple of questions that may help you troubleshoot your deployment:

1) Where is your sensor deployed? Are you giving snort traffic off of a span or tap? Have you run /usr/local/snort/bin/snort -i [your sensing interface] to verify snort is seeing traffic? If you see the text "commencing packet processing" followed by no further messages, either the span/tap isn't forwarding traffic to the interface properly, or the interface isn't set up properly. I didn't see anywhere in the install guide where you had to configure the physical interface for promiscuous mode, but try doing so.

2) I'm assuming you've added snort and barnyard to rc.local per the install guide. Have you run ps -ef | grep snort to ensure snort and barnyard are running?

3) I came to find in my tests that Snort Report wouldn't give me anything until the machine was rebooted after configuring everything, for one reason or another. Have you rebooted your system since configuring everything per the install guide?

4) Can you verify that srconf.php has the snort database user and password set correctly?

5) Has barnyard2.conf been configured to log to the snort database and given correct credentials to drop information into the database? Check the output: log, mysql [user name, password, database name] line to verify.

6) Does the snort user have permissions to do things to the snort database? Test by running: mysql -usnort -p[snort user password, no space between -p and the actual password] snort -e "show tables;" If this returns output, the snort user has rights to view data in the snort database.

7) Are the unified2 files growing in size? These files should be located in /var/log/snort and should have the filename snort.u2.[epoch timestamp here]. Do an ls -al and confirm your snort unified files are not zero bytes in size. If they are 0 bytes in size, this indicates snort hasn't generated any alerts off of your traffic.

8) Verify what HOME_NET and EXTERNAL_NET are set to in snort.conf. Try setting both to "any" for testing purposes. Also try using BackTrack or a system running Metasploit to attack a system snort has visibility on to generate an alert or two.

Hope this helps,
-Tony

On Thu, Aug 23, 2012 at 10:32 AM, Márcio Erli <marcioerli () gmail com> wrote:

> I configured snort based on the documentation at http://www.snort.org/assets/158/snortinstallguide293.pdf on snort.org's own site. It is not generating any alerts. How can I test if this is working?
>
> Thankful,
> Marcio.
-- when does reality end? when does fantasy begin?
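Several of the checks in Tony's list (the barnyard2 database output line, the unified2 spool file sizes, and the HOME_NET/EXTERNAL_NET values in snort.conf) can be scripted instead of eyeballed. The following is an added example, not code from the thread or from Autosnort; the file contents and paths that make_fixtures writes are constructed sample data, and the "output database:" line follows barnyard2's own config syntax.

```shell
#!/bin/sh
# Added example (not from the thread): Tony's checks 5, 7 and 8 as shell
# functions that return 0 on pass / 1 on fail, so they can be scripted.
# Paths and values inside make_fixtures are constructed sample data.

# Check 7: is there at least one unified2 spool file with a non-zero size?
# A directory of only 0-byte snort.u2.* files means snort has not alerted.
unified2_has_data() {
    for f in "$1"/snort.u2.*; do
        [ -f "$f" ] && [ -s "$f" ] && return 0
    done
    return 1
}

# Check 5: does barnyard2.conf have an active (uncommented) database output
# line? Prints the line so the user/password/dbname can be verified.
barnyard2_db_output() {
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1"
}

# Check 8: print the value of an ipvar/var (HOME_NET, EXTERNAL_NET) from
# snort.conf; only the first uncommented definition is used.
snort_var() {
    awk -v name="$2" '
        ($1 == "ipvar" || $1 == "var") && $2 == name {
            $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit
        }' "$1"
}

# Build a throwaway directory of constructed files so the checks run
# offline without a live sensor; prints the directory path.
make_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/log" "$d/empty"
    printf 'constructed unified2 bytes' > "$d/log/snort.u2.1345740000"
    : > "$d/empty/snort.u2.1345740001"          # 0-byte spool: no alerts
    printf '%s\n' '# constructed snort.conf excerpt' \
        'ipvar HOME_NET any' 'ipvar EXTERNAL_NET !$HOME_NET' > "$d/snort.conf"
    printf '%s\n' 'output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost' \
        > "$d/barnyard2.conf"
    echo "$d"
}

# Stand-alone run: report each check against the constructed fixtures.
d=$(make_fixtures)
unified2_has_data "$d/log"   && echo "unified2 in $d/log has data"
unified2_has_data "$d/empty" || echo "unified2 in $d/empty is empty (no alerts yet)"
barnyard2_db_output "$d/barnyard2.conf" || echo "no database output in barnyard2.conf"
echo "HOME_NET=$(snort_var "$d/snort.conf" HOME_NET) EXTERNAL_NET=$(snort_var "$d/snort.conf" EXTERNAL_NET)"
rm -rf "$d"
```

Point the functions at the real /var/log/snort, barnyard2.conf and snort.conf to run the same checks on a live sensor.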