Snort mailing list archives
Re: no IDS logs from snort
From: Ray Caparros <arcy24 () gmail com>
Date: Mon, 11 Mar 2013 14:02:40 -0400
Glad to know you got it working!

On Mar 11, 2013 1:56 PM, "Kevin Thomas" <kpt2078 () gmail com> wrote:

> All, I think this problem is resolved now. I deleted all of my snort rules under /etc/snort/rules and then I changed my source from "Sourcefire VRT for registered users" to "EmergingThreats.net Community rules" and then pulled the updates for the new rules, selected the rules I wanted to use, and then stopped and restarted snort. Not long afterward, it began writing to the /var/log/snort/alert file and guardian could finally act on the alerts.
>
> Next on the agenda is to find out why the guardian process keeps dying and restarting automatically every 20 minutes or so, releasing all the IP blocks when it restarts.
>
> Thanks to everyone who offered insight/suggestions.
>
> Kevin
>
> On Mon, Mar 11, 2013 at 11:53 AM, waldo kitty <wkitty42 () windstream net> wrote:
>
>> On 3/8/2013 17:44, Kevin Thomas wrote:
>>
>>> This is the contents of the /etc/snort directory. The files owned by root:root were created by me.
>>>
>>> -rw-r--r-- 1 root   root      152 2013-03-06 18:13 readme.txt
>>> drwxr-xr-x 2 nobody nobody  12288 2013-03-06 23:37 rules
>>> -rw-r--r-- 1 nobody nobody  19506 2013-03-06 23:57 snort.conf
>>> -rw-r--r-- 1 nobody nobody  19506 2013-02-16 11:03 snort.conf.orig
>>> -rwxr-xr-x 1 root   root       73 2013-03-06 18:38 snort-test.sh
>>> -rwxr-xr-x 1 root   root       29 2013-03-07 00:01 start.sh
>>> -rwxr-xr-x 1 root   root       28 2013-03-07 00:02 stop.sh
>>> -rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
>>> -rw-r--r-- 1 root   root      104 2013-03-07 00:03 vars
>>
>> what are the contents of this vars file? what creates it? when?
>>
>>> # taken from /etc/snort vars
>>> #ipvar HOME_NET any
>>> # Set up the external network addresses. Leave as "any" in most situations
>>> ipvar EXTERNAL_NET any
>>
>> i ask about that vars file because it is referenced above... you did not post your entire snort.conf so i can't see if there's an "include /etc/snort/vars" line in it as is indicated there should be... i'm thinking that file may need to be nobody:nobody because snort is likely running as nobody... that's the way we do it anyway ;)

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!