Snort mailing list archives
Re: Snort not alerting although tcpdump shows packet
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 17 Apr 2015 13:08:54 +0000
See the manual on IDS mode: http://manual.snort.org/node6.html

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Kumarswamy H N (kumhn)
Sent: Friday, April 17, 2015 8:06 AM
To: Gaurav Srivastava; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort not alerting although tcpdump shows packet

Snort will only alert if your traffic matches any of the snort rules with action set to alert. So you must provide a configuration file which includes an appropriate rule to alert for your traffic. To start with, you can add a simple rule to snort.conf that matches your traffic or enable appropriate rule protocol-icmp.rules.

Regards,
Kumar

From: Gaurav Srivastava [mailto:gaurav.srivastava7 () gmail com]
Sent: Friday, April 17, 2015 5:16 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort not alerting although tcpdump shows packet

Dear all,

I have a strange issue. I am running snort to observe traffic mirrored from another VM. But Snort is not alerting. To verify whether the packets are received or not I did a tcpdump using following command:

    sudo tcpdump -w icmp.pcap -i eth0 icmp

And when I read the file using snort using below command:

    snort -r icmp.pcap

It displays the ICMP packet logs. But the alert was not generated when snort was running. Please suggest. I am stuck here.

Thanks and Regards,
Gaurav
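Added example (not part of the original thread, and not code from the Snort project): the two replies above, turned into commands for Snort 2.x, showing the capture replayed in packet-dump mode versus IDS mode with one alert rule loaded. The rule text, sid 1000001, the file name icmp-test.rules and the directory /tmp/snort-test are constructed; passing a one-rule file directly as the -c configuration instead of the full snort.conf is an assumption.

```shell
#!/bin/sh
# Added example: why "snort -r icmp.pcap" shows packets but never alerts.
# Constructed values: rule text, sid 1000001, file name icmp-test.rules.

# Write a one-rule Snort 2.x config that alerts on every ICMP packet.
# Prints the path of the file it created.
write_icmp_test_rules() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/icmp-test.rules" <<'EOF'
# sid values of 1000000 and above are reserved for local rules
alert icmp any any -> any any (msg:"TEST ICMP packet seen"; sid:1000001; rev:1;)
EOF
    printf '%s\n' "$dir/icmp-test.rules"
}

# Replay a capture in IDS mode.
#   -c loads the rules (without -c Snort only decodes and prints packets)
#   -A console writes alerts to the terminal, -q hides the startup banner
# Returns 2 if snort is not installed, 3 if the capture cannot be read.
replay_ids_mode() {
    rules=$1
    pcap=$2
    command -v snort >/dev/null 2>&1 || { echo "snort not installed" >&2; return 2; }
    [ -r "$pcap" ] || { echo "cannot read $pcap" >&2; return 3; }
    snort -q -A console -c "$rules" -r "$pcap"
}

# Usage (not run automatically):
#   rules=$(write_icmp_test_rules /tmp/snort-test)
#   snort -r icmp.pcap                  # packet dump: no rules loaded, no alerts
#   replay_ids_mode "$rules" icmp.pcap  # IDS mode: alerts for the ICMP packets
#   sudo snort -q -A console -c "$rules" -i eth0   # same rule on the mirrored interface
```

Once the test rule fires, move it into a rules file included from the real snort.conf (or enable protocol-icmp.rules there, as suggested in the thread) and remove the catch-all rule.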