Snort mailing list archives
Re: How to test if snort is properly functioning?
From: Joost Ringoot <joost.ringoot () meteo be>
Date: Thu, 28 Mar 2019 09:29:33 +0100 (CET)
I can recommend this tutorial: https://upcloud.com/community/tutorials/installing-snort-on-centos/ very fast hands on, works, just a few extra
From: "Joost Ringoot" <joost.ringoot () meteo be>
To: "snort-users" <snort-users () lists snort org>
Sent: Thursday, 14 March, 2019 09:35:21
Subject: [Snort-users] How to test if snort is properly functioning?
Hello,
I have just set up snort and let it run with this command:
snort -i ens224 -A fast -c /etc/snort/snort.conf
It is running with these as the last lines:
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Commencing packet processing (pid=31593)
ens224 is a secondary network interface which is not configured with an IP address; I think that is ok and preferred?
But nothing gets logged.
I tried a couple of nmaps to get something logged:
eg: nmap -sP 192.168.15.0/24
even on the machine itself.
BTW: 192.168.15.0/24 is the subnet configured on the primary interface; it is the same physical LAN as the secondary interface that I use for snort.
I would expect that snort would log something about the portscan, but nothing.
There are daily alert files in /var/log/snort, but they are empty.
Are my expectations wrong? What should I do for instance to get a portscan logged by snort?
(BTW: pulledpork is installed and
./pulledpork/pulledpork.pl -c /etc/pulledpork/pulledpork.conf
ends with:
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly! )
Thanks in advance,
KMI - IRM
Joost RINGOOT
System Administrator
Koninklijk Meteorologisch Instituut / Institut Royal Météorologique
Ringlaan 3 / Avenue Circulaire, 1180 Brussel | Bruxelles
+32 (0)2 373 06 75, after office hours: +32 (0)2 373 06 83
https://www.meteo.be/
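Added example (not from the list thread or the Snort project): a small Python checker for the two things an empty /var/log/snort alert file most often comes down to in a Snort 2.x setup like the one described above: whether the sfportscan preprocessor and local.rules are actually enabled in snort.conf, and whether the sniffing interface is up and in promiscuous mode. The snort.conf snippet is constructed; the sysfs path, interface name and flag bit values are assumptions about a Linux host.

```python
import re
from pathlib import Path

# Constructed snort.conf fragment (not the poster's real file); sfportscan is commented out on purpose.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
include $RULE_PATH/local.rules
"""

# Linux net_device flag bits as exposed in /sys/class/net/<iface>/flags (assumed constants).
IFF_UP, IFF_PROMISC = 0x1, 0x100

# A minimal rule for local.rules that fires on any ICMP echo, so a plain ping proves the pipeline works.
TEST_RULE = 'alert icmp any any -> any any (msg:"ICMP test"; sid:1000001; rev:1;)'


def check_conf(text):
    """Report whether snort.conf enables sfportscan (and at which sense_level) and includes local.rules."""
    live = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    scan = [l for l in live if l.startswith("preprocessor sfportscan")]
    m = re.search(r"sense_level\s*\{\s*(\w+)\s*\}", scan[0]) if scan else None
    return {
        "sfportscan_enabled": bool(scan),
        "sense_level": m.group(1) if m else None,
        "local_rules_included": any(re.search(r"^include\s+\S*local\.rules", l) for l in live),
    }


def decode_flags(hex_flags):
    """Turn the hex flags string from sysfs into (is_up, is_promisc)."""
    flags = int(hex_flags, 16)
    return bool(flags & IFF_UP), bool(flags & IFF_PROMISC)


def iface_flags(iface, sysfs="/sys/class/net"):
    """Read the interface flags from sysfs; None if the interface does not exist on this host."""
    p = Path(sysfs) / iface / "flags"
    if not p.exists():
        return None
    return decode_flags(p.read_text().strip())


if __name__ == "__main__":
    conf = Path("/etc/snort/snort.conf")
    text = conf.read_text() if conf.exists() else SAMPLE_CONF
    print("snort.conf:", check_conf(text))
    print("ens224 (up, promisc):", iface_flags("ens224"))
    print("Suggested local.rules test rule:", TEST_RULE)
```

Run it on the sensor after `snort -T -c /etc/snort/snort.conf` validates the configuration; if sfportscan_enabled is False or the interface is not up and promiscuous, no scan will ever be alerted on regardless of the rule set.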