Re: How to test if snort is properly functioning?

["Joel Esler \(jesler\) via Snort-users" <snort-users () lists snort org>]

Joost,

We would be interested in having your content submitted to live on the Documentation page on Snort.org 
<http://snort.org/> if you are interested.

> On Mar 28, 2019, at 1:29 AM, Joost Ringoot <joost.ringoot () meteo be> wrote:
>
>
> I can recommend this tutorial: 
> https://upcloud.com/community/tutorials/installing-snort-on-centos/ 
> <https://upcloud.com/community/tutorials/installing-snort-on-centos/>
>
> very fast hands on, works, just a few extra
>
> From: "Joost Ringoot" <joost.ringoot () meteo be>
> To: "snort-users" <snort-users () lists snort org>
> Sent: Thursday, 14 March, 2019 09:35:21
> Subject: [Snort-users] How to test if snort is properly functioning?
> Hello,
>
> I have  just set up snort and let it run with this command:
>
> snort -i ens224 -A fast -c /etc/snort/snort.conf
>
> It is running with this as last lines:
> Preprocessor Object: SF_GTP Version 1.1 <Build 1>
> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
> Preprocessor Object: SF_DNS Version 1.1 <Build 4>
> Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
> Commencing packet processing (pid=31593)
>
>
> ens224 is a secondary network interface which is not configured with IP address, I think that is ok and preferred?
>
>
> But nothing gets logged
>
> I tried a couple nmaps to get something logged:
>
> eg: 
> nmap -sP 192.168.15.0/24 
>
> even on the machine itself
>
> BTW: 192.168.15.0/24 is the subnet that is on the primary interface configured, it is the same physical LAN as the 
> secondary interface  that I use for snort.
>
> I would expect that snort would log something about the portscan, but nothing.
>
> There are daily alert files in 
> /var/log/snort
>
> but they are empty
>
>
> Are my expectations wrong? 
> What should I do for instance to get a portscan logged by snort?
>
>
>
>
> (BTW: pulled pork is installed and 
> ./pulledpork/pulledpork.pl -c /etc/pulledpork/pulledpork.conf 
>
> ends with 
> Done
> Please review /var/log/sid_changes.log for additional details
> Fly Piggy Fly!
> )
>
>
>
> Thanks in advance,
>
>
>
>
>
> KMI - IRM
> Joost RINGOOT
> System Administrator
> Koninklijk Meteorologisch Instituut
> Institut Royal Météorologique
> Ringlaan 3 Avenue Circulaire
> 1180 Brussel | Bruxelles
> +32 (0)2 373 06 75
> after office hours: 
> +32 (0)2 373 06 83
> www.meteo.be <https://www.meteo.be/> <https://www.facebook.com/kmi.be/> <https://www.facebook.com/www.meteo.be/>
> Pensez à l'environnement, n'imprimez ce mail que si nécessaire
> Denk aan het milieu, print deze mail niet af tenzij echt nodig 
> <http://ec.europa.eu/environment/emas/register/search/registration.do?registrationId=582580>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>       To unsubscribe, send an email to:
>       snort-users-leave () lists snort org
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Attachment: smime.p7s
Description:

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette