Network Security: Detailed info on Re: [Snort-users] No Alerts Being Generated

Subject:	Re: [Snort-users] No Alerts Being Generated
Date:	Wed, 29 Sep 2004 16:56:46 -0400

Well the first thing I see in your file is the EXTERNAL_NET variable is set
to any. You might want to set that to !$HOME_NET for a start.

Second, you can run snort -T -c /etc/snort/snort.conf to test your snort
configuration.

Next thing is to make sure your snort box is listening on a span port of a
switch or a tap or a hub (probably not using one in your case I think) and
that the span port/tap is configured correctly.

Then, if possible, you could try generating some traffic that Snort should
alert on, like maybe a web request for ftp.pl which should set off sid
1107. You could run some nessus tests or just do it manually with a
straightforward http://www.yourwebhost.org/ftp.pl or pick some other simple
rule to test.

On  0, snort-users-request@lists.sourceforge.net allegedly wrote:

   3. No Alerts Being Generated (Kaplan, Andrew H.)

--__--__--

Message: 3
From: "Kaplan, Andrew H." <AHKAPLAN@PARTNERS.ORG>
To: "Snort User Group (E-mail)" <snort-users@lists.sourceforge.net>
Date: Wed, 29 Sep 2004 15:35:26 -0400
Subject: [Snort-users] No Alerts Being Generated

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_000_01C4A65B.7895D89C
Content-Type: text/plain;
      charset="iso-8859-1"

I completed installing snort 2.2.0 (build 30) and have begun running it. The
ACID GUI and /var/log/snort/alert files have not shown any alerts
even though the program has been running for over an hour. To verify there 
were
no syntax errors in the snort.conf file, I ran the following:

snort -c /etc/snort/snort.conf

There were no errors and warnings, and the program appears to be running
properly. Where in snort.conf and elsewhere, should I check for 
configuration mistakes? I have included the snort.conf file here. Thanks.

 <<snort.conf.29sept04.txt>> 

--__--__--

 
+-----------------------------------------------------------------+
    Nigel Houghton      Research Engineer       Sourcefire Inc.
                  Vulnerability Research Team

 Cat: "Forget red - let's go all the way up to brown alert!"
 Kryten: "There's no such thing as a brown alert sir."
 Cat: "You won't be saying that in a minute!"


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] No Alerts Being Generated, Kaplan, Andrew H. RE: [Snort-users] No Alerts Being Generated, Matthew K. Lee Re: [Snort-users] No Alerts Being Generated, Nigel Houghton <= RE: [Snort-users] No Alerts Being Generated, Kaplan, Andrew H. RE: [Snort-users] No Alerts Being Generated, Matthew K. Lee RE: [Snort-users] No Alerts Being Generated, Shawn Kottke

Previous by Date:	Re: [Snort-users] packet loss, Jose Maria Lopez
Next by Date:	[Snort-users] TR: Snort-Gui Editing Rules, Raffael Maio
Previous by Thread:	RE: [Snort-users] No Alerts Being Generated, Matthew K. Lee
Next by Thread:	RE: [Snort-users] No Alerts Being Generated, Kaplan, Andrew H.
Indexes:	[Date] [Thread] [Top] [All Lists]