Snort mailing list archives

Re: How to verify snort functionality


From: Joel Esler <jesler () sourcefire com>
Date: Sun, 12 Apr 2009 12:12:28 -0400

Doesn't look like you have triggered any alerts.  You might try something
like Metasploit.
J

On Sun, Apr 12, 2009 at 11:54 AM, David Kingsly <davidkingsly () verizon net> wrote:

I see snort running:
root@thunder:/etc/snort# ps aux |  grep snort
snort    14473  7.1  7.1 144468 110520 ?       Ss   18:52   0:05 snort
-c /etc/snort/snort.conf -u snort -g snort -D
root     30336  0.0  0.1   6464  2564 pts/0    S+   12:50   0:00 mysql
-u snort -p snort
root@thunder:/etc/snort#

Now I want to verify that alerts are triggered, and sent to the log
directory, and the database.  So I installed nmap on a different machine
connected to the snort box through a hub, and I issued the command nmap
x.x.x.x ( IP of my snort machine ).  I do not see anything in my
database or the alerts directory located at /var/log/snort.  Is there
anywhere I forgot to look?  Something I need to disable?  ( I disabled
the Linux firewall through Firestarter )

mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

mysql> select * from data;
Empty set (0.00 sec)

mysql>

*****************************

root@thunder:/var/log/snort# more alert
root@thunder:/var/log/snort# ls
alert  snort.log.1239490353
root@thunder:/var/log/snort# more snort.log.1239490353
root@thunder:/var/log/snort#

------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974
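As an added example (not code from the thread, from Snort or from Sourcefire), a small Python check for the alert file the thread shows empty: it parses Snort's fast-format alert lines from /var/log/snort/alert and reports whether any alert, or one specific expected rule SID, has actually fired. The sample alert lines and the test-rule SID 1000001 are constructed assumptions.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample of Snort "fast" alert lines (not output from the thread).
SAMPLE_ALERTS = """\
04/12-12:50:01.123456  [**] [1:1000001:1] LOCAL ICMP test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
04/12-12:50:03.654321  [**] [1:1000002:1] LOCAL SSH connect test [**] [Priority: 2] {TCP} 192.168.1.20:51234 -> 192.168.1.10:22
04/12-12:50:04.000001  [**] [1:1000001:1] LOCAL ICMP test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.21 -> 192.168.1.10
not an alert line: counted as unparsed
"""

# Fast format: ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
INT_FIELDS = ("gid", "sid", "rev", "prio")

def parse_alert_line(line: str) -> Optional[dict]:
    """Return one alert as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = {k: int(v) if k in INT_FIELDS else v for k, v in m.groupdict().items()}
    if rec["proto"] in ("TCP", "UDP"):  # split "host:port" (IPv4 addresses only)
        for key in ("src", "dst"):
            host, sep, port = rec[key].rpartition(":")
            if sep and port.isdigit():
                rec[key], rec[key + "_port"] = host, int(port)
    return rec

def summarize(lines) -> dict:
    """Count alerts per rule and per source address, plus unparsable lines."""
    lines = [l for l in lines if l.strip()]
    events = [r for r in map(parse_alert_line, lines) if r]
    return {
        "total": len(events),
        "unparsed": len(lines) - len(events),
        "by_rule": Counter((e["gid"], e["sid"], e["msg"]) for e in events),
        "by_src": Counter(e["src"] for e in events),
    }

def check_alerts(lines, expect_sid: Optional[int] = None):
    """(ok, summary); ok is False for an empty file or if expect_sid never fired."""
    s = summarize(lines)
    fired = {sid for (_, sid, _) in s["by_rule"]}
    return s["total"] > 0 and (expect_sid is None or expect_sid in fired), s
```

Feed it the lines of /var/log/snort/alert and pass the SID of a local test rule (one that fires on something you can safely generate yourself, such as a ping to the sensor) as expect_sid; an empty file, as in the thread, yields ok=False.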