Author Topic: Calling all Snort Pros!  (Read 5288 times)
Lubinski
Newbie
Posts: 26
« on: December 18, 2010, 04:15:38 PM »
I have set up snort inside a Cent box. It seems to run fine and outputs to BASE fine, but all of my alerts are of the unclassified type. See attached picture.

The only possibility that I know of / found is that I am running snort 2.9.0.2 with 2.9.0.1 rules. But I'm not sure about that. This is my first snort install.

I have even hit it with Nmap and nothing else shows up.

http://www.flickr.com/photos/lubinski/5272407480/
MaXe
Hero Member
Posts: 669
I've just upgraded myself to a cyborg muahahaa!!1
« Reply #1 on: December 19, 2010, 05:56:49 AM »

I haven't played much with snort, but have you checked the RAW logs which Snort outputs? It could be "BASE" not interpreting the logs in a correct way, since I assume that the rules haven't changed much from 2.9.0.1 to 2.9.0.2.

Did you try asking this question at: https://forums.snort.org/ ?

There is also a Snort mailing list, where you can submit emails and get a much more appropriate response as well.

In essence, the problem is most likely located in:
A) BASE - The log parser / interpreter (likely)
B) The Snort rules (unlikely)
C) A setting within Snort, which you did not specify to your needs. (likely)

This is just my random guess at what seems to be most likely wrong.

To resolve problem C, check the user documentation. (It's quite long and well described.)
I'm an InterN0T'er

rdm
Newbie
Posts: 9
« Reply #2 on: December 20, 2010, 07:20:12 PM »

In your snort.conf file do you have all the rules enabled? How do the snort logs look? When snort starts it puts a ton of info in the log. Look through it carefully; chances are you will find something there.
GCIH, GCIA, CEH, Security+
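Both replies above point at the raw Snort output as the place to settle whether the alerts are really unclassified or BASE is just presenting them that way. The script below is an added example, not code from the thread or from the Snort project: it parses Snort "alert_fast" style lines (layout assumed from memory, with constructed sample lines rather than the poster's real log) and tallies alerts by the classification the log itself carries, so an alert whose rule fired without a classtype shows up as "unclassified" before BASE ever sees it.

```python
import re
from collections import Counter

# Assumed alert_fast layout (not taken from the thread):
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <name>] [Priority: <n>] {<proto>} <src> -> <dst>
# The "[Classification: ...]" bracket is absent when the rule carries no classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # No Classification bracket in the raw log means the rule itself had no classtype.
    fields["classification"] = fields.pop("cls") or "unclassified"
    return fields


def classification_report(lines):
    """Return {classification: Counter({sid: hits})} over the parseable lines."""
    report = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # startup chatter, blank lines, etc.
        report.setdefault(alert["classification"], Counter())[alert["sid"]] += 1
    return report


# Constructed sample log: two hits from a rule without classtype, one from a rule with it.
SAMPLE = """\
12/18-16:15:38.123456  [**] [1:1000001:1] LOCAL test rule without classtype [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
12/18-16:15:39.222222  [**] [1:1000002:1] LOCAL test rule with classtype [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40000 -> 192.0.2.20:80
12/18-16:15:40.333333  [**] [1:1000001:1] LOCAL test rule without classtype [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
Initializing rule chains... (not an alert line, skipped)
"""

if __name__ == "__main__":
    for cls, sids in classification_report(SAMPLE.splitlines()).items():
        print(f"{cls}: {dict(sids)}")
```

If every SID lands under "unclassified" here, the gap is upstream of BASE (rules or snort.conf); if the raw log carries classifications that BASE does not show, the problem is on the BASE side.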
H1t M0nk3y
Hero Member
Posts: 864
« Reply #3 on: December 20, 2010, 08:09:27 PM »

I am not a Snort expert, but here is some good reading from Hakin9: http://hakin9.org/magazine/1576-hakin9-starterkit-snort-exposed
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP