
Calling all Snort Pros!

Lubinski

Newbie

Posts: 26

Joined: Fri Dec 03, 2010 1:34 pm

Post Sat Dec 18, 2010 5:15 pm

Calling all Snort Pros!

I have set up Snort inside a CentOS box. It seems to run fine and outputs to BASE fine, but all of my alerts are of the unclassified type. See attached picture.

The only possibility that I know of / have found is that I am running Snort 2.9.0.2 with 2.9.0.1 rules. But I'm not sure about that. This is my first Snort install.

I have even hit it with Nmap and nothing else shows up.

http://www.flickr.com/photos/lubinski/5272407480/
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sun Dec 19, 2010 6:56 am

Re: Calling all Snort Pros!

I haven't played much with Snort, but have you checked the raw logs which Snort outputs? It could be BASE not interpreting the logs in a correct way, since I assume that the rules haven't changed much from 2.9.0.1 to 2.9.0.2.

Did you try asking this question at: https://forums.snort.org/ ?

There is also a Snort mailing list, to which you can submit emails and get a much more appropriate response as well.

In essence, the problem is most likely located in:
A) BASE - The log parser / interpreter (likely)
B) The Snort rules (unlikely)
C) A setting within Snort, which you did not specify to your needs. (likely)

This is just my random guess at what seems to be most likely wrong.

To resolve problem C, check the user documentation. (It's quite long and well described.)
I'm an InterN0T'er
rdm

Newbie

Posts: 9

Joined: Wed Sep 15, 2010 5:44 pm

Post Mon Dec 20, 2010 8:20 pm

Re: Calling all Snort Pros!

In your snort.conf file do you have all the rules enabled? How do the Snort logs look? When Snort starts it puts a ton of info in the log. Look through it carefully; chances are you will find something there.
GCIH, GCIA, GSNA, CEH, Security+
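The two replies above point at the same two places to look: whether snort.conf actually loads everything (classification.config and the rule files), and whether the rules themselves carry a usable classtype. The script below is an added example, not code from any poster or from the Snort project. It audits constructed snort.conf, classification.config and local.rules text (all of the sample content is made up for the example) and reports the conditions that leave an alert with no classification in BASE: the classification file not being included, rule files commented out, rules with no classtype option, and rules whose classtype is not defined in the loaded classification.config. Function names such as audit and parse_rules are this example's own.

```python
import os
import re

# Constructed sample inputs (not from the thread). The snort.conf has
# classification.config commented out and one rule file disabled.
SNORT_CONF = """\
var RULE_PATH ../rules
#include classification.config
include reference.config
include $RULE_PATH/local.rules
#include $RULE_PATH/scan.rules
"""

CLASSIFICATION_CONF = """\
config classification: attempted-recon,Attempted Information Leak,2
config classification: web-application-attack,Web Application Attack,1
"""

LOCAL_RULES = """\
# properly classified
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; classtype:attempted-recon; sid:1000001; rev:1;)
# no classtype option at all
alert tcp any any -> $HOME_NET 80 (msg:"HTTP GET seen"; content:"GET"; sid:1000002; rev:1;)
# classtype that classification.config does not define
alert tcp any any -> $HOME_NET 22 (msg:"SSH probe"; flags:S; classtype:ssh-probe; sid:1000003; rev:1;)
"""

INCLUDE_RE = re.compile(r"^\s*(#?)\s*include\s+(\S+)")
CLASS_DEF_RE = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)")
RULE_HEAD_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s+\S+\s+.*\((.*)\)\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([\w-]+)")


def parse_includes(conf_text):
    """Split snort.conf include lines into enabled and commented-out paths."""
    enabled, disabled = [], []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            (disabled if m.group(1) == "#" else enabled).append(m.group(2))
    return enabled, disabled


def parse_classifications(text):
    """Collect the classtype names defined by 'config classification:' lines."""
    return {m.group(1) for m in map(CLASS_DEF_RE.match, text.splitlines()) if m}


def parse_rules(text):
    """Return (sid, classtype-or-None) for every active (uncommented) rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_HEAD_RE.match(line)
        if not m:
            continue
        opts = m.group(2)
        sid = SID_RE.search(opts)
        ct = CLASSTYPE_RE.search(opts)
        rules.append((int(sid.group(1)) if sid else None, ct.group(1) if ct else None))
    return rules


def audit(conf_text, classification_text, rules_text):
    """Flag every condition that would leave alerts unclassified in BASE."""
    enabled, disabled = parse_includes(conf_text)
    known = parse_classifications(classification_text)
    class_included = any(os.path.basename(p) == "classification.config" for p in enabled)
    missing, unknown = [], []
    for sid, ct in parse_rules(rules_text):
        if ct is None:
            missing.append(sid)
        elif ct not in known:
            unknown.append((sid, ct))
    return {
        "classification_included": class_included,
        "disabled_rule_files": [p for p in disabled if p.endswith(".rules")],
        "missing_classtype": missing,
        "unknown_classtype": unknown,
    }


if __name__ == "__main__":
    for key, value in audit(SNORT_CONF, CLASSIFICATION_CONF, LOCAL_RULES).items():
        print(f"{key}: {value}")
```

Run against a real install by reading the three files from disk instead of the constructed strings. A report where classification_included is False, or where many sids appear under missing_classtype or unknown_classtype, explains an "all alerts unclassified" BASE view far more directly than a Snort version mismatch would, and the same findings show up as warnings in Snort's own startup log, which is the place rdm suggests reading first.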
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Dec 20, 2010 9:09 pm

Re: Calling all Snort Pros!

I am not a Snort expert, but here is some good reading from Hakin9: http://hakin9.org/magazine/1576-hakin9- ... rt-exposed
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
