Caines n00b
Joined: 11 Apr 2005 Posts: 8
Posted: Mon Apr 11, 2005 2:36 am Post subject: Snort - Alert log file remains empty |
Hi.. I went to several "test my firewall" webpages, did the scans but nothing comes out into /var/log/snort/alert except maybe a few redundant entries in the folders of /var/log/snort/192.168.0.* & 192.168.1.0. I've chown-ed the whole /var/log/snort/ directory. I'm only running snort, no ACID or MySQL as an intrusion detection system. Here is my config.
Quote: | # Config file for /etc/init.d/snort
# This tell snort which interface to listen on (any for every interface)
IFACE=any
# Make sure this matches your IFACE
PIDFILE=/var/run/snort_$IFACE.pid
# You probably don't want to change this, but in case you do
LOGDIR="/var/log/snort"
# Probably not this either
CONF=/etc/snort/snort.conf
# This pulls in the options above
SNORT_OPTS="-A fast -D -s -u snort -dev -i $IFACE -l $LOGDIR -c $CONF" |
Is there another way to test, to force an entry into the alert log file?
Also, although I put a "-D" variable, it runs as a process, not daemon. I could grep it. Is that normal?
Uber noob here for guidance. *bow* |
d_m Guru
Joined: 12 Jun 2003 Posts: 570 Location: Philadelphia, PA, USA
Posted: Mon Apr 11, 2005 5:52 am Post subject: |
Here are some things to check:
1. Are any snort processes running? Try "ps ax | grep snort"
2. Is the service running properly? As root, try "/etc/init.d/snort status" (if it isn't started, use /etc/init.d/snort start to try starting it. To have it start by default, run "rc-update add snort default")
3. Are there any errors in the applicable log files? /var/log/messages and any file in /var/log/snort would be the places to look. _________________ The name that can be named is not the eternal name. |
Caines n00b
Joined: 11 Apr 2005 Posts: 8
Posted: Mon Apr 11, 2005 8:55 am Post subject: |
d_m wrote: | Here are some things to check:
1. Are any snort processes running? Try "ps ax | grep snort" |
Yup, one instance is running.
Quote: | 2. Is the service running properly? As root, try "/etc/init.d/snort status" (if it isn't started, use /etc/init.d/snort start to try starting it. To have it start by default, run "rc-update add snort default") |
It says, status: started.
Quote: | 3. Are there any errors in the applicable log files? /var/log/messages and any file in /var/log/snort would be the places to look. |
Initially, there was a "Permission denied" of /var/log/snort/alert. I've chowned that file to snort:snort. Now there's no error and it says again snort's initialization is successful. What could be wrong? |
d_m Guru
Joined: 12 Jun 2003 Posts: 570 Location: Philadelphia, PA, USA
Posted: Mon Apr 11, 2005 5:19 pm Post subject: |
Well, if snort couldn't read/write its alert file that would obviously be a problem.
Did you change the permissions on the whole /var/log/snort directory? I know snort writes tons of little files in there that it needs.
I would verify all the permissions (probably just "chown -R snort:snort /var/log/snort"), and then restart snort ("/etc/init.d/snort restart"). Then I would do some things that you think should put messages in the log file and check again. _________________ The name that can be named is not the eternal name. |
Caines n00b
Joined: 11 Apr 2005 Posts: 8
Posted: Tue Apr 12, 2005 12:10 pm Post subject: |
I did that and still, nothing happens. Oh well, I guess I don't really need snort for a home computer. It's pretty secured already with a software and hardware firewall?
Thanks for your time though. |
Baya n00b
Joined: 20 May 2013 Posts: 1
Posted: Mon May 20, 2013 12:58 pm Post subject: snort alert |
Hi,
Please can you show me how to add a rule and check if snort does an alert about it! |
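
Added example, not part of any post in this thread: a self-test for the two questions asked above, forcing an entry into the alert log and adding a rule and checking that it alerts. It assumes Snort 2.x and that snort.conf includes the rules file /etc/snort/rules/local.rules (an assumed path); the function names and TEST_SID are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Snort 2.x and that snort.conf
# includes the rules file used below. Function names and TEST_SID are made up.
TEST_SID=1000001            # SIDs >= 1000000 are reserved for local rules

# Append one rule that fires on any ICMP packet (a plain ping triggers it),
# unless a rule with this SID is already in the file.
write_test_rule() {         # $1 = rules file
    grep -q "sid:$TEST_SID;" "$1" 2>/dev/null ||
        printf 'alert icmp any any -> any any (msg:"LOCAL ICMP test"; sid:%s; rev:1;)\n' \
            "$TEST_SID" >> "$1"
}

# Count "-A fast" alert lines for a SID; they contain "[**] [gid:sid:rev] msg [**]".
count_alerts() {            # $1 = alert file, $2 = sid
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c "\[\*\*] \[[0-9]*:$2:[0-9]*]" "$1" || true
}

# Print entries under the log dir not owned by the user given to "snort -u".
not_owned_by() {            # $1 = log dir, $2 = user name or numeric uid
    find "$1" ! -user "$2" -print
}

# Live run (as root): sh snort-selftest.sh live <host-to-ping>
live_check() {              # $1 = host to ping, e.g. your own gateway
    rules=/etc/snort/rules/local.rules              # assumed path
    write_test_rule "$rules"
    snort -T -c /etc/snort/snort.conf || return 1   # -T: validate config and rules
    /etc/init.d/snort restart
    ping -c 3 "$1" >/dev/null
    sleep 2
    bad=$(not_owned_by /var/log/snort snort)
    [ -z "$bad" ] || printf 'not owned by snort:\n%s\n' "$bad"
    echo "alert file hits: $(count_alerts /var/log/snort/alert "$TEST_SID")"
    # SNORT_OPTS in the first post also has -s (alerts to syslog): check there too.
    echo "syslog hits: $(grep -c 'LOCAL ICMP test' /var/log/messages || true)"
}

if [ "${1:-}" = "live" ]; then live_check "${2:?host to ping}"; fi
```

Without arguments the script only defines the functions; the live run needs root because it edits the rules file and restarts the service.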