LinuxQuestions.org
#1  nickbrico, 03-16-2004, 10:22 PM
How can I tell Snort is running and logging alerts?


Hi guys,

I was wondering if anybody can point me in the right direction.

I have a new install of Snort 2.1, sensor, ACID, and SnortCenter running on the same box (Fedora / Red Hat). When the sensor is running I use another box to connect to the ACID console to view alerts, etc.; however, nothing shows up in ACID. No alerts, etc.

When I start snort in /etc/snort I get no error messages; everything seems to run fine. Also, the rule files are in the same directory, /etc/snort.

For some reason the alerts don't get logged in /var/log/snort. I checked the snort.conf file where I make the database connection and all looks good, yet nothing gets logged. HELP

P.S. When I set up a test rule in snort.conf, ACID sees it when I start snort, but the alerts in the default rules don't get logged to /var/log/snort.

Does this make sense?
 
#2  Skunk_Face, 03-18-2004, 02:45 AM
Is there anything in /var/log/messages when you start snort?

Is snort actually running?

What's the output of # ps -ef | grep snort

Did you set the path to the snort rules correctly in snort.conf?

I'm not sure how you log snort alerts... but I used to run snort with logging to MySQL.
 
#3  nickbrico (original poster), 03-18-2004, 04:55 PM
I know snort is running because I have a snortd file in /etc/rc.d/init.d/ that I use to stop/start snort. My snort.conf file points to /etc/snort for the default rules. I also use MySQL to log the alerts.

Here is the output I get when I run # ps -ef | grep snort

root 1932 1 0 15:45 ? 00:00:00 /usr/bin/perl /opt/snortagent/sensor/miniserv.pl /etc/snort/miniserv.conf
root 2574 1 0 16:13 ? 00:00:00 /usr/local/bin/snort -U -o -i eth0 -d -D -c /etc/snort/snort.conf
root 2583 2006 0 16:14 pts/1 00:00:00 grep snort
[root@g6zx snort]#

And my /var/log/snort has these files:

-rw------- 1 root root 0 Mar 18 16:13 alert
-rw-r--r-- 1 root root 808 Mar 18 15:53 miniserv.error
-rw------- 1 root root 833 Mar 18 15:53 miniserv.log
-rw-r--r-- 1 root root 5 Mar 18 15:45 miniserv.pid
-rw------- 1 root root 119291 Mar 18 15:41 tcpdump.log.1079561859


As you can see, the alert log has "0" log and miniserv.error has some errors, but nothing with regard to snort.

I will trace my steps again to see if I missed a step. Thanks a bunch for your help; if you think of anything else, let me know.......Nick B
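The checks asked for in #2 and the evidence posted in #3 can be turned into a small, repeatable health check. The POSIX shell script below is an added example written for this page; it is not code from the thread, from SnortCenter or from the Snort project. It answers three questions from a `ps -ef` listing and a snort.conf: is a real snort process running (the `grep snort` line and the SnortCenter agent `miniserv.pl` must not count as one), which config file did it load (`-c ...`), and do the rule files that config `include`s actually exist once `$RULE_PATH` is substituted. It also lists the configured `output` plugins, because when the only alert output is `output database:` the text file /var/log/snort/alert is not where the alerts go, so a 0-byte alert file is not by itself evidence of a problem. The sample snort.conf, the rule files under a temporary directory and the `ps` listing (modelled on the one posted above) are all constructed for the example; resolving relative `include` paths against the config file's directory is a simplification made here, not a statement about how snort itself resolves them.

```shell
#!/bin/sh
# Added example, not code from the thread or the Snort project: a small
# health check for a Snort 2 sensor. All paths and sample data below are
# constructed for the demonstration.

# Read a "ps -ef" listing on stdin. Succeed, printing the config path given
# with -c, if a real snort process is present. The "grep snort" line and the
# SnortCenter agent (miniserv.pl ... /etc/snort/miniserv.conf) are ignored:
# the pattern requires "snort" to be a whole path component at the end of
# the binary name, followed by whitespace or end of line.
snort_config_from_ps() {
    grep -v 'grep' |
        grep -E '(^|[[:space:]/])snort([[:space:]]|$)' |
        head -n 1 |
        sed -n 's/.*[[:space:]]-c[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        grep .
}

# Print the "output ..." lines of a snort.conf. If none of them is an
# alert_fast / alert_full / alert_syslog style plugin, alerts are sent only
# where the listed plugin (e.g. database) puts them, and the text file
# /var/log/snort/alert is not expected to grow.
output_plugins() {
    sed -n 's/^[[:space:]]*output[[:space:]]*//p' "$1"
}

# Print every rule file a snort.conf includes that is missing on disk.
# "var NAME value" lines are recorded and "$NAME" is substituted in the
# "include" lines. Relative include paths are resolved against the config
# file's directory (an assumption made for this example). Exit status 0
# when every include resolves, 1 otherwise.
missing_rule_files() {
    conf=$1
    missing=$(
        awk -v confdir="$(dirname "$conf")" '
            /^[[:space:]]*var[[:space:]]/ { vars[$2] = $3; next }
            /^[[:space:]]*include[[:space:]]/ {
                path = $2
                for (v in vars) gsub("\\$" v, vars[v], path)
                if (path !~ /^\//) path = confdir "/" path
                print path
            }' "$conf" |
        while IFS= read -r f; do [ -f "$f" ] || printf '%s\n' "$f"; done
    )
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# --- demonstration on a constructed sensor layout ---------------------------
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc/snort"
cat > "$DEMO/etc/snort/snort.conf" <<EOF
var HOME_NET any
var RULE_PATH $DEMO/etc/snort
output database: alert, mysql, user=snort dbname=snort host=localhost
include \$RULE_PATH/local.rules
include \$RULE_PATH/scan.rules
EOF
# One rule that is easy to trigger on purpose (ping the sensor's network).
printf '%s\n' 'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;)' \
    > "$DEMO/etc/snort/local.rules"
# scan.rules is deliberately absent so the check has something to report.

# A constructed "ps -ef" listing in the shape of the one posted in the thread.
PS_LISTING='root 1932 1 0 15:45 ? 00:00:00 /usr/bin/perl /opt/snortagent/sensor/miniserv.pl /etc/snort/miniserv.conf
root 2574 1 0 16:13 ? 00:00:00 /usr/local/bin/snort -U -o -i eth0 -d -D -c /etc/snort/snort.conf
root 2583 2006 0 16:14 pts/1 00:00:00 grep snort'

if cfg=$(printf '%s\n' "$PS_LISTING" | snort_config_from_ps); then
    echo "snort is running with config $cfg"
else
    echo "no snort process found (only the grep / agent lines matched)"
fi
echo "output plugins:"
output_plugins "$DEMO/etc/snort/snort.conf"
if missing_rule_files "$DEMO/etc/snort/snort.conf"; then
    echo "all included rule files exist"
else
    echo "^ rule files listed above are missing; fix RULE_PATH or the include lines"
fi
rm -rf "$DEMO"
```

Run it on the real sensor by piping `ps -ef` into `snort_config_from_ps` and pointing `missing_rule_files` and `output_plugins` at the path it prints. Since the snort in the listing was started with `-D`, its startup messages go to syslog rather than the terminal, which is why /var/log/messages (question #2's first point) is the place to look for a rule file that failed to load. The final confirmation is to generate traffic that matches a rule you know is loaded, such as the ICMP test rule above, and watch the output the config actually names (the database and ACID, in this thread), not the alert text file.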