SNORT-2.9.4 Installed properly but NOT Logging ALERTS
Using snort 2.9.4, daq 2.0.0, snortrules-snapshot-2940.
I have installed Snort, and after installation I run the following:
Code:
sudo snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules
Code:
Finished dumping dynamic rules.
Code:
sudo snort -c /usr/local/snort/etc/snort.conf -T -l /var/log/snort
Code:
Snort successfully validated the configuration!
Code:
/usr/local/snort/bin/snort -i eth0
The snort config file has this line for logging into a unified file:
Code:
output unified2: filename unified.snort.alert, limit 128
Code:
sudo snort -c /usr/local/snort/etc/snort.conf -l /var/log/snort -i eth0
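A check worth doing before asking which rule should fire: with only a unified2 output plugin configured as above, alerts never appear on the terminal (unless Snort is also started with -A console); they go into a binary spool file in the -l directory, named after the configured filename plus a Unix timestamp suffix (unified.snort.alert.<timestamp>), rolled over at the configured limit in megabytes. The reader below is an added example, not code from the thread or from the Snort project: it walks such a file and prints every IDS event record with its generator:signature ID, so you can see whether anything was logged at all and, if so, which gid:sid it was. The record layouts are taken from Snort's Unified2Common.h (big-endian fields); the sample file it builds when run without arguments is constructed here, and SID 1000001 in it is a placeholder from the local-rule range, not a real rule.

```python
"""List the IDS events held in a Snort unified2 spool file.

Added example, not from the original thread. Record layouts follow
Snort's Unified2Common.h; the sample data in build_sample_file() is
constructed here and is not real sensor output.
"""
import socket
import struct
import sys

# Record header: uint32 type, uint32 length (length excludes the header).
HDR = struct.Struct("!II")

# IDS event record types Snort 2.9.x writes, with the struct layout that
# follows the 8-byte header. Field order in every layout:
#   sensor_id, event_id, event_second, event_microsecond, signature_id,
#   generator_id, signature_revision, classification_id, priority_id,
#   ip_source, ip_destination, sport_itype, dport_icode, protocol,
#   impact_flag, impact, blocked [, mpls_label, vlan_id, pad]
EVENT_LAYOUTS = {
    7:   ("!9I4s4sHHBBBB", False),      # UNIFIED2_IDS_EVENT (legacy, IPv4)
    72:  ("!9I16s16sHHBBBB", True),     # UNIFIED2_IDS_EVENT_IPV6
    104: ("!9I4s4sHHBBBBIHH", False),   # UNIFIED2_IDS_EVENT_VLAN (IPv4)
    105: ("!9I16s16sHHBBBBIHH", True),  # UNIFIED2_IDS_EVENT_IPV6_VLAN
}
UNIFIED2_PACKET = 2


def iter_records(data):
    """Yield (type, payload) per record; stop cleanly at a truncated tail."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        off += HDR.size
        if off + rlen > len(data):
            break  # Snort may still be writing this record; skip the partial tail
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_event(rtype, payload):
    """Decode one IDS event record into a dict; None for non-event types."""
    layout = EVENT_LAYOUTS.get(rtype)
    if layout is None:
        return None
    fmt, is_v6 = layout
    st = struct.Struct(fmt)
    if len(payload) < st.size:
        raise ValueError("short event record: type %d, %d bytes" % (rtype, len(payload)))
    f = st.unpack_from(payload)
    fam = socket.AF_INET6 if is_v6 else socket.AF_INET
    return {
        "gid": f[5], "sid": f[4], "rev": f[6],
        "time": f[2], "usec": f[3],
        "src": socket.inet_ntop(fam, f[9]), "dst": socket.inet_ntop(fam, f[10]),
        "sport": f[11], "dport": f[12], "proto": f[13],
        "classification": f[7], "priority": f[8],
    }


def summarize(data):
    """Return (events, counts): decoded events and record-type occurrence counts."""
    events, counts = [], {}
    for rtype, payload in iter_records(data):
        counts[rtype] = counts.get(rtype, 0) + 1
        ev = parse_event(rtype, payload)
        if ev is not None:
            events.append(ev)
    return events, counts


def build_sample_file():
    """Constructed sample: one IPv4 VLAN-type event, then one packet record."""
    ev = struct.pack("!9I4s4sHHBBBBIHH",
                     0, 1, 1357000000, 123456,   # sensor, event_id, sec, usec
                     1000001, 1, 2,              # sid (local-range placeholder), gid, rev
                     3, 2,                       # classification, priority
                     socket.inet_aton("198.51.100.7"), socket.inet_aton("192.0.2.10"),
                     80, 51234, 6, 0, 0, 0,      # sport, dport, proto=TCP, impact_flag, impact, blocked
                     0, 0, 0)                    # mpls_label, vlan_id, pad
    pkt = b"\x00" * 40  # packet record body; this reader only counts it
    return HDR.pack(104, len(ev)) + ev + HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt


def main(argv):
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_file()
    events, counts = summarize(data)
    print("record types seen:", counts)
    for e in events:
        print("[%d:%d:%d] %s:%d -> %s:%d proto=%d prio=%d" % (
            e["gid"], e["sid"], e["rev"], e["src"], e["sport"],
            e["dst"], e["dport"], e["proto"], e["priority"]))
    if not events:
        print("no IDS event records found")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 u2list.py /var/log/snort/unified.snort.alert.<timestamp>` (root or a user in the log directory's group is needed to read the file). If the file exists but holds only packet records or nothing at all, the sensor is up and writing but no rule matched; if no file appears at all, the output plugin or -l directory is the problem, not the rules.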
Well done, a concise but nearly complete post. Only one thing is missing: which rule exactly should your action trip? After all, http://testmyids.com is just a plain (URI) string and nothing else. Most of the time you'll be looking for specific packet payloads, and often in the direction of the Snort sensor. Please post the rule, and if you created the rule yourself, please explain what you derived its filter from, if necessary.
I have made no extra rule. In fact, while googling I found that in order to test your installed Snort you use curl http://testmyids.com; it will generate bad traffic for your PC or IP and Snort will generate an alert. It used to work fine when I last installed SNORT-2.9.3 with snort-rules-snapshot-2931, but now that I have installed SNORT-2.9.4 with snort-rules-snapshot-2940 it is not generating any alerts for traffic from http://testmyids.com.
Quote:
How do I find what changes have been made, and where, since there are many rule files under ../rules? And where can I find the specific rule I am interested in?

'diff -urN /one/dir /other/dir'?
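`diff -urN` between the two snapshot directories answers "what text changed", but for the question above the useful view is per rule: which SIDs disappeared, which were commented out, which got a new revision, and which rule carries a given msg or content string. The script below is an added example, not part of the thread or of the Snort rule distribution: it indexes every *.rules file in two directories by gid:sid (gid defaults to 1 when a rule has no gid option, as Snort does), classifies the differences, and optionally searches the newer set for a substring in msg or content. The two snapshot trees it builds when run without arguments are constructed here, with placeholder SIDs in the local 1000000+ range; pass the real directories (for example the rules directories of snortrules-snapshot-2931 and snortrules-snapshot-2940) to compare actual snapshots.

```python
"""Compare two Snort rule snapshots by gid:sid and search them by string.

Added example, not from the original thread. The sample rule files in
OLD_RULES / NEW_RULES are constructed here; their SIDs are placeholders.
"""
import os
import re
import sys
import tempfile

# A rule line, optionally disabled with a leading '#'; options are inside ( ).
RULE_RE = re.compile(
    r'^\s*(?P<off>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+.*?\((?P<opts>.*)\)\s*$')
# 'name:value;' pairs; value may be a quoted string containing ';'.
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(line):
    """Return a dict for a rule line (enabled or '#'-disabled), else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts, contents = {}, []
    for k, v in OPT_RE.findall(m.group("opts")):
        v = v.strip().strip('"')
        if k == "content":
            contents.append(v)      # a rule may carry several content options
        else:
            opts.setdefault(k, v)
    if "sid" not in opts:
        return None
    return {
        "gid": int(opts.get("gid", "1")),   # Snort's default generator id
        "sid": int(opts["sid"]),
        "rev": int(opts.get("rev", "0")),
        "msg": opts.get("msg", ""),
        "contents": contents,
        "enabled": m.group("off") is None,
    }


def index_rules(root):
    """Map (gid, sid) -> rule dict for every *.rules file under root."""
    idx = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".rules"):
                continue
            with open(os.path.join(dirpath, name), errors="replace") as fh:
                for line in fh:
                    r = parse_rule(line)
                    if r:
                        r["file"] = name
                        idx[(r["gid"], r["sid"])] = r
    return idx


def compare(old, new):
    """Classify every SID as removed, added, disabled, enabled or revised."""
    out = {"removed": [], "added": [], "disabled": [], "enabled": [], "revised": []}
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key), new.get(key)
        if o and not n:
            out["removed"].append(key)
        elif n and not o:
            out["added"].append(key)
        else:
            if o["enabled"] and not n["enabled"]:
                out["disabled"].append(key)
            elif n["enabled"] and not o["enabled"]:
                out["enabled"].append(key)
            if o["rev"] != n["rev"]:
                out["revised"].append(key)
    return out


def find(idx, needle):
    """SIDs whose msg or any content option contains needle (case-insensitive)."""
    needle = needle.lower()
    return sorted(k for k, r in idx.items()
                  if needle in r["msg"].lower()
                  or any(needle in c.lower() for c in r["contents"]))


# Constructed sample snapshots: sid 1000001 is disabled and revised in the
# new set, 1000003 is dropped, 1000004 is new.
OLD_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE nop sled"; content:"|90 90 90 90|"; classtype:shellcode-detect; sid:1000001; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh banner"; flow:to_client; content:"SSH-"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"SAMPLE dns txt query"; content:"|00 10 00 01|"; sid:1000003; rev:2;)
"""
NEW_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE nop sled"; content:"|90 90 90 90|"; classtype:shellcode-detect; sid:1000001; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh banner"; flow:to_client; content:"SSH-"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"SAMPLE dns any query"; content:"|00 ff 00 01|"; sid:1000004; rev:1;)
"""


def build_sample_trees():
    """Write the constructed snapshots to two temp dirs; return their paths."""
    old = tempfile.mkdtemp(prefix="rules-old-")
    new = tempfile.mkdtemp(prefix="rules-new-")
    with open(os.path.join(old, "sample.rules"), "w") as fh:
        fh.write(OLD_RULES)
    with open(os.path.join(new, "sample.rules"), "w") as fh:
        fh.write(NEW_RULES)
    return old, new


def main(argv):
    old_dir, new_dir = argv[1:3] if len(argv) >= 3 else build_sample_trees()
    old, new = index_rules(old_dir), index_rules(new_dir)
    for kind, keys in compare(old, new).items():
        for gid, sid in keys:
            r = new.get((gid, sid)) or old[(gid, sid)]
            print("%-8s %d:%d %s (%s)" % (kind, gid, sid, r["msg"], r["file"]))
    if len(argv) > 3:
        for gid, sid in find(new, argv[3]):
            print("match    %d:%d %s" % (gid, sid, new[(gid, sid)]["msg"]))


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `python3 rulediff.py /path/to/old/rules /path/to/new/rules [search-string]`. A rule that fired under the old snapshot and is now listed as disabled or removed explains a missing alert without any change on the sensor side; also check that the file it lives in is still named in an `include` line of snort.conf, which this script does not do.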