From owner-freebsd-security Fri Jul 12 4: 6:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A3B1537B400 for ; Fri, 12 Jul 2002 04:06:23 -0700 (PDT)
Received: from mx6.mail.ru (mx6.mail.ru [194.67.57.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9764F43E31 for ; Fri, 12 Jul 2002 04:06:22 -0700 (PDT) (envelope-from h-k@mail.ru)
Received: from [194.84.56.194] (helo=elimar) by mx6.mail.ru with esmtp (Exim SMTP.6) id 17SyFh-000Dmp-00 for freebsd-security@FreeBSD.ORG; Fri, 12 Jul 2002 15:06:21 +0400
Date: Fri, 12 Jul 2002 15:07:09 +0400
From: dawnshade
X-Mailer: The Bat! (v1.60m)
Reply-To: dawnshade
X-Priority: 3 (Normal)
Message-ID: <173572106055.20020712150709@mail.ru>
To: freebsd-security@FreeBSD.ORG
Subject: Re[2]: Snort problem.
In-Reply-To: <20020712102548.GH21554@brel.com>
References: <60550254524.20020712090257@mail.ru> <20020712053845.GA89208@i-sphere.com> <29552793875.20020712094517@mail.ru> <1026465184.3d2e9da02c762@webmail.sambolian.net.nz> <108568184025.20020712140147@mail.ru> <20020712102548.GH21554@brel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello Calvin,

Friday, July 12, 2002, 2:25:48 PM, you wrote:

CN> Greetings,
CN> I am assuming we are not talking about a switched network here.
CN> And that the listen interface (cp0) can actually see all traffic.
CN> run it in tcpdump mode, and see that it really is collecting
CN> network data.
CN> or, deliberately run a probe/scan against host mx and see if
CN> snort generates an alert.
CN> Regards,
CN> /calvin

:>> >> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
:>> >> >> I have a little problem:
:>> >> >> install, configure snort (1.8.6 (Build 105)).
:>> >> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full
:>> >> -d -D -l /usr/log/snort
:>> >> >>
:>> >> >> But the snort does nothing: not log or alert scans, portscans,
:>> >> >> etc....
:>> >> >>
:>> >> >> thank all for advance.
:>> >> >>
:>> >> >>
:>> >>
:>> Yes, interface cp0 - external.

BUT: snort analyzed 0 packets!!!!! Why???

su-2.05a# snort -v
Log directory = /var/log/snort
Initializing Network Interface cp0

        --== Initializing Snort ==--
Decoding PPP on interface cp0

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.7 (Build 128)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
^C
===============================================================================
Snort analyzed 0 out of 1476 packets, The kernel dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Snort received signal 2, exiting

--
Best regards,
 dawnshade                            mailto:h-k@mail.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
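Added example, not code from the thread: the exit summary that Snort 1.8.x prints on SIGINT (the block pasted above) is the quickest place to see that a sensor is receiving frames but not decoding any of them, which is exactly the "analyzed 0 out of 1476" condition reported here. The script below parses that summary into counters and runs a small health check over it, so the condition can be caught by a cron job or a monitoring hook instead of by eye. The first sample summary is the one from the message above; the second "healthy" summary, the function names and the wording of the findings are constructed for this example and are an assumption, not the thread's conclusion about the cause.

```python
import re

# Constructed sample 1: the summary pasted in the message above (Snort 1.8.7, cp0).
SAMPLE_SUMMARY = """\
Snort analyzed 0 out of 1476 packets, The kernel dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
"""

# Constructed sample 2: what a sensor that is actually decoding traffic looks like
# (invented numbers in the same layout, used only to show the check passing).
HEALTHY_SUMMARY = """\
Snort analyzed 1476 out of 1476 packets, The kernel dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 1200       (81.301%)         ALERTS: 3
    UDP: 250        (16.938%)         LOGGED: 3
   ICMP: 26         (1.762%)          PASSED: 0
===============================================================================
"""

_HEADLINE = re.compile(
    r"Snort analyzed (\d+) out of (\d+) packets,\s*The kernel dropped (\d+)"
)
# Protocol and action columns share lines, so scan every "NAME: n" pair instead
# of assuming one counter per line.
_COUNTER = re.compile(r"\b(TCP|UDP|ICMP|ARP|IPv6|IPX|OTHER|DISCARD|ALERTS|LOGGED|PASSED):\s*(\d+)")

PROTOCOLS = ("tcp", "udp", "icmp", "arp", "ipv6", "ipx", "other", "discard")


def parse_snort_summary(text):
    """Turn the Snort 1.8.x run summary into a dict of integer counters."""
    m = _HEADLINE.search(text)
    if m is None:
        raise ValueError("no 'Snort analyzed N out of M packets' headline found")
    stats = {
        "analyzed": int(m.group(1)),
        "received": int(m.group(2)),
        "dropped": int(m.group(3)),
    }
    for name, value in _COUNTER.findall(text):
        stats[name.lower()] = int(value)
    return stats


def sensor_health(stats, max_drop_ratio=0.05):
    """Return a list of findings; an empty list means the sensor looks alive."""
    findings = []
    if stats["received"] == 0:
        findings.append("no packets reached Snort: check the capture interface")
    elif stats["analyzed"] == 0:
        # The case from the thread: frames arrive but none are decoded, so no rule
        # can ever fire. Compare with tcpdump on the same interface (Calvin's check).
        findings.append(
            "received %d packets but analyzed 0: frames reach Snort but are not "
            "decoded; verify with tcpdump on the same interface" % stats["received"]
        )
    if stats["received"] and stats["dropped"] / stats["received"] > max_drop_ratio:
        findings.append("kernel dropped %d of %d packets" % (stats["dropped"], stats["received"]))
    decoded = sum(stats.get(p, 0) for p in PROTOCOLS)
    if stats["analyzed"] > 0 and decoded == 0:
        findings.append("analyzed packets but every protocol counter is zero: summary inconsistent")
    return findings


if __name__ == "__main__":
    for label, text in (("thread sample", SAMPLE_SUMMARY), ("healthy sample", HEALTHY_SUMMARY)):
        problems = sensor_health(parse_snort_summary(text))
        print(label + ":", problems or "OK")
```

Feed it the tail of Snort's stdout (or the part of the syslog where the summary lands) after stopping the daemon; a non-empty finding list is a reason not to trust the absence of alerts.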