Subject: [Snort-users] snort not logging detail expected
From: Mike_Cudmore@scee.net
Date: Mon Nov 06 2000 - 12:12:10 CST


Hi,

I have a new installation of snort (1.6.3 patch 2) running on Debian Linux
with the rules file 10102k.rules from snort.org.

/usr/sbin/snort -D -S HOME_NET=43.194.201.0/24 -h 43.194.201.0/24 -c /etc/snort/snort-lib -A full -t /var/log/snort -u snort -g snort -s -i eth0

I have trouble getting the hierarchical listing as described on the
linuxsecurity site

e.g.

# The /var/log/snort directory contains a hierarchical listing with each host having its own directory, beneath which is a
# file detailing the information that makes up the intrusion attempt. For example:

# [root@krypton ~]# cd /var/log/snort
# [root@krypton snort]# find 192.168.200.189
# 192.168.100.189
# 192.168.100.189/ICMP_ECHO
# 192.168.100.189/ICMP_PORT_UNRCH
# 192.168.100.189/TCP:57554-32771
# 192.168.100.189/TCP:57555-32771
# [root@krypton ~]#

but I do get log messages in e.g. /var/log/auth.log

drwxr-xr-x 4 root root 4096 Nov 6 17:20 ./
drwxr-xr-x 14 root root 4096 Oct 23 12:09 ../
-rw-r----- 1 root adm 109121 Nov 6 17:29 auth.log
-rw-rw---- 1 root utmp 384 Nov 2 12:42 btmp
-rw-rw---- 1 root utmp 3840 Oct 31 16:31 btmp.1
-rw-r--r-- 1 root root 16943 Nov 6 17:25 cron.log
-rw-r--r-- 1 root root 4097 Nov 6 17:29 daemon.log
-rw-r--r-- 1 root root 67533 Nov 6 17:29 err.log
-rw-r--r-- 1 root root 24024 Nov 2 13:29 faillog
-rw-r--r-- 1 root root 62499 Nov 6 17:29 info.log
-rw-r--r-- 1 root root 91772 Nov 6 17:59 kern.log
drwxr-xr-x 2 root root 4096 Nov 6 17:25 ksymoops/
-rw-rw-r-- 1 root utmp 292292 Nov 6 17:27 lastlog
-rw-r--r-- 1 root root 13253 Nov 6 17:25 mail.log
-rw-r--r-- 1 root root 93251 Nov 6 17:59 messages.log
-rw------- 1 root root 0 Oct 31 18:41 portscan.log
drwxr-sr-- 2 snort snort 4096 Nov 6 17:58 snort/
-rw------- 1 root root 2029522 Nov 6 17:20 snort_portscan.log
-rw-r--r-- 1 root root 0 Oct 23 11:32 ssh.log
-rw-r--r-- 1 root root 1499 Nov 6 17:25 syslog.log
-rw-r--r-- 1 root root 131 Oct 25 18:17 user.log
-rw-r--r-- 1 root root 43476 Nov 6 17:25 warning.log
-rw-rw---- 1 root utmp 98304 Nov 6 17:27 wtmp
-rw-rw-r-- 1 root utmp 124800 Nov 1 20:46 wtmp.1

Any thoughts on how to get the detailed logging?

thanks

Mike Cudmore
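An added example, not part of the post above: a small POSIX sh helper that reads a snort 1.x command line and reports where log files will actually be written on the host. It assumes the snort 1.x option semantics from its usage text (-l <dir> is the log directory, default /var/log/snort; -t <dir> chroots snort after initialisation and is not a log directory; -s sends alert messages to syslog). Run against the command line from the post, it shows that -t is a chroot, so the default log directory is resolved inside that chroot rather than at /var/log/snort itself.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed snort 1.x semantics:
#   -l <dir>  log directory (default /var/log/snort)
#   -t <dir>  chroot to <dir> after initialisation (NOT a log directory)
#   -s        send alert messages to syslog
# Prints the log directory as seen from the host filesystem.
snort_effective_log_dir() {
    logdir=/var/log/snort
    chroot=
    while [ $# -gt 0 ]; do
        case "$1" in
            -l) logdir=$2; shift ;;
            -t) chroot=$2; shift ;;
            # other snort 1.x options that take an argument: skip the argument
            -A|-S|-h|-c|-u|-g|-i|-F|-r) shift ;;
        esac
        shift
    done
    # Inside a chroot every path is resolved against the new root, so the
    # directory snort writes to is <chroot><logdir> from the host's view.
    if [ -n "$chroot" ]; then
        printf '%s%s\n' "${chroot%/}" "$logdir"
    else
        printf '%s\n' "$logdir"
    fi
}

# Reports whether -s (alerts to syslog) is present; explains alerts that
# show up in the syslog-managed files instead of the per-host directories.
snort_alerts_to_syslog() {
    for a in "$@"; do
        if [ "$a" = -s ]; then echo yes; return 0; fi
    done
    echo no
}

# The command line from the post, with -t but no -l.
snort_effective_log_dir -D -S HOME_NET=43.194.201.0/24 -h 43.194.201.0/24 \
    -c /etc/snort/snort-lib -A full -t /var/log/snort -u snort -g snort -s -i eth0
# Same command with -l instead of -t: logs land in /var/log/snort on the host.
snort_effective_log_dir -D -S HOME_NET=43.194.201.0/24 -h 43.194.201.0/24 \
    -c /etc/snort/snort-lib -A full -l /var/log/snort -u snort -g snort -s -i eth0
```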

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users