From: Alain (alainonesite.org)
Date: Wed Jun 13 2001 - 14:00:49 CDT


    Hi,

    Here is the content of /var/log/snort:

    20:05:45 root /var/log/snort #ls -l
    total 1592
    -rw------- 1 snort snort 988 May 26 16:44 05261624-snort.log
    -rw------- 1 root root 24 May 26 19:38 05261938-snort.log
    -rw------- 1 root root 24 May 26 19:39 05261939-snort.log
    -rw------- 1 root root 24 Jun 1 20:03 06012003-snort.log
    -rw------- 1 root root 268 Jun 1 20:07 06012005-snort.log
    -rw------- 1 root root 24 Jun 1 20:08 06012008-snort.log
    -rw------- 1 root root 24 Jun 1 20:11 06012011-snort.log
    -rw------- 1 root root 268 Jun 1 20:28 06012027-snort.log
    -rw------- 1 root root 1587939 Jun 13 19:35 06090109-snort.log
    -rw------- 1 snort snort 0 May 26 16:23 alert
    -rw------- 1 snort snort 0 May 26 16:23 portscan.log
    -rw------- 1 snort snort 24 May 26 16:24 snort-05261623.log

    Snort is now running as root:
    20:05:47 root /var/log/snort #ps -eaf | grep snort
    root 29893 1 0 Jun09 ? 00:00:32 snort -c /etc/snort/snort.conf -D

    Why is there nothing in the file alert?

    I'm using the default configuration for Snort 1.6, installed from source on
    Linux Debian 2.2.

    The number of rows in each table of the MySQL database is:

    data 13911
    detail 2
    encoding 3
    event 13935
    icmphdr 13906
    iphdr 13935
    opt 96
    sensor 1
    tcphdr 24
    udphdr 5

    The kinds of events are:

    mysql> select distinct signature from event ;
    +--------------------------------------------------------------------------+
    | signature                                                                |
    +--------------------------------------------------------------------------+
    | ICMP Destination Unreachable (Communication Administratively Prohibited) |
    | ICMP Destination Unreachable (Host Unreachable)                          |
    | ICMP Destination Unreachable (Port Unreachable)                          |
    | ICMP Echo Reply                                                          |
    | ICMP Echo Request                                                        |
    | ICMP Echo Request BSDtype                                                |
    | ICMP Echo Request Windows                                                |
    | ICMP Time-To-Live Exceeded in Transit                                    |
    | ICMP traceroute                                                          |
    | MISC source port 53 to <1024                                             |
    | RPC portmap request rstatd                                               |
    | SCAN Proxy attempt                                                       |
    +--------------------------------------------------------------------------+
    13 rows in set (0.54 sec)

    I didn't find an answer to this question in the manuals: how can I get
    some more information from this data?

    Thanks,
    Alain

    _______________________________________________
    Snort-users mailing list
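The questions Alain asks of his 13,935 events (which signatures dominate, who is sending them, whether the ICMP volume is one host or background noise) can be answered directly in MySQL. The queries below are an added example, not part of the post; they assume the column names of the Snort 1.6 database output plugin schema (event and iphdr/icmphdr joined on sid and cid, event.timestamp, addresses stored as unsigned integers in ip_src/ip_dst, icmphdr.icmp_type), which should be checked with DESCRIBE before use.

```sql
-- Added example, not from the original post. Assumed schema (Snort 1.6 MySQL
-- output plugin): event(sid, cid, signature, timestamp), iphdr(sid, cid,
-- ip_src, ip_dst) with addresses as unsigned integers, icmphdr(sid, cid,
-- icmp_type, icmp_code). Confirm with DESCRIBE event; DESCRIBE iphdr; first.

-- 1. How many events of each kind were logged, and over what period?
SELECT signature, COUNT(*) AS hits,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
FROM event
GROUP BY signature
ORDER BY hits DESC;

-- 2. Source and destination of the non-ICMP events (the 29 TCP/UDP rows:
--    source port 53, rstatd portmap requests, proxy scan attempts), which
--    are the ones worth reviewing individually.
SELECT e.signature, INET_NTOA(i.ip_src) AS src, INET_NTOA(i.ip_dst) AS dst,
       COUNT(*) AS hits
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE e.signature NOT LIKE 'ICMP%'
GROUP BY e.signature, i.ip_src, i.ip_dst
ORDER BY hits DESC;

-- 3. Top ICMP talkers by type: is one host flooding the sensor, or is the
--    ~13,900-event ICMP volume spread across many sources (i.e. noise that
--    the ICMP rules could be tuned down)?
SELECT INET_NTOA(i.ip_src) AS src, c.icmp_type, COUNT(*) AS hits
FROM event e
JOIN iphdr i   ON i.sid = e.sid AND i.cid = e.cid
JOIN icmphdr c ON c.sid = e.sid AND c.cid = e.cid
GROUP BY i.ip_src, c.icmp_type
ORDER BY hits DESC
LIMIT 20;
```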