3. Snort not working?

Snort not working?

  • B

    I have snort installed and with almost all of the rules turned on except for chat and p2p.  It shows as running in the gui, and I see the process in top.  But I'm not getting any alerts or blocks.  I find this hard to believe, as when I was previously running snort, I was getting at least a couple hits a day.

    Is there something in the setup I need to change or check?  How can I tell it's working correctly?

    0
  • L

    What interface is it running on?

    0
  • B

    @LostInIgnorance:

    What interface is it running on?

    WAN

    0
  • L

    Can you give a bit of info about your network setup? (asci/paint diagram would be nice)

    0
  • B

    Not to be difficult, but what does that have to do with snort picking up things from the internet?

    0
  • L

    If you have something before the pfsense, sometimes the modems associated with dsl/cable have firewalls naturally enabled on them.

    0
  • B

    @LostInIgnorance:

    If you have something before the pfsense, sometimes the modems associated with dsl/cable have firewalls naturally enabled on them.

    Just the same Moto 6120 I've been running previously.

    0
  • M

    I have the same issue… I may just build the damn thing by hand... it seems that it doesn't pick up EXTERNAL and INTERNAL net...

    0
  • J

    @mantic:

    I have the same issue… I may just build the damn thing by hand... it seems that it doesn't pick up EXTERNAL and INTERNAL net...

    @mantic

    Do us a favor.

    Post you system spec, network map and any setting that might affect snort.

    Rob

    0
  • B

    So, I went to GRC and did a port scan on my ip.  Still nothing from Snort.  I'm beginning to wonder if it's even running.

    What can I look at in order to tell if things are working correctly?

    0
  • _

    when snort starts up, it fills the whole systemlog with messages. The last ones should be like this:

    snort[62829]: Snort initialization completed successfully (pid=62829)
Mar 25 00:02:18	snort[62829]: Snort initialization completed successfully (pid=62829)
Mar 25 00:02:18	snort[62829]: --== Initialization Complete ==--
Mar 25 00:02:18	snort[62829]: --== Initialization Complete ==--
    0
  • B

    Yeah, it turned out I had to turn on the preprocessors.

    BTW, it lists an option for collecting performance statistics, but I couldn't find where they're collected.  Any ideas?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy