Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo
I accidentally posted this under General discussion instead of here.
I have a fresh install of Snort 18.104.22.168 with Mysql, Barnyard, Base 1.4.1, and Ntop running on CentOS5.2. I have snort up and running with 2 NICs Eth3-monitoring and Eth1-sniffing and have followed the testing procedure posted by Juergen Leising on 2008-6-26, which is listed below(modified):
1. Can snort detect anything ? I ran snort -vde -i eth1 -n 50
packets received on screen.
2. Is snort.conf syntactically correct? I ran snort -T -cc /etc/snort
Snort successfully loaded all rules and rule chains.
3. Can snort qualify some of the observed data as alerts?
I ran snort in ids mode: snort -vde -i eth1 -L snort.pcap -c /etc/snort.conf -n 100
Data received on screen
4. Does snort trigger any alerts at all?
looked in /var/log/messages
Alerts are posting and barnyard is processing them
5. Is the database syntactically ok? I ran mysqlcheck --check snort -u snort -p
All checked ok
6. Do any packets show up in mysql database?
mysql> select * from event where timeswtamp like '%2009-03-26%';
The responce was 1663 rows in 1 set (Data is present)
The Base webpage is up and wants to be active but it appears to not be reading the data on sensor my Sensor/Total is 0/0
all data on main homepage is 0. I would like to get this up and running any assistance would be appreciated.
Issue was resolved all programs are go
I'm having a very similar problem with a sensor I just set up. What was the issue for you?
I have the same problem, posted at http://www.snort.org/reg-bin/forums.cgi?forum_id=10&topic_id=7258
Surely, if you type "select * from snort.sensor;" at mysql console, you obtain:
Empty set (0.00 sec)
while "select * from snort.event;" reports a number of alerts;
I'm not an expert but i think here is the problem. I've thought to insert manually the row in sensor table but i don't know what's the syntax and the correct values. Also i'm sure there must be a problem here because inserting that row manually doesn't appear in snort docs.
If anybody solve this problem please post the solution....
Thanks in advance
I could not figure it out. I ended up rebuilding my box again but focused on using i386 verdion software insetead of i686 and that brought up the missing sensor. Dont figure?
But it is up and tunning.
I hope this helps
Check out the Snort mailing list. There is a bug in Snort 2.8.4
Thanks Stephen, that calmed my minds....
Thanks. This was the 5th box I'd set up, and all were identical, except that I started with 2.8.4 on the new one. I'll monitor the mailing list for an official patch.