From: Ritter, N. <Nic...@am...> - 2010-04-01 17:00:02
Did you look in the SIEM part of the OSSIM interface? OSSIM might not alarm, but it should have recorded a snort event in the SIEM interface. I am not positive the rule you created is ok, but it is redundant because OSSIM's default snort rule set will see ICMP traffic. I don't know which ISO you used to do the OSSIM install, but I would suggest that you make sure OSSIM is fully up to date with the following commands:

apt-get update
apt-get dist-upgrade

Or

ossim-update

Nick

-----Original Message-----
From: Kaushal Shriyan [mailto:kau...@gm...]
Sent: Thursday, April 01, 2010 11:48 AM
To: os-...@li...
Subject: [Os-sim-support] snort on ossim

Hi,

I am testing snort on ossim. I have added a basic rule under /etc/snort/rules/local.rules and restarted the snort daemon server.

alert icmp any any -> 192.168.1.1 any (sid:1000000; rev:1; msg: "Oh snap it's a ping";)

From the client host I did ping 192.168.1.1 but I could not see any events or alert under snort logs. Also on the OSSIM Admin web interface I could not see any events.

Under /var/log/snort/ I don't see anything:

-rw-r----- 1 snort adm 0 2010-03-17 19:38 snort_eth1.1268879936
-rw-r----- 1 snort adm 0 2010-03-18 00:33 snort_eth1.1268897623
-rw-r----- 1 snort adm 0 2010-03-18 00:35 snort_eth1.1268897717
-rw-r----- 1 snort adm 0 2010-03-23 00:46 snort_eth1.1269330408
-rw-r----- 1 snort adm 0 2010-03-23 04:32 snort_eth1.1269343945
-rw-r----- 1 snort adm 0 2010-03-23 04:38 snort_eth1.1269344305
-rw-r----- 1 snort adm 0 2010-03-23 04:42 snort_eth1.1269344567
-rw-r----- 1 snort adm 0 2010-03-24 00:42 snort_eth1.1269416522
-rw-r----- 1 snort adm 0 2010-04-01 08:47 snort_eth1.1270136823

Please suggest/guide.

Thanks and Regards,
Kaushal
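As an added example that is not part of this thread (my own script, not OSSIM or Snort code), here is a small Python checker for lines in local.rules like the rule Kaushal posted: it parses the rule header and the options block (keeping semicolons inside a quoted msg intact) and flags common defects in a local rule, namely a missing sid, rev or msg option, a sid below 1000000 (the range Snort assigns to local rules), and a port other than any on an icmp rule, which has no port concept. It does not check that local.rules is included from snort.conf or that the sensor interface actually sees the traffic; those are the other things to verify.

```python
import re
# Snort rule layout: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$")
LOCAL_SID_MIN = 1000000  # sids below this are reserved for distributed rule sets

def split_options(text):
    """Split the options block on ';' characters that are not inside double quotes."""
    parts, buf, in_quote = [], "", False
    for ch in text:
        in_quote ^= (ch == '"')
        if ch == ";" and not in_quote:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return [p.strip() for p in parts + [buf] if p.strip()]

def parse_rule(line):
    """Return the header fields plus an 'options' dict, or None if it is not a rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule["options"] = dict((k.strip(), v.strip().strip('"')) for k, _, v in
                           (o.partition(":") for o in split_options(rule.pop("opts"))))
    return rule

def check_rule(line):
    """Return a list of problems with one rule; an empty list means it looks sane."""
    rule = parse_rule(line)
    if rule is None:
        return ["cannot parse rule header/options"]
    opts = rule["options"]
    problems = ["missing %s option" % k for k in ("msg", "sid", "rev") if k not in opts]
    sid = opts.get("sid", "")
    if sid and (not sid.isdigit() or int(sid) < LOCAL_SID_MIN):
        problems.append("sid %s is below %d, the range for local rules" % (sid, LOCAL_SID_MIN))
    if rule["proto"] == "icmp" and (rule["sport"], rule["dport"]) != ("any", "any"):
        problems.append("icmp has no ports; both port fields should be 'any'")
    return problems

# Constructed sample: the rule from the thread plus two defective variants.
SAMPLE_RULES = [
    'alert icmp any any -> 192.168.1.1 any (sid:1000000; rev:1; msg: "Oh snap it\'s a ping";)',
    'alert icmp any any -> 192.168.1.1 8 (sid:100; msg:"ping; low sid and a port";)',
    'alert tcp any any -> 192.168.1.1 22 (msg:"no sid at all";)',
]
```

This only inspects the rule text; have Snort itself validate the full configuration with snort -T -c /etc/snort/snort.conf, and confirm in the output that local.rules was loaded.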