From: Ritter, N. <Nic...@am...> - 2010-04-01 18:41:15
Are you sure the eth interface that snort is listening on is on a switch port that should see the traffic you are interested in (i.e., that it is a mirror port)? Also, is the eth interface in promiscuous mode? (Do an "ifconfig" and look for the "PROMISC" keyword.)

Nick

-----Original Message-----
From: Kaushal Shriyan [mailto:kau...@gm...]
Sent: Thursday, April 01, 2010 12:33 PM
To: Ritter, Nicholas
Cc: os-...@li...
Subject: Re: [Os-sim-support] snort on ossim

On Thu, Apr 1, 2010 at 10:29 PM, Ritter, Nicholas <Nic...@am...> wrote:
> Did you look in the SIEM part of the OSSIM interface? OSSIM might not
> alarm, but it should have recorded a snort event in the SIEM interface.
> I am not positive the rule you created is ok, but it is redundant
> because OSSIM's default snort rule set will see ICMP traffic.
>
> I don't know which ISO you used to do the OSSIM install, but I would
> suggest that you make sure OSSIM is fully up to date with the following
> commands:
>
> apt-get update
> apt-get dist-upgrade
>
> Or
>
> ossim-update

Hi Ritter,

I did follow your suggestion and ran apt-get update, apt-get dist-upgrade, and ossim-update, and tried the same exercise. I could not see any events or alarms under Analysis -> SIEM -> Events.

Please further suggest.

Thanks and Regards
Kaushal
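The interface check Nick describes (is the sniffing interface up, and does it carry the PROMISC flag), as an added shell example that is not part of the thread. It reads the flag list that iproute2's `ip -o link show dev IFACE` prints rather than ifconfig, since the PROMISC keyword appears in the same form in both; the interface name eth1 and the sample output lines are constructed for the example, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Decide whether a Snort capture interface is usable for sniffing from the
# flag list printed by "ip -o link show dev IFACE", e.g.
#   3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...
# Interface name and sample lines below are assumptions for the example.

# flags_from_link_line LINE -> prints the comma-separated list between < and >
flags_from_link_line() {
    printf '%s\n' "$1" | sed -n 's/^[^<]*<\([^>]*\)>.*$/\1/p'
}

# has_flag FLAGLIST FLAG -> exit 0 when FLAG is one whole entry of the list.
# Wrapping in commas keeps "UP" from matching inside "LOWER_UP".
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# sniff_status LINE -> prints ok | not-up | not-promisc | not-up-not-promisc
sniff_status() {
    flags=$(flags_from_link_line "$1")
    up=1; promisc=1
    has_flag "$flags" UP && up=0
    has_flag "$flags" PROMISC && promisc=0
    if [ "$up" -eq 0 ] && [ "$promisc" -eq 0 ]; then
        echo ok
    elif [ "$up" -eq 0 ]; then
        echo not-promisc
    elif [ "$promisc" -eq 0 ]; then
        echo not-up
    else
        echo not-up-not-promisc
    fi
}

# check_iface IFACE -> same verdict for a live interface (needs iproute2)
check_iface() {
    line=$(ip -o link show dev "$1" 2>/dev/null) || {
        echo "no such interface: $1"
        return 2
    }
    sniff_status "$line"
}

# Constructed sample lines (not captured from the poster's OSSIM box).
SAMPLE_OK='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_NOPROMISC='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000'
SAMPLE_DOWN='3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000'

# Usage: sh check_sniff_iface.sh eth1
if [ -n "${1:-}" ]; then
    check_iface "$1"
fi
```

A verdict of `not-promisc` on a mirror-port interface is worth chasing: Snort opens its capture interface in promiscuous mode unless started with `-p`, so the flag being absent usually means the sensor is not actually listening on that interface. The flag can be forced on with `ip link set dev eth1 promisc on` (or `ifconfig eth1 promisc`), but that only helps if the switch port really is mirroring the traffic, which is the first of Nick's two questions and cannot be checked from the sensor alone.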