
Snort Messages may not be Telling Me Much.



	I've got snort installed and running on Debian 3.0.  It runs
fine but I never get anything in the report emails that I receive
each day.  The messages have a suspiciously empty look to them, like a
form that should be filled in but isn't.  I have run snort in the past
in a fully-capturing mode and there is all kinds of the usual monkey
business going on out there, so I know that in 3 months I should have
seen something.  After 92 days, every single message looks like the
following example:

(Message inbox:152)

From:    root <root@systemname>
Subject: [SNORT] systemname daily report

The log begins from:   ::
The log ends     at:   ::
Total events: 0
Signatures recorded: 0
Source IP recorded: 0
Destination IP recorded: 0


The number of attacks from same host to same
destination using same method
=========================================================================
  # of
 attacks  from              to                method
=========================================================================


Percentage and number of attacks from a host to a
destination
============================================================
        #  of
  %    attacks   from              to                
============================================================


Percentage and number of attacks from one host to any
with same method
==============================================================
        #  of
  %    attacks   from              method
==============================================================


Percentage and number of attacks to one certain host 
=================================================================
        #  of
  %    attacks   to                method
=================================================================


The distribution of attack methods
===============================================
        #  of
  %    attacks   method
===============================================

End of example ---------------------------------------------------

	I installed snort by using dselect and it is looking for all
the standard attack signatures that come with the distribution.  I
certainly don't want trouble, but I think I am missing activity that
is going on.  The network it is sniffing is the correct network for my
installation and, in the past, I saw traffic when using that
definition so I am not sure what is going on.

	Any constructive ideas are welcome.

	By the way, this particular message is not coming from
the system in question.

Martin McCormick WB5AGZ  Stillwater, OK 
OSU Information Technology Division Network Operations Group
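An all-zero report like the one above can mean either that nothing was logged or that the report script is reading a file it cannot parse. The following is an added example, not code from the original post or from the Debian snort packages: it parses a Snort alert log in the one-line "fast" alert format (an assumption; the post does not say which output format is configured), reproduces the aggregates the daily report shows (total events, signatures, source and destination counts, attacks per source/destination/method), and classifies the log as missing, empty, unparseable, or populated. The sample alert lines and the file path are constructed for the example.

```python
"""Sanity-check a Snort alert log against an all-zero daily report.

Added example (not the poster's or the distribution's code). Assumes the
alert file is in Snort's one-line "fast" format.
"""
import os
import re
from collections import Counter

# Constructed sample alert lines (fast format). Addresses are from the
# RFC 5737 documentation ranges; none of this is from the original post.
SAMPLE_ALERT_LOG = """\
03/01-02:14:07.512233  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:4123 -> 192.0.2.10:161
03/01-02:14:09.004871  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:4124 -> 192.0.2.10:161
03/01-03:30:41.118002  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.77:1434 -> 192.0.2.15:1434
03/01-05:02:13.997120  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:4130 -> 192.0.2.11:161
"""

# One fast-format alert: timestamp, [gid:sid:rev], message, optional
# classification/priority, {proto}, src[:port] -> dst[:port].
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return a list of dicts, one per line that matches the fast format."""
    events = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Compute the same aggregates the daily report prints."""
    return {
        "total": len(events),
        "signatures": len({e["msg"] for e in events}),
        "sources": len({e["src"] for e in events}),
        "destinations": len({e["dst"] for e in events}),
        "log_begins": events[0]["ts"] if events else "",
        "log_ends": events[-1]["ts"] if events else "",
        # Report section: same host -> same destination, same method.
        "by_src_dst_method": Counter(
            (e["src"], e["dst"], e["msg"]) for e in events
        ),
        # Report section: distribution of attack methods.
        "by_method": Counter(e["msg"] for e in events),
    }


def classify_log_text(text):
    """Distinguish 'empty' (no lines at all) from 'unparsed' (lines present
    but none in the expected format, e.g. the wrong output plugin) and 'ok'."""
    nonblank = [ln for ln in text.splitlines() if ln.strip()]
    if not nonblank:
        return "empty"
    if not parse_alerts(text):
        return "unparsed"
    return "ok"


def check_alert_log(path):
    """Read the alert file and return (status, summary)."""
    if not os.path.exists(path):
        return "missing", summarize([])
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return classify_log_text(text), summarize(parse_alerts(text))


if __name__ == "__main__":
    # Run against the constructed sample; swap in the real alert file path
    # (a placeholder below) to compare with what the emailed report claims.
    summary = summarize(parse_alerts(SAMPLE_ALERT_LOG))
    print("Total events:", summary["total"])
    print("Signatures recorded:", summary["signatures"])
    print("Source IP recorded:", summary["sources"])
    print("Destination IP recorded:", summary["destinations"])
    for (src, dst, method), n in summary["by_src_dst_method"].most_common():
        print(f"{n:>4}  {src:<16} {dst:<16} {method}")
    status, _ = check_alert_log("/path/to/snort/alert")  # placeholder path
    print("real alert file status:", status)
```

If the script reports "ok" with non-zero counts for the file Snort writes to, while the emailed report shows zeros, the problem is in the reporting step (wrong path or format) rather than in capture; "empty" or "missing" points back at the sensor configuration.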



Reply to: