in /var/log/guardian.log we have:

Odd.. source = 192.168.0.3, dest = 200.221.1.86. No action done.
Odd.. source = 192.168.0.3, dest = 200.221.1.86. No action done.
Odd.. source = 192.168.0.3, dest = 200.221.1.86. No action done.
Odd.. source = 192.168.0.7, dest = 64.157.165.249. No action done.
Odd.. source = 192.168.0.7, dest = 64.157.165.249. No action done.
Odd.. source = 192.168.0.2, dest = 192.168.0.2. No action done.
Odd.. source = 192.168.0.2, dest = 192.168.0.2. No action done.
Odd.. source = 192.168.0.2, dest = 192.168.0.2. No action done.

and much more... In /var/log/messages, the only messages about snort and guardian are from initialization... but here goes:

Mar 19 11:41:35 servidor snort: Initializing daemon mode
Mar 19 11:41:35 servidor snort: PID path stat checked out ok, PID path set to /var/run/
Mar 19 11:41:35 servidor snort: Writing PID "2352" to file "/var/run//snort_eth0.pid"
Mar 19 11:41:35 servidor snort: ,-----------[Flow Config]----------------------
Mar 19 11:41:35 servidor snort: | Stats Interval: 0
Mar 19 11:41:35 servidor snort: | Hash Method: 2
Mar 19 11:41:35 servidor snort: | Memcap: 10485760
Mar 19 11:41:35 servidor snort: | Rows : 4099
Mar 19 11:41:35 servidor snort: | Overhead Bytes: 16400(%0.16)
Mar 19 11:41:35 servidor snort: `----------------------------------------------
Mar 19 11:41:35 servidor snort: HttpInspect Config:
Mar 19 11:41:35 servidor snort: GLOBAL CONFIG
Mar 19 11:41:35 servidor snort: Max Pipeline Requests: 0
Mar 19 11:41:35 servidor snort: Inspection Type: STATELESS
Mar 19 11:41:35 servidor snort: Detect Proxy Usage: NO
Mar 19 11:41:35 servidor snort: IIS Unicode Map Filename: /etc/unicode.map
Mar 19 11:41:35 servidor snort: IIS Unicode Map Codepage: 1252
Mar 19 11:41:35 servidor snort: DEFAULT SERVER CONFIG:
Mar 19 11:41:35 servidor snort: Ports:
Mar 19 11:41:35 servidor snort: 80
Mar 19 11:41:35 servidor snort: 8080
Mar 19 11:41:35 servidor snort: 8180
Mar 19 11:41:35 servidor snort:
Mar 19 11:41:35 servidor snort: Flow Depth: 300
Mar 19 11:41:35 servidor snort: Max Chunk Length: 500000
Mar 19 11:41:35 servidor snort: Inspect Pipeline Requests: YES
Mar 19 11:41:35 servidor snort: URI Discovery Strict Mode: NO
Mar 19 11:41:35 servidor snort: Allow Proxy Usage: NO
Mar 19 11:41:35 servidor snort: Disable Alerting: NO
Mar 19 11:41:35 servidor snort: Oversize Dir Length: 500
Mar 19 11:41:35 servidor snort: Only inspect URI: NO
Mar 19 11:41:36 servidor snort: Ascii: YES alert: NO
Mar 19 11:41:36 servidor snort: Double Decoding: YES alert: YES
Mar 19 11:41:36 servidor snort: %U Encoding: YES alert: YES
Mar 19 11:41:36 servidor snort: Bare Byte: YES alert: YES
Mar 19 11:41:36 servidor snort: Base36: OFF
Mar 19 11:41:36 servidor snort: UTF 8: OFF
Mar 19 11:41:36 servidor snort: IIS Unicode: YES alert: YES
Mar 19 11:41:36 servidor snort: Multiple Slash: YES alert: NO
Mar 19 11:41:36 servidor snort: IIS Backslash: YES alert: NO
Mar 19 11:41:36 servidor snort: Directory: YES alert: NO
Mar 19 11:41:36 servidor snort: Apache WhiteSpace: YES alert: YES
Mar 19 11:41:36 servidor snort: IIS Delimiter: YES alert: YES
Mar 19 11:41:36 servidor snort: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Mar 19 11:41:36 servidor snort: Non-RFC Compliant Characters:
Mar 19 11:41:36 servidor snort: NONE
Mar 19 11:41:36 servidor snort:
Mar 19 11:41:36 servidor snort: rpc_decode arguments:
Mar 19 11:41:36 servidor snort: Ports to decode RPC on: 111 32771
Mar 19 11:41:36 servidor snort: alert_fragments: INACTIVE
Mar 19 11:41:36 servidor snort: alert_large_fragments: ACTIVE
Mar 19 11:41:36 servidor snort: alert_incomplete: ACTIVE
Mar 19 11:41:36 servidor snort: alert_multiple_requests: ACTIVE
Mar 19 11:41:36 servidor snort: Snort initialization completed successfully

Access to the logs is fully opened up; I imagined that could be it... but it's OK.

[]'s (I hope the moderator doesn't block me hehehe)

What do the logs show for this case??? /var/log/message /var/log/guardian (or wherever it is). Have you opened up read access to the snort logs for guardian???

---------------------------------------------------------------------------
This list is sponsored by Conectiva S.A. Visit http://www.conectiva.com.br
Archive: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
List usage rules: http://linux-br.conectiva.com.br
FAQ: http://www.zago.eti.br/menu.html
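Every "Odd.." entry in the guardian.log excerpt above has a source on the 192.168.0.0/24 LAN, and guardian took no action on any of them. The script below is an added example, not part of the thread or of guardian itself: it parses lines in that exact format, tallies the ignored alerts per source/destination pair, and classifies each by direction, so the same pattern stands out in a log far longer than the excerpt. The sample log is constructed to mirror the excerpt.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the same format as the guardian.log lines in the thread.
SAMPLE_LOG = """\
Odd.. source = 192.168.0.3, dest = 200.221.1.86. No action done.
Odd.. source = 192.168.0.3, dest = 200.221.1.86. No action done.
Odd.. source = 192.168.0.7, dest = 64.157.165.249. No action done.
Odd.. source = 192.168.0.2, dest = 192.168.0.2. No action done.
Odd.. source = 192.168.0.2, dest = 192.168.0.2. No action done.
some other guardian line that the parser must skip
"""

# Matches the 'Odd.. source = A, dest = B. No action done.' line shape exactly.
ODD_RE = re.compile(
    r"^Odd\.\. source = (?P<src>[\d.]+), dest = (?P<dst>[\d.]+)\. No action done\.$"
)


def parse_odd_lines(text):
    """Return (source, dest) string pairs for every matching line; others are ignored."""
    pairs = []
    for line in text.splitlines():
        m = ODD_RE.match(line.strip())
        if m:
            pairs.append((m["src"], m["dst"]))
    return pairs


def classify(src, dst):
    """Label the direction of an ignored alert using RFC 1918 private-range checks."""
    s, d = ip_address(src), ip_address(dst)
    if s == d:
        return "self-to-self"
    if s.is_private and d.is_private:
        return "internal-to-internal"
    if s.is_private:
        return "internal-to-external"
    return "external-source"


def summarize(text):
    """Count ignored alerts per (src, dst) pair and per direction class."""
    pairs = parse_odd_lines(text)
    return Counter(pairs), Counter(classify(s, d) for s, d in pairs)


if __name__ == "__main__":
    per_pair, per_class = summarize(SAMPLE_LOG)
    for (src, dst), n in per_pair.most_common():
        print(f"{n:4d}  {src} -> {dst}  [{classify(src, dst)}]")
    print(dict(per_class))
```

A high count of ignored alerts whose source is a LAN host is worth checking against guardian's ignore list and snort's HOME_NET setting before assuming the log is noise.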
