
Troubleshooting Snort and MHN

Jason Trost edited this page Feb 7, 2015 · 5 revisions

When troubleshooting snort, it is helpful to gather the following:

  1. Output of this command (on the snort sensor): sudo supervisorctl status. Is snort running?
  2. Contents of /var/log/snort.log (on the snort sensor). Do you see any errors related to bad signatures or failed connection or authentication to hpfeeds?
  3. Contents of /opt/snort/etc/snort.conf (on the snort sensor). Take note of the hpfeeds logging section. Is the host correct? It should be your MHN server.
  4. Output of this command (on the MHN Server). Do the ident and secret from your hpfeeds logging section match the auth_key for your snort sensor?

    mongo hpfeeds
    > db.auth_key.find({'publish': ['snort.alerts']})

  5. Output of this command (on the MHN Server). Are there any snort records?

    mongo mnemosyne
    > db.session.find({'honeypot': 'snort'})
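
The comparison in steps 3 and 4 can be done mechanically. The script below is an added example, not part of the MHN wiki or project. It assumes the hpfeeds logging section is a single `output log_hpfeeds:` line of comma-separated `key value` pairs; `hpf_field`, `check_hpfeeds` and `write_sample_conf` are hypothetical helper names, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the MHN wiki): cross-check steps 3 and 4 offline.
# ASSUMPTION: the hpfeeds logging section of snort.conf is a single line
#   output log_hpfeeds: host H, ident I, secret S, ...
# of comma-separated "key value" pairs. Adjust hpf_field if yours differs.

# hpf_field CONF KEY -> print KEY's value from the first log_hpfeeds line
hpf_field() {
    grep -E '^[[:space:]]*output[[:space:]]+log_hpfeeds:' "$1" | head -n 1 |
        sed 's/^[^:]*://' | tr ',' '\n' |
        awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_hpfeeds CONF MHN_HOST IDENT SECRET
# IDENT and SECRET are the values shown by the auth_key query in step 4.
# Prints one line per problem; returns 0 only if host, ident and secret match.
check_hpfeeds() {
    rc=0
    for pair in "host=$2" "ident=$3" "secret=$4"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(hpf_field "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key"; rc=1
        elif [ "$got" != "$want" ]; then
            # Report that the secret differs without printing either value.
            if [ "$key" = secret ]; then echo "MISMATCH secret"
            else echo "MISMATCH $key: conf=$got expected=$want"; fi
            rc=1
        fi
    done
    return "$rc"
}

# write_sample_conf PATH -> constructed snort.conf fragment for the demo
write_sample_conf() {
    cat > "$1" <<'EOF'
# hpfeeds (constructed sample, not a real sensor's config)
output log_hpfeeds: host 192.0.2.10, ident snort-sensor-01, secret s3cr3tEXAMPLE, channel snort.alerts
EOF
}

demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
check_hpfeeds "$demo_conf" 192.0.2.10 snort-sensor-01 s3cr3tEXAMPLE && echo "hpfeeds settings match"
check_hpfeeds "$demo_conf" 192.0.2.10 snort-sensor-01 rotatedSecret || echo "sensor cannot authenticate"
rm -f "$demo_conf"
```

On a sensor, point check_hpfeeds at /opt/snort/etc/snort.conf and pass your MHN server's host plus the ident and secret returned by the auth_key query.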