Snort mailing list archives
RE: Snort won't log anything! Please help...
From: "Kalteis, Nico (Contractor)" <Nico.Kalteis () ed gov>
Date: Fri, 28 Mar 2003 15:11:13 -0500
I don't know, but here is the command line I used (just one of many that didn't work):

C:\Snort\bin>snort -de -c c:\snort\etc\snort3.conf -l c:\snort\log

Once I typed that in, here is what I got, indicating that Snort started OK. NOTE: Please note that instead of including the rules files I put a single sample rule straight in the snort.conf file.
Log directory = c:\snort\log

Initializing Network Interface \
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{C1372086-F27F-4F28-96B7-1709ECF2DAE7 }
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file c:\snort\etc\snort3.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 0
    Self preservation period: 0
    Suspend threshold: 0
    Suspend period: 0
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
    KeepStats: 0
    Conv Count: 32000
    Timeout : 60
    Alert Odd?: 0
    Allowed IP Protocols: All
1 Snort rules read...
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.1-ODBC-MySQL-MSSQL-WIN32 (Build 231)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8-1.9 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
The snort.conf file itself is basically untouched, except that I included the single rule:

alert tcp any any -> any 80

which is the only way I could log SOMEthing. The moment I put the real CMD.EXE rule (the one I used as an example) nothing got logged.

Thanks for any help!

Nico

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, March 28, 2003 2:57 PM
To: Kalteis, Nico (Contractor)
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Snort won't log anything! Please help...

On Fri, 28 Mar 2003, Kalteis, Nico (Contractor) wrote:
> By the way, I just noticed this: When I simply use the rule alert any any -> any any Snort logs just fine. It sets up a whole separate folder for any IP address it talks to. But the moment I add ANYTHING behind that line containing a signature it just sits there and does nothing. Specifically, I tried this with a simple "cmd.exe" rule. Then I kept cutting down the signature part until all I was left with was (content:"cmd.exe";) but to no avail. Can anybody tell me why it will log packets but not if I include a signature it's supposed to match?

That says your .conf file isn't right in some manner. How are you starting snort? What does your command line read? Are you trying to use relative paths? Are you using -l <logdir>? What do you have defined as your RULE_PATH? What does the output <foo> line look like?

Give us a bit more hard data, and we'll be better equipped to help you out.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
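To make the difference between the two rule forms in this thread concrete, here is an added example (my own code, not Snort's and not from either poster): a minimal Snort-style rule parser and matcher that evaluates the header-only rule and the content:"cmd.exe" rule against constructed packets. It also shows a point neither message raises: Snort content matches are case-sensitive unless the rule carries nocase;, so a rule written as CMD.EXE does not fire on a payload that contains cmd.exe. The packets and addresses are constructed sample data.

```python
# Minimal Snort-style rule matcher (added example, not Snort's own code).
import re

# Rule header: action proto src sport -> dst dport, plus optional (options).
HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$')

def parse_rule(text):
    """Parse the header and the content/nocase options of one rule."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "content": [], "nocase": False}
    for opt in (o.strip() for o in (opts or "").split(";") if o.strip()):
        key, _, val = opt.partition(":")
        if key == "content":
            rule["content"].append(val.strip().strip('"').encode())
        elif key == "nocase":
            rule["nocase"] = True
    return rule

def matches(rule, pkt):
    """True if the header fields and every content: pattern match pkt."""
    for key in ("proto", "src", "sport", "dst", "dport"):
        if rule[key] != "any" and rule[key] != str(pkt[key]):
            return False
    # Snort compares content case-sensitively unless nocase; is set.
    payload = pkt["payload"].lower() if rule["nocase"] else pkt["payload"]
    return all((n.lower() if rule["nocase"] else n) in payload
               for n in rule["content"])

# Constructed sample packets (not captured traffic): one plain HTTP
# request and one whose payload contains the string cmd.exe.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 1034, "dst": "10.0.0.80",
     "dport": 80, "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 1035, "dst": "10.0.0.80",
     "dport": 80, "payload": b"GET /cmd.exe HTTP/1.0\r\n\r\n"},
]

def count_hits(rule_text, packets=PACKETS):
    """Number of sample packets a rule would alert on."""
    rule = parse_rule(rule_text)
    return sum(matches(rule, p) for p in packets)
```

With these packets the header-only rule fires twice, the cmd.exe content rule once, the CMD.EXE rule not at all, and CMD.EXE with nocase; once again.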