Snort mailing list archives
Re: Installing Snort
From: Damien Hull <dhull () section9 us>
Date: Fri, 8 Jul 2011 15:21:01 -0800
It looks like my problem is with barnyard2. If I run snort I can see port scans in /var/snort/sfportscan.log. If I run with barnyard2 I get nothing.

I should also point out that I have OSSEC installed. It sends me emails with error messages. I got the following when I started snort and barnyard2.

OSSEC HIDS Notification.
2011 Jul 08 23:11:00

Received From: migration->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 8 23:10:59 migration snort[28837]: Check for Bounce Attacks: YES alert: YES

--END OF NOTIFICATION

OSSEC HIDS Notification.
2011 Jul 08 23:11:00

Received From: migration->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 8 23:10:59 migration snort[28837]: Bad Message Direction Alert: DISABLED

--END OF NOTIFICATION

OSSEC HIDS Notification.
2011 Jul 08 23:11:00

Received From: migration->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 8 23:10:59 migration snort[28837]: Bad Payload Size Alert: DISABLED

--END OF NOTIFICATION

On Jul 8, 2011, at 1:21 PM, Michael Lubinski <michael.lubinski () gmail com> wrote:

If the sfportscan preprocessor is configured

On Jul 8, 2011 4:18 PM, "Damien Hull" <dhull () section9 us> wrote:

I double checked and that's a typo in the email. Just for fun I retyped everything in /etc/rc.local. Still not getting anything in the log file. I even recompiled snort. I'm assuming a port scan will show up in a log file somewhere.

On Jul 8, 2011, at 12:52 PM, Michael Lubinski <michael.lubinski () gmail com> wrote:

Typo on "gen-smg.map" or copy typo?

On Fri, Jul 8, 2011 at 3:52 PM, Damien Hull <dhull () section9 us> wrote:

In /etc/rc.local I have the following...

/usr/local/snort/bin/snort -D -u snort -g snort \
  -c /usr/local/snort/etc/snort.conf -i eth0

/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
  -G /usr/local/snort/etc/gen-smg.map \
  -S /usr/local/snort/etc/sid-msg.map \
  -d /var/log/snort \
  -f snort.u2 \
  -w /var/log/snort/barnyard2.waldo \
  -D

On Jul 8, 2011, at 12:43 PM, Michael Lubinski <michael.lubinski () gmail com> wrote:

What's your syntax for starting snort?

On Fri, Jul 8, 2011 at 3:28 PM, Damien Hull <dhull () section9 us> wrote:

I have snort installed on a web server. It only needs to see incoming attacks, so that should be working. I double checked snort.conf rules and found the port scan rule was commented out. Even after uncommenting that rule it doesn't work. Nothing shows up in /var/log/snort/snort or the snort report database.

I'm thinking something was left out of the instructions on http://snort.org. I double checked my configuration several times.

On Jul 8, 2011, at 12:11 PM, Michael Lubinski <michael.lubinski () gmail com> wrote:

Is your snort sensor able to see the traffic? (span port, connected via a hub?) Are the rules uncommented in snort.conf?

On Fri, Jul 8, 2011 at 3:05 PM, Damien Hull <dhull () section9 us> wrote:

Here's what I have in /usr/local/snort/rules...

total 10356
-rw-r--r-- 1 1210 1210 18236 Apr 4 17:59 VRT-License.txt
-rw-r--r-- 1 1210 1210 5463 Jun 7 16:35 attack-responses.rules
-rw-r--r-- 1 1210 1210 312012 Jun 7 16:35 backdoor.rules
-rw-r--r-- 1 1210 1210 1862 Jun 7 16:35 bad-traffic.rules
-rw-r--r-- 1 1210 1210 132557 Jun 7 16:35 blacklist.rules
-rw-r--r-- 1 1210 1210 49738 Jun 7 16:35 botnet-cnc.rules
-rw-r--r-- 1 1210 1210 20259 Jun 7 16:35 chat.rules
-rw-r--r-- 1 1210 1210 8642 Jun 7 16:35 content-replace.rules
-rw-r--r-- 1 1210 1210 8237 Jun 7 16:35 ddos.rules
-rw-r--r-- 1 1210 1210 5048660 Jun 7 16:35 deleted.rules
-rw-r--r-- 1 1210 1210 11722 Jun 7 16:35 dns.rules
-rw-r--r-- 1 1210 1210 25338 Jun 7 16:35 dos.rules
-rw-r--r-- 1 1210 1210 1327 May 16 2005 experimental.rules
-rw-r--r-- 1 1210 1210 147124 Jun 7 16:35 exploit.rules
-rw-r--r-- 1 1210 1210 4579 Jun 7 16:35 finger.rules
-rw-r--r-- 1 1210 1210 33901 Jun 7 16:35 ftp.rules
-rw-r--r-- 1 1210 1210 17265 Jun 7 16:35 icmp-info.rules
-rw-r--r-- 1 1210 1210 3756 Jun 7 16:35 icmp.rules
-rw-r--r-- 1 1210 1210 31824 Jun 7 16:35 imap.rules
-rw-r--r-- 1 1210 1210 1041 Jun 7 16:35 info.rules
-rw-r--r-- 1 1210 1210 199 Jun 7 16:35 local.rules
-rw-r--r-- 1 1210 1210 24059 Jun 7 16:35 misc.rules
-rw-r--r-- 1 1210 1210 7166 Jun 7 16:35 multimedia.rules
-rw-r--r-- 1 1210 1210 13845 Jun 7 16:35 mysql.rules
-rw-r--r-- 1 1210 1210 217140 Jun 7 16:35 netbios.rules
-rw-r--r-- 1 1210 1210 5804 Jun 7 16:35 nntp.rules
-rw-r--r-- 1 1210 1210 1246 Jun 7 16:35 open-test.conf
-rw-r--r-- 1 1210 1210 208849 Jun 7 16:35 oracle.rules
-rw-r--r-- 1 1210 1210 1490 Jun 7 16:35 other-ids.rules
-rw-r--r-- 1 1210 1210 6432 Jun 7 16:35 p2p.rules
-rw-r--r-- 1 1210 1210 56702 Jun 7 16:35 phishing-spam.rules
-rw-r--r-- 1 1210 1210 47381 Jun 7 16:35 policy.rules
-rw-r--r-- 1 1210 1210 1046 Jun 7 16:35 pop2.rules
-rw-r--r-- 1 1210 1210 15701 Jun 7 16:35 pop3.rules
-rw-r--r-- 1 1210 1210 91675 Jun 7 16:35 rpc.rules
-rw-r--r-- 1 1210 1210 3984 Jun 7 16:35 rservices.rules
-rw-r--r-- 1 1210 1210 42175 Jun 7 16:35 scada.rules
-rw-r--r-- 1 1210 1210 5307 Jun 7 16:35 scan.rules
-rw-r--r-- 1 1210 1210 13707 Jun 7 16:35 shellcode.rules
-rw-r--r-- 1 1210 1210 91705 Jun 7 16:35 smtp.rules
-rw-r--r-- 1 1210 1210 7250 Jun 7 16:35 snmp.rules
-rw-r--r-- 1 1210 1210 335177 Jun 7 16:35 specific-threats.rules
-rw-r--r-- 1 1210 1210 546411 Jun 7 16:35 spyware-put.rules
-rw-r--r-- 1 1210 1210 46695 Jun 7 16:35 sql.rules
-rw-r--r-- 1 1210 1210 7904 Jun 7 16:35 telnet.rules
-rw-r--r-- 1 1210 1210 6410 Jun 7 16:35 tftp.rules
-rw-r--r-- 1 1210 1210 1574 Jun 7 16:35 virus.rules
-rw-r--r-- 1 1210 1210 26552 Jun 7 16:35 voip.rules
-rw-r--r-- 1 1210 1210 1943280 Jun 7 16:35 web-activex.rules
-rw-r--r-- 1 1210 1210 1470 Jun 7 16:35 web-attacks.rules
-rw-r--r-- 1 1210 1210 119084 Jun 7 16:35 web-cgi.rules
-rw-r--r-- 1 1210 1210 264702 Jun 7 16:35 web-client.rules
-rw-r--r-- 1 1210 1210 14403 Jun 7 16:35 web-coldfusion.rules
-rw-r--r-- 1 1210 1210 12895 Jun 7 16:35 web-frontpage.rules
-rw-r--r-- 1 1210 1210 53052 Jun 7 16:35 web-iis.rules
-rw-r--r-- 1 1210 1210 221135 Jun 7 16:35 web-misc.rules
-rw-r--r-- 1 1210 1210 51100 Jun 7 16:35 web-php.rules
-rw-r--r-- 1 1210 1210 1891 Jun 7 16:35 x11.rules

On Jul 8, 2011, at 11:18 AM, Michael Lubinski <michael.lubinski () gmail com> wrote:

What is in the rules directory?

On Fri, Jul 8, 2011 at 2:09 PM, Damien Hull <dhull () section9 us> wrote:

I compiled snort for Ubuntu 10.04 following the instructions on the snort website. I installed the snort rules. Snort and barnyard2 start. There are snort files in /var/log/snort. However, there's nothing in the log files. The database doesn't contain any info. I did a port scan of the system. I'm assuming snort should pick that up. Again, nothing in the log files or in the database. I'm using snort report just like the documentation says. Can someone point me in some kind of direction? I must be missing something.
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
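The thread's rc.local snippet launches barnyard2 with a map file spelled gen-smg.map, and a bad path there gives no alerts rather than an error. The pre-flight check below is an added example, not code from the thread or from the barnyard2 project: it validates every path passed with -c/-G/-S/-d/-w and confirms that at least one unified2 spool file matching the -f prefix exists, so a typo or an empty spool directory is reported before barnyard2 is started. It assumes Snort's unified2 files are named prefix.timestamp (for example snort.u2.1310166659), which is how the unified2 output plugin names them.

```shell
#!/bin/sh
# check_barnyard2_args: sanity-check the path arguments that would be handed to
# barnyard2 (for example the command line kept in /etc/rc.local). Every path is
# checked against the filesystem so a misspelled map file or an empty spool
# directory is reported instead of silently producing an empty alert database.
# Returns 0 when everything checks out, 1 otherwise; problems go to stderr.
check_barnyard2_args() {
    status=0
    spool_dir=""
    spool_prefix=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -c|-G|-S)                       # config, gen-msg.map, sid-msg.map
                if [ ! -r "$2" ]; then
                    echo "barnyard2 $1: cannot read $2" >&2
                    status=1
                fi
                shift ;;
            -d)                             # unified2 spool directory
                spool_dir=$2
                [ -d "$2" ] || { echo "barnyard2 -d: $2 is not a directory" >&2; status=1; }
                shift ;;
            -f)                             # unified2 base filename
                spool_prefix=$2
                shift ;;
            -w)                             # waldo bookmark: parent dir must be writable
                wdir=$(dirname "$2")
                [ -w "$wdir" ] || { echo "barnyard2 -w: $wdir is not writable" >&2; status=1; }
                shift ;;
        esac
        shift
    done
    # Assumption: unified2 files are named <prefix>.<timestamp>. If none exist,
    # snort has not logged anything yet and barnyard2 will sit idle.
    if [ -n "$spool_dir" ] && [ -n "$spool_prefix" ]; then
        if ! ls "$spool_dir/$spool_prefix".* >/dev/null 2>&1; then
            echo "barnyard2: no $spool_prefix.* files in $spool_dir yet" >&2
            status=1
        fi
    fi
    return $status
}

# Usage with the arguments from the thread (run before the real barnyard2 line):
# check_barnyard2_args -c /usr/local/snort/etc/barnyard2.conf \
#   -G /usr/local/snort/etc/gen-smg.map -S /usr/local/snort/etc/sid-msg.map \
#   -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D || exit 1
```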