Snort mailing list archives
snort suddenly stopped to record events
From: linux () vfemail net
Date: Mon, 22 Jul 2013 10:59:37 -0500
Hello snort events,

I have snort installed on centos-5.9 and configured to work with barnyard and update rules using pulledpork.

[root@ids snort]# cat /etc/issue
CentOS release 5.9 (Final)
Kernel \r on an \m
[root@ids snort]#

All packages below have been compiled and installed on the same machine, using src.rpm!

snort-2.9.3.1-1.x86_64
barnyard2-1.9-el5.x86_64
pulledpork-0.6.2-1.x86_64

The configuration is similar to the one described here, without mysql: http://www.snort.org/assets/158/snortinstallguide293.pdf

In /etc/snort/snort.conf I have:

output unified2: filename merged.log, limit 128

Starting using:

snort -u snort -g snort -c /etc/snort/snort.conf -i eth4

snort is starting clean (see snort_dump.txt attached), so it seems that everything is ok, but no events are logged into /var/log/snort/merged.log.1374504770. Merged.log still remains empty!!!
Attached you have the output of:

# snort -c /etc/snort/snort.conf -T &> snort_dump.txt

After ~30 minutes, I hit CTRL+C and I am able to see:

Commencing packet processing (pid=11307)
...
*** Caught Int-Signal
===============================================================================
Run time for packet processing was 1974.990819 seconds
Snort processed 4530 packets.
Snort ran for 0 days 0 hours 32 minutes 54 seconds
   Pkts/min:          141
   Pkts/sec:            2
===============================================================================
Packet I/O Totals:
   Received:         4530
   Analyzed:         4530 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         4530 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:         3470 ( 76.600%)
       Frag:            0 (  0.000%)
       ICMP:            1 (  0.022%)
        UDP:         3462 ( 76.424%)
        TCP:            1 (  0.022%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:          762 ( 16.821%)
        IPX:           58 (  1.280%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:          246 (  5.430%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:         4530
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:         4530 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
            Total sessions: 92
              TCP sessions: 0
              UDP sessions: 92
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 0
TCP StreamTrackers Deleted: 0
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 0
     TCP Segments Released: 0
       TCP Rebuilt Packets: 0
         TCP Segments Used: 0
              TCP Discards: 0
                  TCP Gaps: 0
      UDP Sessions Created: 92
      UDP Sessions Deleted: 92
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 1
           UDP Port Filter
                   Dropped: 0
                 Inspected: 795
                   Tracked: 92
===============================================================================
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 0
  Max concurrent sessions                           : 0
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
===============================================================================
SIP Preprocessor Statistics
  Total sessions: 0
===============================================================================
Reputation Preprocessor Statistics
  Total Memory Allocated: 0
===============================================================================
Snort exiting
[root@ids ~]#

So, how can I produce an alert or test that snort is working and producing alerts? I have files older than 2 months and snort events have been logged inside, but after that nothing was logged inside the events file!
I've changed just the monitored interface from eth1 to eth4, and the IP address of ipvar HOME_NET from [192.168.48.0/24] to [192.168.51.0/24].

Please, help me to debug ... I am lost ... Could it be some new updates received using pulledpork? Some misconfigured rules received using pulledpork? Why is snort not logging?
Regards,
Alx
Attachment:
snort_dump.txt
Description:
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
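The poster's underlying question is whether anything at all is reaching the unified2 spool that barnyard2 reads. A small reader that walks the record headers of a merged.log file answers that directly: an empty file yields zero records, a file with events yields a per-type count plus the gid:sid:rev and endpoints of each IPv4 event. The following is an added example written for this archive page, not code from the original post or from the Snort or barnyard2 projects. It assumes the unified2 layout documented for Snort 2.9 (a 4-byte type and 4-byte length in network byte order before every record, and a fixed 52-byte body for the legacy IPv4 IDS event, type 7). The sample bytes it builds when run without an argument are constructed; the sid 1000001, the 192.168.51.x addresses and the timestamp are placeholders, not values from the poster's system.

```python
"""Summarise a Snort unified2 spool file (e.g. /var/log/snort/merged.log.<ts>).

Added example for the mailing-list post above; not Snort or barnyard2 code.
Assumes the unified2 record layout of Snort 2.9.
"""
import ipaddress
import struct
import sys
from collections import Counter

# Record types as named in Snort's unified2 header (Unified2_common.h).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # Unified2IDSEvent_legacy, IPv4
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110
TYPE_NAMES = {2: "packet", 7: "ids_event", 72: "ids_event_ipv6",
              104: "ids_event_vlan", 105: "ids_event_ipv6_vlan", 110: "extra_data"}

RECORD_HEADER = struct.Struct("!II")      # type, length, network byte order
# Unified2IDSEvent_legacy: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode, protocol, impact_flag,
# impact, blocked  -> 11 x uint32 + 2 x uint16 + 4 x uint8 = 52 bytes
IDS_EVENT_LEGACY = struct.Struct("!11I2H4B")


def iter_records(data):
    """Yield (type, body) for every complete record; stop at a truncated tail."""
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        body = data[offset:offset + rlen]
        if len(body) < rlen:
            # Partial record: Snort may still be writing it, or the file was cut short.
            break
        offset += rlen
        yield rtype, body


def parse_legacy_event(body):
    """Decode the fields a reader usually wants from a type-7 event body."""
    f = IDS_EVENT_LEGACY.unpack_from(body)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
        "src": str(ipaddress.IPv4Address(f[9])),
        "dst": str(ipaddress.IPv4Address(f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13], "blocked": f[16],
    }


def summarize(data):
    """Count records per type and decode the legacy IPv4 events."""
    counts = Counter()
    events = []
    for rtype, body in iter_records(data):
        counts[TYPE_NAMES.get(rtype, f"type_{rtype}")] += 1
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT_LEGACY.size:
            events.append(parse_legacy_event(body))
    return {"records": sum(counts.values()), "by_type": dict(counts), "events": events}


def build_sample():
    """Constructed sample spool: one legacy IPv4 event followed by its packet record."""
    event = IDS_EVENT_LEGACY.pack(
        1, 1, 1374504770, 0,                  # sensor, event id, seconds, usec (constructed)
        1000001, 1, 1, 0, 3,                  # sid, gid, rev, classification, priority
        int(ipaddress.IPv4Address("192.168.51.10")),   # placeholder source
        int(ipaddress.IPv4Address("192.168.51.1")),    # placeholder destination
        0, 0, 1, 0, 0, 0)                     # itype, icode, proto=1 (ICMP), flags
    payload = b"\x08\x00" + b"\x00" * 6       # constructed, truncated ICMP echo bytes
    # Unified2Packet header: sensor_id, event_id, event_second, packet_second,
    # packet_microsecond, linktype, packet_length, then the packet bytes.
    packet = struct.pack("!7I", 1, 1, 1374504770, 1374504770, 0, 1, len(payload)) + payload
    return (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:   # e.g. /var/log/snort/merged.log.1374504770
            data = fh.read()
    else:
        data = build_sample()
    summary = summarize(data)
    if summary["records"] == 0:
        print("no unified2 records: nothing has been written to this spool")
    for ev in summary["events"]:
        print(f"[{ev['gid']}:{ev['sid']}:{ev['rev']}] {ev['src']}:{ev['sport']} -> "
              f"{ev['dst']}:{ev['dport']} proto={ev['proto']} prio={ev['priority']}")
    print(summary["by_type"])
    return summary


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the spool file barnyard2 is pointed at. A result of zero records confirms the spool is genuinely empty, which separates "Snort is not generating events" from "barnyard2 is not consuming them"; a non-zero count with no rows in the back end points at barnyard2's waldo file or its output plugin instead.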
Current thread:
- snort suddenly stopped to record events linux (Jul 22)
- Re: snort suddenly stopped to record events waldo kitty (Jul 22)
- Re: snort suddenly stopped to record events linux (Jul 23)
- Re: snort suddenly stopped to record events waldo kitty (Jul 23)
- Re: snort suddenly stopped to record events Alex (Jul 24)
- Re: snort suddenly stopped to record events Peter Bates (Jul 24)
- Re: snort suddenly stopped to record events waldo kitty (Jul 24)
- Re: snort suddenly stopped to record events Alex (Jul 26)
- Re: snort suddenly stopped to record events waldo kitty (Jul 26)
- Re: snort suddenly stopped to record events Alex (Jul 29)
- Re: snort suddenly stopped to record events linux (Jul 23)
- Re: snort suddenly stopped to record events waldo kitty (Jul 22)