Snort mailing list archives
Re: snort suddenly stopped to record events
From: "Alex" <linux () vfemail net>
Date: Wed, 24 Jul 2013 17:00:18 +0300
Hi Waldo, Thanks again for your help. I've collected more info, see below :-) just commenting out UDP rules in /etc/snort/rules/local-test.rules: #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;) #alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;) will still continue to log UDP packets in syslog!!!! Jul 24 13:56:14 ids snort: [1:4:1] ip traffic outbound [Classification: Unknown Traffic] [Priority: 3] {UDP} 192.168.51.10:138 -> 192.168.51.255:138 Jul 24 13:56:14 ids snort: [1:3:1] ip traffic inbound [Classification: Unknown Traffic] [Priority: 3] {UDP} 192.168.51.10:138 -> 192.168.51.255:138 Commenting out also ip rules in /etc/snort/rules/local-test.rules, will cause snort to stop logging UDP packets. #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;) #alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;) but this time, in merged.log, nothing is recorded! To isolate somehow the problem: - on one terminal I've started a tcpdump -v tcp -i eth4 - on second terminal, i've started: snort -u snort -g snort snort -c /etc/snort/snort.conf on my host (192.168.51.59) I've telneted host 192.168.51.61 on port 80 (which is a network printer) and has a management interface listening on port 80 See below logs: [root@ids ~]# tcpdump -v -nn tcp -i eth4 tcpdump: WARNING: eth4: no IPv4 address assigned tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 96 bytes 14:51:45.701106 IP (tos 0x0, ttl 64, id 27972, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.51.61.80 > 192.168.51.59.1984: S, cksum 0xf7ba (correct), 3548862483:3548862483(0) ack 3068431451 win 11680 <mss 1460,nop,wscale 0> 14:51:45.702054 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.51.61.80 > 192.168.51.59.1984: R, cksum 0x946b (correct), 3548862484:3548862484(0) win 0 [root@ids snort]# tail -f /var/log/messages|grep snort Jul 24 14:51:45 ids snort: [1:2:1] tcp traffic outbound [Classification: A TCP connection was detected] [Priority: 4] {TCP} 192.168.51.61:80 -> 192.168.51.59:1984 Jul 24 14:51:45 ids snort: [1:1:1] tcp traffic inbound [Classification: A TCP connection was detected] [Priority: 4] {TCP} 192.168.51.61:80 -> 192.168.51.59:1984 Jul 24 14:51:45 ids snort: [1:2:1] tcp traffic outbound [Classification: A TCP connection was detected] [Priority: 4] {TCP} 192.168.51.61:80 -> 192.168.51.59:1984 Jul 24 14:51:45 ids snort: [1:1:1] tcp traffic inbound [Classification: A TCP connection was detected] [Priority: 4] {TCP} 192.168.51.61:80 -> 192.168.51.59:1984 Now, I have a question, to be sure that I am understanding correctly snort functionality. Supposing that barnyard IS NOT STARTED and udp and ip rules are enabled in local-test.rules, I am able to see that in merged.log will be recorderded some things and also in syslog will appear alerts!!!! Now, in snort.conf I have 2 lines defined for output: output unified2: filename merged.log, limit 128 and output alert_syslog: LOG_AUTH LOG_ALERT What line in snort.conf will produce alerts in syslog? As far as I understand, output unified2: filename merged.log, is related to barnyard and will not record in syslog. ONLY when barnyard2 will be started, merged.log file will be read and in case will be some alerts, barbyard2 will write them in syslog. Correct? The second line (output alert_syslog: LOG_AUTH LOG_ALERT), will be responsible to write direct in syslog and has nothing to do with merged.log file above. Right? So answer to my question above is: output alert_syslog: LOG_AUTH LOG_ALERT! Right? Now, I've started snort as daemon and tried to generate some traffic again, telneting another host from the same source (192.168.51.59) telnet 192.168.51.100 80! Unfortunatelly, this time tcpdump will show and record only arp request: [root@ids ~]# tcpdump -i eth4 -v host 192.168.51.59 tcpdump: WARNING: eth4: no IPv4 address assigned tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 96 bytes 16:20:41.672663 arp who-has 192.168.51.59 tell 192.168.51.100 and this event is not recorded/alerted by snort even connection has been established. Is this normal? Anyway, in this time, something has been recorded in merged.log file. I've decoded using u2spewfoo, see blelow: [root@ids eth4]# ./u2spewfoo merged.log.1374667559 (Event) sensor id: 0 event id: 1 event second: 1374667574 event microsecond: 908616 sig id: 8 gen id: 1 revision: 1 classification: 31 priority: 3 ip source: 192.168.51.1 ip destination: 192.168.51.49 src port: 3 dest port: 13 protocol: 1 impact_flag: 0 blocked: 0 Packet sensor id: 0 event id: 1 event second: 1374667574 packet second: 1374667574 packet microsecond: 908616 linktype: 1 packet_length: 118 [ 0] B8 27 EB 34 9D 90 00 0C 42 BD 73 44 08 00 45 C0 .'.4....B.sD..E. [ 16] 00 68 E4 77 00 00 40 01 AD DA C0 A8 33 01 C0 A8 .h.w..@.....3... [ 32] 33 31 03 0D A3 13 00 00 00 00 45 C0 00 4C 00 00 31........E..L.. [ 48] 40 00 3F 11 95 0A C0 A8 33 31 C1 E6 F0 16 00 7B @.?.....31.....{ [ 64] 00 7B 00 38 93 37 23 03 0A EC 00 00 11 E3 00 13 .{.8.7#......... [ 80] BB 0A C1 E6 F0 16 D5 86 49 8C 95 67 7C 2B D5 86 ........I..g|+.. [ 96] 49 8C 94 62 D4 0A D5 86 49 8C 95 67 7C 2B D5 9A I..b....I..g|+.. [ 112] 41 B4 91 18 87 57 A....W (Event) sensor id: 0 event id: 2 event second: 1374667574 event microsecond: 908616 sig id: 7 gen id: 1 revision: 1 classification: 31 priority: 3 ip source: 192.168.51.1 ip destination: 192.168.51.49 src port: 3 dest port: 13 protocol: 1 impact_flag: 0 blocked: 0 Packet sensor id: 0 event id: 2 event second: 1374667574 packet second: 1374667574 packet microsecond: 908616 linktype: 1 packet_length: 118 [ 0] B8 27 EB 34 9D 90 00 0C 42 BD 73 44 08 00 45 C0 .'.4....B.sD..E. [ 16] 00 68 E4 77 00 00 40 01 AD DA C0 A8 33 01 C0 A8 .h.w..@.....3... [ 32] 33 31 03 0D A3 13 00 00 00 00 45 C0 00 4C 00 00 31........E..L.. [ 48] 40 00 3F 11 95 0A C0 A8 33 31 C1 E6 F0 16 00 7B @.?.....31.....{ [ 64] 00 7B 00 38 93 37 23 03 0A EC 00 00 11 E3 00 13 .{.8.7#......... [ 80] BB 0A C1 E6 F0 16 D5 86 49 8C 95 67 7C 2B D5 86 ........I..g|+.. [ 96] 49 8C 94 62 D4 0A D5 86 49 8C 95 67 7C 2B D5 9A I..b....I..g|+.. [ 112] 41 B4 91 18 87 57 A....W Which decoded with u2boat and tcpdump mean: [root@ids eth4]# ./u2boat merged.log.1374667559 dump.alx Defaulting to pcap output. [root@ids eth4]# tcpdump -r dump.alx reading from file dump.alx, link-type EN10MB (Ethernet) 15:06:14.908616 IP 192.168.51.1 > 192.168.51.49: ICMP host 193.230.240.22 unreachable - admin prohibited filter, length 84 15:06:14.908616 IP 192.168.51.1 > 192.168.51.49: ICMP host 193.230.240.22 unreachable - admin prohibited filter, length 84 [root@ids eth4]# So, I think it matched with your test/debug rules found in /etc/snort/rules/local-test.rules alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;) alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;) If I'm turning off your debug rules, snort (with all rules updated daily using pulledpork), will not log anything!!! So, where is the mistake/problem? In case you need more infor or want to see content of any other directory or file on my computer, just let me know ... Regards, Alx ----- Original Message ----- From: "waldo kitty" <wkitty42 () windstream net> To: <snort-users () lists sourceforge net> Sent: Tuesday, July 23, 2013 7:12 PM Subject: Re: [Snort-users] snort suddenly stopped to record events
On 7/23/2013 04:02, linux () vfemail net wrote:Hi Waldo, Thanks for help :-). Tried provided debug rules and snort is working and logging events but only for UDP!!! Seems that something is missconfigured in my snort.conf file or some existent rules is blocking snort to log and alert. I am attaching here my snort.conf file, maybe you can identify what is wrong or you have a suggestion.everything posted looked ok... i don't see anything that jumps out in your snort.conf, either... you ran snort for just over 2 minutes (129.124889 seconds) and processed 310 packets... it is possible that there was no TCP packets during that time... try this... 1. edit local-test.rules 2. comment out the two UDP rules 3. save and exit 4. edit snort.conf 5. enable local-test.rules 6. save and exit 7. restart snort now generate some TCP traffic... browsing to a web site should work... does that TCP traffic show up now? don't forget to edit your snort.conf to disable local-test.rules when you finish running each set of tests... you really don't want snort to be grabbing everything... the logs can get monstrously huge ;) -- NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted. ------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------- VFEmail.net - http://www.vfemail.net $14.95 ONETIME Lifetime accounts with Privacy Features! 15GB disk! No bandwidth quotas! Commercial and Bulk Mail Options! ------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- snort suddenly stopped to record events linux (Jul 22)
- Re: snort suddenly stopped to record events waldo kitty (Jul 22)
- Re: snort suddenly stopped to record events linux (Jul 23)
- Re: snort suddenly stopped to record events waldo kitty (Jul 23)
- Re: snort suddenly stopped to record events Alex (Jul 24)
- Re: snort suddenly stopped to record events Peter Bates (Jul 24)
- Re: snort suddenly stopped to record events waldo kitty (Jul 24)
- Re: snort suddenly stopped to record events Alex (Jul 26)
- Re: snort suddenly stopped to record events waldo kitty (Jul 26)
- Re: snort suddenly stopped to record events Alex (Jul 29)
- Re: snort suddenly stopped to record events linux (Jul 23)
- Re: snort suddenly stopped to record events waldo kitty (Jul 22)