Snort mailing list archives

Re: snort suddenly stopped to record events

From: "Alex" <linux () vfemail net>
Date: Wed, 24 Jul 2013 17:00:18 +0300

Hi Waldo,

Thanks again for your help. I've collected more info, see below :-)

just commenting out UDP rules in /etc/snort/rules/local-test.rules:

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; 
classtype:misc-activity; sid:5; rev:1;)
#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; 
classtype:misc-activity; sid:6; rev:1;)

will still continue to log UDP packets in syslog!!!!

Jul 24 13:56:14 ids snort: [1:4:1] ip traffic outbound [Classification: 
Unknown Traffic] [Priority: 3] {UDP} 192.168.51.10:138 -> 192.168.51.255:138
Jul 24 13:56:14 ids snort: [1:3:1] ip traffic inbound [Classification: 
Unknown Traffic] [Priority: 3] {UDP} 192.168.51.10:138 -> 192.168.51.255:138

Commenting out also ip rules in /etc/snort/rules/local-test.rules, will 
cause snort to stop logging UDP packets.

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; 
classtype:unknown; sid:3; rev:1;)
#alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; 
classtype:unknown; sid:4; rev:1;)

but this time, in merged.log, nothing is recorded! To isolate somehow the 
problem:

- on one terminal I've started a tcpdump -v tcp -i eth4
- on second terminal, i've started: snort -u snort -g snort snort -c 
/etc/snort/snort.conf

on my host (192.168.51.59) I've telneted host 192.168.51.61 on port 80 
(which is a network printer) and has a management interface listening on 
port 80

See below logs:
[root@ids ~]# tcpdump -v -nn tcp -i eth4
tcpdump: WARNING: eth4: no IPv4 address assigned
tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 96 
bytes
14:51:45.701106 IP (tos 0x0, ttl  64, id 27972, offset 0, flags [DF], proto: 
TCP (6), length: 48) 192.168.51.61.80 > 192.168.51.59.1984: S, cksum 0xf7ba 
(correct), 3548862483:3548862483(0) ack 3068431451 win 11680 <mss 
1460,nop,wscale 0>
14:51:45.702054 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP 
(6), length: 40) 192.168.51.61.80 > 192.168.51.59.1984: R, cksum 0x946b 
(correct), 3548862484:3548862484(0) win 0

[root@ids snort]# tail -f /var/log/messages|grep snort
Jul 24 14:51:45 ids snort: [1:2:1] tcp traffic outbound [Classification: A 
TCP connection was detected] [Priority: 4] {TCP} 192.168.51.61:80 -> 
192.168.51.59:1984
Jul 24 14:51:45 ids snort: [1:1:1] tcp traffic inbound [Classification: A 
TCP connection was detected] [Priority: 4] {TCP} 192.168.51.61:80 -> 
192.168.51.59:1984
Jul 24 14:51:45 ids snort: [1:2:1] tcp traffic outbound [Classification: A 
TCP connection was detected] [Priority: 4] {TCP} 192.168.51.61:80 -> 
192.168.51.59:1984
Jul 24 14:51:45 ids snort: [1:1:1] tcp traffic inbound [Classification: A 
TCP connection was detected] [Priority: 4] {TCP} 192.168.51.61:80 -> 
192.168.51.59:1984

Now, I have a question, to be sure that I am understanding correctly snort 
functionality.

Supposing that barnyard IS NOT STARTED and udp and ip rules are enabled in 
local-test.rules, I am able to see that in merged.log will be recorderded 
some things and also in syslog will appear alerts!!!!

Now, in snort.conf I have 2 lines defined for output:

output unified2: filename merged.log, limit 128

and

output alert_syslog: LOG_AUTH LOG_ALERT


What line in snort.conf will produce alerts in syslog?


As far as I understand, output unified2: filename merged.log, is related to 
barnyard and will not record in syslog.

ONLY when barnyard2 will be started, merged.log file will be read and in 
case will be some alerts, barbyard2 will write them in syslog. Correct?

The second line (output alert_syslog: LOG_AUTH LOG_ALERT), will be 
responsible to write direct in syslog and has nothing to do with merged.log 
file above. Right?

So answer to my question above is: output alert_syslog: LOG_AUTH LOG_ALERT! 
Right?

Now, I've started snort as daemon and tried to generate some traffic again, 
telneting another host from the same source (192.168.51.59)

telnet 192.168.51.100 80! Unfortunatelly, this time tcpdump will show and 
record only arp request:

[root@ids ~]# tcpdump -i eth4 -v host 192.168.51.59
tcpdump: WARNING: eth4: no IPv4 address assigned
tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 96 
bytes
16:20:41.672663 arp who-has 192.168.51.59 tell 192.168.51.100

and this event is not recorded/alerted by snort even connection has been 
established. Is this normal?

Anyway, in this time, something has been recorded in merged.log file. I've 
decoded using u2spewfoo, see blelow:

[root@ids eth4]# ./u2spewfoo merged.log.1374667559
(Event)
        sensor id: 0    event id: 1     event second: 1374667574 
event microsecond: 908616
        sig id: 8       gen id: 1       revision: 1      classification: 31
        priority: 3     ip source: 192.168.51.1 ip destination: 
192.168.51.49
        src port: 3     dest port: 13   protocol: 1     impact_flag: 0 
blocked: 0

Packet
        sensor id: 0    event id: 1     event second: 1374667574
        packet second: 1374667574       packet microsecond: 908616
        linktype: 1     packet_length: 118
[    0] B8 27 EB 34 9D 90 00 0C 42 BD 73 44 08 00 45 C0  .'.4....B.sD..E.
[   16] 00 68 E4 77 00 00 40 01 AD DA C0 A8 33 01 C0 A8  .h.w..@.....3...
[   32] 33 31 03 0D A3 13 00 00 00 00 45 C0 00 4C 00 00  31........E..L..
[   48] 40 00 3F 11 95 0A C0 A8 33 31 C1 E6 F0 16 00 7B  @.?.....31.....{
[   64] 00 7B 00 38 93 37 23 03 0A EC 00 00 11 E3 00 13  .{.8.7#.........
[   80] BB 0A C1 E6 F0 16 D5 86 49 8C 95 67 7C 2B D5 86  ........I..g|+..
[   96] 49 8C 94 62 D4 0A D5 86 49 8C 95 67 7C 2B D5 9A  I..b....I..g|+..
[  112] 41 B4 91 18 87 57                                A....W

(Event)
        sensor id: 0    event id: 2     event second: 1374667574 
event microsecond: 908616
        sig id: 7       gen id: 1       revision: 1      classification: 31
        priority: 3     ip source: 192.168.51.1 ip destination: 
192.168.51.49
        src port: 3     dest port: 13   protocol: 1     impact_flag: 0 
blocked: 0

Packet
        sensor id: 0    event id: 2     event second: 1374667574
        packet second: 1374667574       packet microsecond: 908616
        linktype: 1     packet_length: 118
[    0] B8 27 EB 34 9D 90 00 0C 42 BD 73 44 08 00 45 C0  .'.4....B.sD..E.
[   16] 00 68 E4 77 00 00 40 01 AD DA C0 A8 33 01 C0 A8  .h.w..@.....3...
[   32] 33 31 03 0D A3 13 00 00 00 00 45 C0 00 4C 00 00  31........E..L..
[   48] 40 00 3F 11 95 0A C0 A8 33 31 C1 E6 F0 16 00 7B  @.?.....31.....{
[   64] 00 7B 00 38 93 37 23 03 0A EC 00 00 11 E3 00 13  .{.8.7#.........
[   80] BB 0A C1 E6 F0 16 D5 86 49 8C 95 67 7C 2B D5 86  ........I..g|+..
[   96] 49 8C 94 62 D4 0A D5 86 49 8C 95 67 7C 2B D5 9A  I..b....I..g|+..
[  112] 41 B4 91 18 87 57                                A....W

Which decoded with u2boat and tcpdump mean:

[root@ids eth4]# ./u2boat merged.log.1374667559 dump.alx
Defaulting to pcap output.

[root@ids eth4]# tcpdump -r dump.alx
reading from file dump.alx, link-type EN10MB (Ethernet)
15:06:14.908616 IP 192.168.51.1 > 192.168.51.49: ICMP host 193.230.240.22 
unreachable - admin prohibited filter, length 84
15:06:14.908616 IP 192.168.51.1 > 192.168.51.49: ICMP host 193.230.240.22 
unreachable - admin prohibited filter, length 84
[root@ids eth4]#

So, I think it matched with your test/debug rules found in 
/etc/snort/rules/local-test.rules

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; 
classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; 
classtype:icmp-event; sid:8; rev:1;)

If I'm turning off your debug rules, snort (with all rules updated daily 
using pulledpork), will not log anything!!!

So, where is the mistake/problem? In case you need more infor or want to see 
content of any other directory or file on my computer, just let me know ...

Regards,
Alx
----- Original Message ----- 
From: "waldo kitty" <wkitty42 () windstream net>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, July 23, 2013 7:12 PM
Subject: Re: [Snort-users] snort suddenly stopped to record events

On 7/23/2013 04:02, linux () vfemail net wrote:

Hi Waldo,

Thanks for help :-). Tried provided debug rules and snort is working and 
logging
events but only for UDP!!!

Seems that something is missconfigured in my snort.conf file or some 
existent
rules is blocking snort to log and alert. I am attaching here my 
snort.conf
file, maybe you can identify what is wrong or you have a suggestion.


everything posted looked ok... i don't see anything that jumps out in your
snort.conf, either... you ran snort for just over 2 minutes (129.124889 
seconds)
and processed 310 packets... it is possible that there was no TCP packets 
during
that time...

try this...

1. edit local-test.rules
2. comment out the two UDP rules
3. save and exit
4. edit snort.conf
5. enable local-test.rules
6. save and exit
7. restart snort

now generate some TCP traffic... browsing to a web site should work...

does that TCP traffic show up now?

don't forget to edit your snort.conf to disable local-test.rules when you 
finish
running each set of tests... you really don't want snort to be grabbing
everything... the logs can get monstrously huge ;)

-- 
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort 
news!



-------------------------------------------------

VFEmail.net - http://www.vfemail.net
$14.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!  

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

snort suddenly stopped to record events linux (Jul 22)
- Re: snort suddenly stopped to record events waldo kitty (Jul 22)
  - Re: snort suddenly stopped to record events linux (Jul 23)
    - Re: snort suddenly stopped to record events waldo kitty (Jul 23)
    - Re: snort suddenly stopped to record events Alex (Jul 24)
    - Re: snort suddenly stopped to record events Peter Bates (Jul 24)
    - Re: snort suddenly stopped to record events waldo kitty (Jul 24)
    - Re: snort suddenly stopped to record events Alex (Jul 26)
    - Re: snort suddenly stopped to record events waldo kitty (Jul 26)
    - Re: snort suddenly stopped to record events Alex (Jul 29)