Snort mailing list archives
Snort and Banyard2 no data in logs.
From: Salvo <ilasa01 () linux rokeby com>
Date: Thu, 24 Oct 2013 16:56:43 +0100
Hello Members,

I am not a Snort expert and am trying to set up a working configuration. The problem I experience is that the snort logs are empty. This is what I have configured, starting from the basics.

*Network configuration:*

Server has two NICs. One is in the DMZ, the second is in the green zone. Snort is configured for the NIC in the DMZ only, from where the external traffic arrives.

*SNORT*

- snort-2.9.5.5

- snort --daq-list

Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

- snort.conf

ipvar HOME_NET 10.X.X.X/24
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET
ipvar FTP_SERVERS $HOME_NET
ipvar SIP_SERVERS $HOME_NET
.
.
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
.
.
config event_queue: max_queue 8 log 5 order_events content_length
.
output unified2: filename snort.log, limit 128

- Snort status

root 15999 1 0 11:34 ? 00:00:08 snort -i eth0 -c /etc/snort.conf -l /var/log/snort -v

- Snort troubleshooting

When snort runs, I see packets flow in my console. No errors in the server messages file. Snort creates the "snort.log.138670864" file in the log directory, but it remains empty.

*Barnyard2*

- barnyard2-1.9

- barnyard2.conf

config logdir: /var/log/snort
config hostname: localhost
config interface: eth0
config alert_with_interface_name
config set_gid: XXXXX ----> this is the snort user GID;
config set_uid: XXXXX ----> this is the snort user UID;
config waldo_file: /var/log/snort/barnyard2.waldo
config umask: 066
config verbose
config reference_net: 10.X.X.X/24
output alert_fast: stdout
output alert_syslog
output alert_syslog: host=XXX.XXX.XXX.XXX
output alert_syslog: host=server.domain.com:123
output database: log, mysql, user=snort_user password=snort_password dbname=snortdb host=servername

- Barnyard status

snort 35xx6 1 0 16:07 ? 00:00:00 ./barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

- Barnyard troubleshooting

The following status is logged in the messages file when barnyard starts with the following command:

./barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

========================================
barnyard2[17xx]: ===============================================================================
Oct 24 16:07:23 server barnyard2[17xxx]: Record Totals:
Oct 24 16:07:23 server barnyard2[17xxx]: Records: 0
Oct 24 16:07:23 server barnyard2[17xxx]: Events: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: Packets: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: ===============================================================================
Oct 24 16:07:23 server barnyard2[17xxx]: Packet breakdown by protocol (includes rebuilt packets):
Oct 24 16:07:23 server barnyard2[17xxx]: ETH: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: ETHdisc: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: VLAN: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: IPV6: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: IP6 EXT: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: IP6opts: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: IP6disc: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: IP4: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: IP4disc: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: TCP 6: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: UDP 6: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: ICMP6: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: ICMP-IP: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: TCP: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: UDP: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: ICMP: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: TCPdisc: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: UDPdisc: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: ICMPdis: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: FRAG: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: FRAG 6: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: ARP: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: EAPOL: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: ETHLOOP: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: IPX: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: OTHER: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: DISCARD: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: InvChkSum: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: S5 G 1: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: S5 G 2: 0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: Total: 0
Oct 24 16:07:23 server barnyard2[17xxx]: ===============================================================================
Oct 24 16:07:46 server barnyard2[35xx]: Running in Continuous mode
Oct 24 16:07:46 server barnyard2[35xx]:
Oct 24 16:07:46 server barnyard2[35xx]: --== Initializing Barnyard2 ==--
Oct 24 16:07:46 server barnyard2[35xx]: Initializing Input Plugins!
Oct 24 16:07:46 server barnyard2[35xx]: Initializing Output Plugins!
Oct 24 16:07:46 server barnyard2[35xx]: Parsing config file "/etc/barnyard2.conf"
Oct 24 16:07:49 server barnyard2[35xx]: Log directory = /var/log/snort
Oct 24 16:07:49 server barnyard2[35xx]: No arguments to alert_syslog preprocessor!
Oct 24 16:07:49 server snort[35xx]: WARNING => Unrecognized syslog facility/priority: host=xxx.xxx.xxx.xxx
Oct 24 16:07:49 server snort[35xx]: WARNING => Unrecognized syslog facility/priority: host=server.domain.com:123
Oct 24 16:07:49 server snort[35xx]: Initializing daemon mode
Oct 24 16:07:49 server snort[35xx]: Daemon initialized, signaled parent pid: 35xx
Oct 24 16:07:49 server snort[35xx]: PID path stat checked out ok, PID path set to /var/run/
Oct 24 16:07:49 server snort[35xx]: Writing PID "35xx" to file "/var/run//barnyard2_eth0.pid"
Oct 24 16:07:49 server snort[35xx]: Node unique name is: server:eth0
Oct 24 16:07:49 server snort[35xx]: Daemon parent exiting
Oct 24 16:07:49 server snort[35xx]: database: compiled support for (mysql)
Oct 24 16:07:49 server snort[35xx]: database: configured to use mysql
Oct 24 16:07:49 server snort[35xx]: database: schema version = 107
Oct 24 16:07:49 server snort[35xx]: database: host = server
Oct 24 16:07:49 server snort[35xx]: database: user = snort_user
Oct 24 16:07:49 server snort[35xx]: database: database name = snort_db
Oct 24 16:07:49 server snort[35xx]: database: sensor name = server:eth0
Oct 24 16:07:49 server snort[35xx]: database: sensor id = 1
Oct 24 16:07:49 server snort[35xx]: database: sensor cid = 1
Oct 24 16:07:49 server snort[35xx]: database: data encoding = hex
Oct 24 16:07:49 server snort[35xx]: database: detail level = full
Oct 24 16:07:49 server snort[35xx]: database: ignore_bpf = no
Oct 24 16:07:49 server snort[35xx]: database: using the "log" facility
Oct 24 16:07:49 server snort[35xx]: --== Initialization Complete ==--
Oct 24 16:07:49 server snort[35xx]: Barnyard2 initialization completed successfully (pid=35xx)
Oct 24 16:07:49 server snort[35xx]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Oct 24 16:07:49 server snort[35xx]: Waiting for new spool file

- Log Directory

The snort directory rights are:

drwx------ 2 snort snort 4096 Oct 24 11:40 snort

The snort log files are:

-rw-r--r-- 1 root root 0 Oct 24 11:34 alert
-rw-r--r-- 1 root root 0 Oct 24 11:40 barnyard2.waldo
-rw------- 1 root root 0 Oct 24 11:34 snort.log.138670864

====================================

What am I doing wrong? Any help would be appreciated.

Thanks.
Salvo
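The post shows every piece of the Snort to unified2 to Barnyard2 pipeline, so the useful thing to check is whether those pieces agree with each other: the `filename` prefix in `output unified2:` versus the `-f` prefix Barnyard2 is started with, whether the file Snort actually created (`snort.log.138670864`) carries the prefix Barnyard2 is polling for, whether a `-rw------- root root` spool is readable by the uid/gid Barnyard2 drops to via `set_uid`/`set_gid`, and whether the spool contains any unified2 records at all. The script below is an added example written for this archive page; it is not code from the poster or from the Snort or Barnyard2 projects. It assumes the unified2 record layout from Snort's unified2 documentation (a 4-byte type plus 4-byte length header in network byte order, a 52-byte legacy IPv4 IDS event as type 7, and a packet record as type 2); the config snippet, command line and spool bytes it uses are constructed to mirror the values in the post.

```python
"""Consistency checks for a Snort -> unified2 -> Barnyard2 spool pipeline.

Added example for this mailing-list page; not from the post or the projects.
Assumed unified2 layout (per Snort's unified2 docs): each record is
  uint32 type, uint32 length (network order), then `length` body bytes;
type 7 is the 52-byte legacy IPv4 IDS event, type 2 is a packet record.
"""
import re
import shlex
import struct

UNIFIED2_PACKET = 2        # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7     # Unified2IDSEvent_legacy (IPv4)

RECORD_HDR = struct.Struct("!II")       # type, length
IDS_EVENT = struct.Struct("!11I2H4B")   # 52 bytes, see build_sample_spool()
PACKET_HDR = struct.Struct("!7I")       # 28 bytes, followed by packet data

# Constructed: the two values from the post that have to agree.
SNORT_CONF = """\
ipvar HOME_NET 10.0.0.0/24
output unified2: filename snort.log, limit 128
"""
BARNYARD2_CMD = ("./barnyard2 -c /etc/barnyard2.conf -d /var/log/snort "
                 "-f snort.u2 -w /var/log/snort/barnyard2.waldo -D")


def unified2_prefix_from_conf(conf_text):
    """Return the 'filename' value of the 'output unified2:' line, or None."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*output\s+unified2:\s*(.+)", line)
        if not m:
            continue
        for kv in m.group(1).split(","):          # "filename snort.log, limit 128"
            key, _, value = kv.strip().partition(" ")
            if key == "filename":
                return value.strip()
    return None


def spool_prefix_from_cmdline(cmdline):
    """Return the spool prefix passed to barnyard2 with -f, or None."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv[:-1]):
        if arg == "-f":
            return argv[i + 1]
    return None


def spool_prefix_matches(conf_text, cmdline):
    """Barnyard2 only opens <logdir>/<prefix>.<timestamp>; prefixes must agree."""
    return unified2_prefix_from_conf(conf_text) == spool_prefix_from_cmdline(cmdline)


def is_spool_file(filename, prefix):
    """True if filename has the <prefix>.<unix-timestamp> form Snort writes."""
    return re.fullmatch(re.escape(prefix) + r"\.\d+", filename) is not None


def can_read(mode, file_uid, file_gid, uid, gid):
    """Unix read check: root always; else owner bits, else group bits, else other."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & 0o400)
    if gid == file_gid:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


def iter_unified2_records(data):
    """Yield (type, body) per record; a short tail means a truncated spool."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated record at offset %d" % (off - RECORD_HDR.size))
        yield rtype, data[off:off + rlen]
        off += rlen


def summarize_spool(data):
    """Totals like barnyard2's 'Record Totals', plus (gid, sid, rev) per event."""
    summary = {"records": 0, "events": 0, "packets": 0, "other": 0, "sigs": []}
    for rtype, body in iter_unified2_records(data):
        summary["records"] += 1
        if rtype == UNIFIED2_IDS_EVENT and len(body) == IDS_EVENT.size:
            f = IDS_EVENT.unpack(body)
            summary["events"] += 1
            summary["sigs"].append((f[5], f[4], f[6]))   # generator, signature, revision
        elif rtype == UNIFIED2_PACKET:
            summary["packets"] += 1
        else:
            summary["other"] += 1
    return summary


def build_sample_spool():
    """Constructed spool: one IPv4 IDS event (gid 1, sid 1000001) and its packet."""
    event = IDS_EVENT.pack(1, 1, 1382630863, 0,        # sensor, event id, sec, usec
                           1000001, 1, 1, 3, 2,         # sid, gid, rev, class, priority
                           0x0A000005, 0x0A000001,      # 10.0.0.5 -> 10.0.0.1 (constructed)
                           12345, 80, 6, 0, 0, 0)       # sport, dport, TCP, flags
    pkt = b"\x00" * 14 + b"\x45" + b"\x00" * 19          # constructed dummy frame
    packet = PACKET_HDR.pack(1, 1, 1382630863, 1382630863, 0, 1, len(pkt)) + pkt
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event +
            RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    print("prefix in snort.conf:", unified2_prefix_from_conf(SNORT_CONF))
    print("prefix given with -f:", spool_prefix_from_cmdline(BARNYARD2_CMD))
    print("prefixes agree:", spool_prefix_matches(SNORT_CONF, BARNYARD2_CMD))
    print("snort.log.138670864 matches -f prefix:", is_spool_file("snort.log.138670864", "snort.u2"))
    print("uid 1001 can read -rw------- root root:", can_read(0o600, 0, 0, 1001, 1001))
    print(summarize_spool(build_sample_spool()))
```

Against the values in the post, `spool_prefix_matches` returns False (`snort.log` versus `snort.u2`), `is_spool_file` shows the file Snort created does not match the `-f` prefix, and `can_read` shows a mode 600 root-owned spool is unreadable by a non-root uid; with `summarize_spool` you can confirm whether a real spool file holds records before blaming Barnyard2, and a 0-byte spool simply yields `records: 0`, which is what Barnyard2's own totals reported. To run it on a real file, read it in binary mode and pass the bytes to `summarize_spool`.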
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- disabling specific snort rules Roland RoLaNd (Oct 24)
- Re: disabling specific snort rules James Lay (Oct 24)
- Re: disabling specific snort rules Roland RoLaNd (Oct 24)
- Snort and Banyard2 no data in logs. Salvo (Oct 24)
- Re: Snort and Banyard2 no data in logs. waldo kitty (Oct 24)
- Re: disabling specific snort rules James Lay (Oct 24)
- Re: disabling specific snort rules JJC (Oct 24)
- Re: disabling specific snort rules Roland RoLaNd (Oct 27)
- Re: disabling specific snort rules James Lay (Oct 27)
- Re: disabling specific snort rules Joel Esler (Oct 27)
- Re: disabling specific snort rules Roland RoLaNd (Oct 24)
- Re: disabling specific snort rules James Lay (Oct 24)
- Re: disabling specific snort rules waldo kitty (Oct 24)