Snort mailing list archives
Re: Snort not logging to /var/log/snort
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 18 Mar 2015 23:12:20 +0000
Hello,

Are you generating traffic that would create an alert? Traffic generated with "-v" doesn't necessarily fire an IDS rule.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Mark Sellers [mailto:msellers () equimed com]
Sent: Wednesday, March 18, 2015 5:38 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort not logging to /var/log/snort

This is a new install to a Centos 7 64-bit server. I was able to install and test the Snort software following the online guide for Centos 6/7.

Running:

/usr/local/bin/snort -T -i enp5s0f0 -u snort -g snort -c /etc/snort/snort.conf

Resulted in a whole bunch of stuff, but finished with:

pcap DAQ configured to passive.
Acquiring network traffic from "enp5s0f0".
Set gid to 40000
Set uid to 40000

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.2 GRE (Build 177)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>

Snort successfully validated the configuration!
Snort exiting

If I run:

/usr/local/bin/snort -v -i

out streams the port activity - Everything Seems Great, but when I run:

/usr/local/bin/snort -D -i enp5s0f0 -u snort -g snort -c /etc/snort/snort.conf

I get:

Spawning daemon child...
My daemon child 29197 lives...
Daemon parent exiting (0)

I note that in /var/log/snort, I now have an alert and snort.log files! BUT nothing is ever logged to these files. No alarms are being logged. Any ideas?

Note: I have set ownership and permissions to /var/log/snort as follows:

chown -R snort:snort /var/log/snort
chmod -R 700 /var/log/snort

and upon creation, alert and snort.log both are owned by user/group snort with permissions 600.

Please help me figure this out as I would really like to be using snort.

Thanks,
Mark

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
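A self-check added here (not from either poster) for the situation in this thread: it confirms that the sensor actually fires and writes an alert record, rather than merely seeing packets as "-v" does. The binary, interface and log directory default to the values in Mark's message; the rule sid, the /tmp rules path and the ping target are placeholders, and running a bare rules file with -c is assumed to work as it does on Snort 2.9.x.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a Snort 2.9.x sensor really
# produces alert records. Packet-dump mode (-v) never consults the rules, so a
# quiet alert file with "-v" looking fine is expected until a rule matches.
# Placeholders: the sid, the rules path and PING_TARGET are made up here.
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
IFACE="${IFACE:-enp5s0f0}"
LOGDIR="${LOGDIR:-/var/log/snort}"
RULES="${RULES:-/tmp/snort-selftest.rules}"
PING_TARGET="${PING_TARGET:-192.0.2.1}"   # any host routed out through IFACE

# A rule that fires on outbound ICMP echo requests, so a plain ping exercises
# the whole path (DAQ -> rules engine -> output plugin). sid >= 1000000 is the
# range reserved for local rules.
make_test_rule() {
    printf 'alert icmp any any -> any any (msg:"LOCAL SELFTEST ICMP"; itype:8; sid:1000001; rev:1;)\n'
}

# Count alert records in a Snort alert file. Both the default "full" format and
# the "fast" format carry one "[**] [gid:sid:rev]" header per record, so that
# is what is counted; a missing or empty file yields 0.
count_alerts() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '\[\*\*\] \[[0-9][0-9]*:[0-9][0-9]*:[0-9][0-9]*\]' "$1" || true
}

# Run the sensor briefly against only the self-test rule and report whether the
# alert file grew. Needs root (or CAP_NET_RAW) and a writable LOGDIR.
smoke_test() {
    make_test_rule > "$RULES"
    "$SNORT_BIN" -T -c "$RULES" >/dev/null 2>&1 || { echo "rule file failed -T validation"; return 1; }
    before=$(count_alerts "$LOGDIR/alert")
    "$SNORT_BIN" -q -i "$IFACE" -c "$RULES" -l "$LOGDIR" &
    pid=$!
    sleep 2
    ping -c 3 -W 1 "$PING_TARGET" >/dev/null 2>&1 || true   # echo requests are enough
    sleep 2
    kill "$pid"; wait "$pid" 2>/dev/null || true
    after=$(count_alerts "$LOGDIR/alert")
    echo "alert records before=$before after=$after"
    [ "$after" -gt "$before" ]
}

if [ "${RUN_SNORT:-0}" = 1 ]; then
    smoke_test
fi
```

Run it as RUN_SNORT=1 ./selftest.sh; if the record count does not grow while the daemon's "alert" file stays at size 0, the problem is rule coverage or traffic, not file permissions.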
Current thread:
- Snort not logging to /var/log/snort Mark Sellers (Mar 18)
- Re: Snort not logging to /var/log/snort Al Lewis (allewi) (Mar 18)