Snort mailing list archives
Re: Snort Alert is Not Producing Any Timestamp
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Mon, 3 Jul 2017 14:52:49 +0000
Hello,

What command are you using to start snort? What version of snort are you using?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Dimz via Snort-users <snort-users () lists snort org>
Reply-To: Dimz <dimas_forever () yahoo com>
Date: Monday, July 3, 2017 at 6:57 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort Alert is Not Producing Any Timestamp

Hi Everybody,

I installed my snort 2.9 on Ubuntu server 16.04 on my VM. I installed my snort inline using NFQ from the following guide:
http://sublimerobots.com/2017/06/snort-ips-with-nfq-routing-on-ubuntu/

The installation and the routing are successful, the Ubuntu can forward packets and the snort can detect traffic. The only problem is, the alerts generated have no timestamp.

Attached is the snort --daq-list:

    dimz@ubuntu:/var/log/snort$ snort --daq-list
    Available DAQ modules:
    pcap(v3): readback live multi unpriv
    nfq(v7): live inline multi
    ipfw(v3): live inline multi unpriv
    dump(v3): readback live inline multi unpriv
    afpacket(v5): live inline multi unpriv

The snort.conf:

    config daq: nfq
    config daq_dir: /usr/local/lib/daq
    config daq_mode: inline
    config daq_var: queue=4

The iptables:

    dimz@ubuntu:/var/log/snort$ sudo iptables -vL
    Chain INPUT (policy ACCEPT 2149 packets, 164K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       16  1514 NFQUEUE    all  --  any    any     anywhere             anywhere             NFQUEUE num 4 bypass

    Chain OUTPUT (policy ACCEPT 2046 packets, 173K bytes)
     pkts bytes target     prot opt in     out     source               destination

The NAT iptables (for port forwarding a web server behind the Snort machine):

    dimz@ubuntu:/var/log/snort$ sudo iptables -vL -t nat
    Chain PREROUTING (policy ACCEPT 61 packets, 5536 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:http-alt to:192.168.2.103:8080

    Chain INPUT (policy ACCEPT 10 packets, 1888 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 484 packets, 30252 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 485 packets, 30336 bytes)
     pkts bytes target     prot opt in     out     source               destination
        2   202 MASQUERADE  all  --  any    ens33   anywhere             anywhere

The server epoch time:

    dimz@ubuntu:/var/log/snort$ date +'%s'
    1499079069

Result from tcpdump (the timestamp is correct):

    dimz@ubuntu:/var/log/snort$ sudo tcpdump -i ens33 dst host 192.168.2.103
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
    17:51:58.297893 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 1, length 64
    17:51:59.300042 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 2, length 64
    17:52:00.304461 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 3, length 64
    17:52:01.305757 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 4, length 64

I output my snort alert into 2 outputs: alert.full and snort.u2. Here is the output from alert.full (I created a simple Ping Detection Rule):

    dimz@ubuntu:/var/log/snort$ tail -f alert.full
    01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103
    ICMP TTL:63 TOS:0x0 ID:17418 IpLen:20 DgmLen:84 DF
    Type:8  Code:0  ID:2379   Seq:3  ECHO

    [**] [1:10000001:1] ICMP Test Detected [**]
    [Classification: Generic ICMP event] [Priority: 3]
    01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103
    ICMP TTL:63 TOS:0x0 ID:17470 IpLen:20 DgmLen:84 DF
    Type:8  Code:0  ID:2379   Seq:4  ECHO

Here is the output from snort.u2:

    (Event)
        sensor id: 0    event id: 7     event second: 0 event microsecond: 0
        sig id: 10000001        gen id: 1       revision: 1     classification: 31
        priority: 3     ip source: 192.168.174.129      ip destination: 192.168.2.103
        src port: 8     dest port: 0    protocol: 1     impact_flag: 0  blocked: 0

    Packet
        sensor id: 0    event id: 7     event second: 0
        packet second: 0        packet microsecond: 0
        linktype: 228   packet_length: 84
    [    0]  45 00 00 54 44 3E 40 00 3F 01 C5 31 C0 A8 AE 81  E..TD>@.?..1....
    [   16]  C0 A8 02 67 08 00 2E 91 09 4B 00 04 6E 21 5A 59  ...g.....K..n!ZY
    [   32]  00 00 00 00 33 D2 05 00 00 00 00 00 10 11 12 13  ....3...........
    [   48]  14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23  ............ !"#
    [   64]  24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33  $%&'()*+,-./0123
    [   80]  34 35 36 37                                      4567

Why is the timestamp not detected??? Need help please. I have been dealing with this issue for days, and I have been trying to do an intensive Google search to find a similar issue, but still no luck.

Thank you very much.

-Dimz-
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
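Added here as an illustration, not code from the thread or from the Snort project: a small parser for the two unified2 record types visible in the quoted u2spewfoo dump (the legacy IDS event, type 7, and the packet record, type 2), a monitoring check that flags events whose event second is zero (the symptom reported above), and a helper that renders an epoch the way alert.full prints it. The sample record is constructed from the dump's values, the packet is truncated to its first 32 bytes, and the UTC+7 offset used to show that epoch 0 prints as 01/01-07:00:00.000000 is an assumption.

```python
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

# Unified2 on-disk layout (big-endian): 8-byte record header, then a 52-byte body for
# the legacy IDS event (type 7) or a 28-byte body plus raw packet for a packet record
# (type 2). Field order is the one u2spewfoo prints in the quoted dump.
U2_HDR = struct.Struct("!II")                    # record type, body length
U2_IDS_EVENT, U2_PACKET = 7, 2
U2_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
U2_PKT = struct.Struct("!IIIIIII")
EVENT_FIELDS = ("sensor_id event_id event_second event_usec sig_id gen_id rev class_id "
                "priority ip_src ip_dst sport dport proto impact_flag impact blocked").split()
PKT_FIELDS = "sensor_id event_id event_second pkt_second pkt_usec linktype pkt_len".split()

def parse_unified2(data):
    """Yield (record type, field dict) for each record in a unified2 byte string."""
    off = 0
    while off + U2_HDR.size <= len(data):
        rtype, rlen = U2_HDR.unpack_from(data, off)
        body = data[off + U2_HDR.size:off + U2_HDR.size + rlen]
        if len(body) != rlen:
            raise ValueError("truncated unified2 record at offset %d" % off)
        if rtype == U2_IDS_EVENT:
            yield rtype, dict(zip(EVENT_FIELDS, U2_EVENT.unpack_from(body)))
        elif rtype == U2_PACKET:
            rec = dict(zip(PKT_FIELDS, U2_PKT.unpack_from(body)))
            rec["packet"] = body[U2_PKT.size:U2_PKT.size + rec["pkt_len"]]
            yield rtype, rec
        off += U2_HDR.size + rlen

def zero_timestamp_events(data):
    """Monitoring check: sig_ids of IDS events whose event_second is 0 (no usable clock)."""
    return [rec["sig_id"] for t, rec in parse_unified2(data)
            if t == U2_IDS_EVENT and rec["event_second"] == 0]

def alert_full_timestamp(sec, usec, utc_offset_hours):
    """Render an epoch the way alert.full prints it (MM/DD-HH:MM:SS.uuuuuu) in a local zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(sec, tz).strftime("%m/%d-%H:%M:%S.") + "%06d" % usec

# Constructed sample: the event values from the quoted u2spewfoo dump, plus the first
# 32 bytes of the dumped packet (IPv4 header and ICMP echo request, id 2379, seq 4).
PKT = bytes.fromhex("45000054443E40003F01C531C0A8AE81" "C0A8026708002E91094B00046E215A59")
SAMPLE_U2 = (U2_HDR.pack(U2_IDS_EVENT, U2_EVENT.size)
             + U2_EVENT.pack(0, 7, 0, 0, 10000001, 1, 1, 31, 3,
                             int(ipaddress.IPv4Address("192.168.174.129")),
                             int(ipaddress.IPv4Address("192.168.2.103")), 8, 0, 1, 0, 0, 0)
             + U2_HDR.pack(U2_PACKET, U2_PKT.size + len(PKT))
             + U2_PKT.pack(0, 7, 0, 0, 0, 228, len(PKT)) + PKT)
```

Running zero_timestamp_events over a real snort.u2 file (open it in binary mode) gives a quick health check that the sensor's alerts carry a clock worth correlating on.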
Current thread:
- Snort Alert is Not Producing Any Timestamp Dimz via Snort-users (Jul 03)
- Re: Snort Alert is Not Producing Any Timestamp Al Lewis (allewi) via Snort-users (Jul 03)
- Re: Snort Alert is Not Producing Any Timestamp Dimz via Snort-users (Jul 03)
- Re: Snort Alert is Not Producing Any Timestamp Al Lewis (allewi) via Snort-users (Jul 03)