Snort mailing list archives

Re: Snort Alert is Not Producing Any Timestamp


From: "Al Lewis (allewi) via Snort-users" <snort-users () lists snort org>
Date: Mon, 3 Jul 2017 14:52:49 +0000

Hello,

What command are you using to start snort?

What version of snort are you using?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Dimz via Snort-users <snort-users () lists snort org>
Reply-To: Dimz <dimas_forever () yahoo com>
Date: Monday, July 3, 2017 at 6:57 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort Alert is Not Producing Any Timestamp

Hi Everybody,

I installed Snort 2.9 on Ubuntu Server 16.04 in my VM. I installed Snort inline using NFQ, following this guide: http://sublimerobots.com/2017/06/snort-ips-with-nfq-routing-on-ubuntu/

The installation and the routing are successful: Ubuntu can forward packets and Snort can detect traffic. The only problem is that the generated alerts have no timestamp.

Here is the output of snort --daq-list:
dimz@ubuntu:/var/log/snort$ snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

The snort.conf:
config daq: nfq
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: queue=4

The iptables:
dimz@ubuntu:/var/log/snort$ sudo iptables -vL
Chain INPUT (policy ACCEPT 2149 packets, 164K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
   16  1514 NFQUEUE    all  --  any    any     anywhere             anywhere             NFQUEUE num 4 bypass

Chain OUTPUT (policy ACCEPT 2046 packets, 173K bytes)
pkts bytes target     prot opt in     out     source               destination

The NAT iptables (for port forwarding a web server behind Snort machine):
dimz@ubuntu:/var/log/snort$ sudo iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 61 packets, 5536 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:http-alt 
to:192.168.2.103:8080

Chain INPUT (policy ACCEPT 10 packets, 1888 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 484 packets, 30252 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 485 packets, 30336 bytes)
pkts bytes target     prot opt in     out     source               destination
    2   202 MASQUERADE  all  --  any    ens33   anywhere             anywhere

The server epoch time:
dimz@ubuntu:/var/log/snort$ date +'%s'
1499079069

result from tcpdump (the timestamp is correct):
dimz@ubuntu:/var/log/snort$ sudo tcpdump -i ens33 dst host 192.168.2.103
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
17:51:58.297893 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 1, length 64
17:51:59.300042 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 2, length 64
17:52:00.304461 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 3, length 64
17:52:01.305757 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 4, length 64

I output my Snort alerts to two outputs: alert.full and snort.u2. Here is the output from alert.full (I created a simple ping detection rule):
dimz@ubuntu:/var/log/snort$ tail -f alert.full
01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103
ICMP TTL:63 TOS:0x0 ID:17418 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2379   Seq:3  ECHO

[**] [1:10000001:1] ICMP Test Detected [**]
[Classification: Generic ICMP event] [Priority: 3]
01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103
ICMP TTL:63 TOS:0x0 ID:17470 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2379   Seq:4  ECHO

Here is the output from snort.u2:
(Event)
        sensor id: 0    event id: 7     event second: 0 event microsecond: 0
        sig id: 10000001        gen id: 1       revision: 1      classification: 31
        priority: 3     ip source: 192.168.174.129      ip destination: 192.168.2.103
        src port: 8     dest port: 0    protocol: 1     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 7     event second: 0
        packet second: 0        packet microsecond: 0
        linktype: 228   packet_length: 84
[    0] 45 00 00 54 44 3E 40 00 3F 01 C5 31 C0 A8 AE 81  E..TD>@.?..1....
[   16] C0 A8 02 67 08 00 2E 91 09 4B 00 04 6E 21 5A 59  ...g.....K..n!ZY
[   32] 00 00 00 00 33 D2 05 00 00 00 00 00 10 11 12 13  ....3...........
[   48] 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23  ............ !"#
[   64] 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33  $%&'()*+,-./0123
[   80] 34 35 36 37                                      4567


Why is the timestamp not detected???

I need help, please.
I have been dealing with this issue for days, and I have been doing intensive Google searches to find a similar issue, but still no luck.

Thank you very much.

-Dimz-
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
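A practitioner checking a report like the one above would want to confirm that the zero timestamps are really in the data rather than a display problem. Two facts on the page support that: the snort.u2 dump shows "event second: 0" and "packet second: 0", and the alert.full stamp "01/01-07:00:00.000000" is exactly what Unix epoch 0 looks like in local time on a box at UTC+7, which is the offset implied by `date +'%s'` printing 1499079069 (10:51 UTC) while tcpdump printed 17:51 for the same minute. The script below is an added example, not code from the thread or from the Snort project. It assumes the unified2 record layouts used by Snort 2.9 (IDS event record type 7 with a 52-byte body, packet record type 2 with a 28-byte header before the packet bytes) and that alert.full prints local time. The sample unified2 stream is constructed from the values in the snort.u2 dump above; the helper names are the example's own.

```python
"""Detect epoch-0 timestamps in Snort unified2 and alert.full output.

Added example (not Snort project code). Builds a unified2 byte stream from
the values shown in the snort.u2 dump in the thread, parses it back using
the Snort 2.9 unified2 record layouts, and flags records whose timestamps
are zero. Also shows why "01/01-07:00:00.000000" in alert.full is epoch 0.
"""
import struct
from datetime import datetime, timedelta, timezone

# Record type numbers from Snort's unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Record header: type and length, both uint32 in network byte order.
HDR = struct.Struct("!II")
# Unified2IDSEvent body: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
EVENT = struct.Struct("!11I2H4B")
# Serial_Unified2Packet header before the raw packet bytes: 7 x uint32.
PACKET = struct.Struct("!7I")

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source",
                "ip_destination", "sport_itype", "dport_icode", "protocol",
                "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def ip2int(dotted):
    """Dotted-quad IPv4 string to the uint32 stored in the event record."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def build_record(rtype, body):
    """Wrap a record body with its unified2 header (hypothetical helper)."""
    return HDR.pack(rtype, len(body)) + body


def parse_unified2(data):
    """Parse a unified2 byte stream into a list of (type, fields) tuples.

    Raises ValueError on a truncated header or body instead of silently
    returning partial records, which is what you want in a log consumer.
    """
    records, off = [], 0
    while off < len(data):
        if len(data) - off < HDR.size:
            raise ValueError("truncated unified2 record header")
        rtype, rlen = HDR.unpack_from(data, off)
        off += HDR.size
        body = data[off:off + rlen]
        if len(body) != rlen:
            raise ValueError("truncated unified2 record body")
        off += rlen
        if rtype == UNIFIED2_IDS_EVENT:
            rec = dict(zip(EVENT_FIELDS, EVENT.unpack_from(body)))
        elif rtype == UNIFIED2_PACKET:
            rec = dict(zip(PACKET_FIELDS, PACKET.unpack_from(body)))
            rec["packet_data"] = body[PACKET.size:PACKET.size + rec["packet_length"]]
        else:
            rec = {"raw": body}  # other record types are kept opaque here
        records.append((rtype, rec))
    return records


def zero_timestamp_records(records):
    """Return (type, event_id) for event/packet records stamped with second 0."""
    flagged = []
    for rtype, rec in records:
        if rtype == UNIFIED2_IDS_EVENT and rec["event_second"] == 0:
            flagged.append((rtype, rec["event_id"]))
        elif rtype == UNIFIED2_PACKET and rec["packet_second"] == 0:
            flagged.append((rtype, rec["event_id"]))
    return flagged


def local_utc_offset_hours(epoch, local_hhmm):
    """Infer the host's UTC offset from an epoch value (date +%s) and the
    local HH:MM another tool (tcpdump) printed for the same minute."""
    utc = datetime.fromtimestamp(epoch, timezone.utc)
    lh, lm = (int(x) for x in local_hhmm.split(":"))
    diff = (lh * 60 + lm) - (utc.hour * 60 + utc.minute)
    if diff <= -12 * 60:      # fold the day wrap-around into (-12h, +14h]
        diff += 1440
    elif diff > 14 * 60:
        diff -= 1440
    return round(diff / 60)


def alert_full_timestamp_is_epoch0(line, utc_offset_hours):
    """alert.full prints local time as MM/DD-HH:MM:SS.ffffff; True when the
    stamp at the start of the line is epoch 0 rendered in that timezone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return line.split()[0] == datetime.fromtimestamp(0, tz).strftime("%m/%d-%H:%M:%S.%f")


# Sample stream constructed from the snort.u2 dump in the thread: the
# 84-byte ICMP echo request (linktype 228 = raw IP) and its event record.
PING_PACKET = bytes.fromhex(
    "45000054443e40003f01c531c0a8ae81c0a80267 08002e91094b00046e215a59"
    "0000000033d20500000000001011121314151617 18191a1b1c1d1e1f20212223"
    "24252627 28292a2b2c2d2e2f3031323334353637"
)
SAMPLE_U2 = (
    build_record(UNIFIED2_IDS_EVENT, EVENT.pack(
        0, 7, 0, 0, 10000001, 1, 1, 31, 3,
        ip2int("192.168.174.129"), ip2int("192.168.2.103"),
        8, 0, 1, 0, 0, 0))
    + build_record(UNIFIED2_PACKET,
                   PACKET.pack(0, 7, 0, 0, 0, 228, len(PING_PACKET)) + PING_PACKET)
)

if __name__ == "__main__":
    offset = local_utc_offset_hours(1499079069, "17:51")
    print("host UTC offset:", offset)
    print("alert.full stamp is epoch 0:",
          alert_full_timestamp_is_epoch0("01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103", offset))
    print("unified2 records with zero timestamps:",
          zero_timestamp_records(parse_unified2(SAMPLE_U2)))
```

Run against a real snort.u2 file by replacing SAMPLE_U2 with the file's bytes; a non-empty result from zero_timestamp_records means the zeros are written by the output plugin and are not an artifact of the reader. Al's questions about the exact start command and Snort version are the right next step, since the timestamp Snort stamps on each packet comes from the DAQ module, and nfq(v7) is the module in use here.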
