Snort mailing list archives

RE: Snort won't log anything! Please help...


From: "Kalteis, Nico (Contractor)" <Nico.Kalteis () ed gov>
Date: Fri, 28 Mar 2003 15:11:13 -0500

I don't know, but here is the command line I used (just one of many that
didn't work):

C:\Snort\bin>snort -de -c c:\snort\etc\snort3.conf -l c:\snort\log

Once I typed that in, here is what I got, indicating that Snort started OK.
NOTE: instead of including the rules files, I put a single sample rule
straight in the snort.conf file.



Log directory = c:\snort\log

Initializing Network Interface \

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{C1372086-F27F-4F28-96B7-1709ECF2DAE7}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file c:\snort\etc\snort3.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 0
    Self preservation period: 0
    Suspend threshold: 0
    Suspend period: 0
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

1 Snort rules read...
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.1-ODBC-MySQL-MSSQL-WIN32 (Build 231)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike)
1.8-1.9 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)



The snort.conf file itself is basically untouched, except that I included
the single rule:

alert tcp any any -> any 80

which is the only way I could log SOMEthing.  The moment I put in the real
CMD.EXE rule (the one I used as an example), nothing got logged.

Thanks for any help!

Nico
-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, March 28, 2003 2:57 PM
To: Kalteis, Nico (Contractor)
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Snort won't log anything! Please help...


On Fri, 28 Mar 2003, Kalteis, Nico (Contractor) wrote:

> By the way, I just noticed this:  When I simply use the rule
>
> alert any any -> any any
>
> Snort logs just fine.  It sets up a whole separate folder for any IP
> address it talks to.
>
> But the moment I add ANYTHING behind that line containing a signature it
> just sits there and does nothing.  Specifically, I tried this with a
> simple "cmd.exe" rule.  Then I kept cutting down the signature part until
> all I was left with was (content:"cmd.exe";) but to no avail.  Can anybody
> tell me why it will log packets but not if I include a signature it's
> supposed to match?

That says your .conf file isn't right in some manner.

How are you starting snort?  What does your command line read?  Are you
trying to use relative paths?  Are you using -l <logdir>?  What do you
have defined as your RULE_PATH?  What does the output <foo> line look
like?

Give us a bit more hard data, and we'll be better equipped to help you out.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
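
As an added illustration (not code from this thread or from Snort itself), here is a small Python evaluator for the two rule forms the thread compares: a header-only rule, which matches every packet on the given protocol and port, and a rule carrying a content option, which matches only packets whose payload actually contains those bytes, case-sensitively unless nocase is set. The Packet class and the sample payloads are constructed stand-ins, and the parser handles only the syntax subset shown in the thread.

```python
import re
from dataclasses import dataclass

# Evaluator for the subset of Snort 1.x rule syntax used in the thread:
# "action proto src sport -> dst dport", optionally followed by an option
# block in parentheses holding content:"..."; and nocase; options.
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*(?:\((?P<opts>.*)\))?\s*$'
)

@dataclass
class Packet:          # constructed stand-in for a decoded packet
    proto: str
    dport: int
    payload: bytes

def parse_rule(text):
    """Parse one rule line; raise ValueError if header or options are malformed."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad rule header: {text!r}")
    rule = {"proto": m.group("proto"), "dport": m.group("dport"),
            "content": None, "nocase": False}
    opts = m.group("opts")
    if opts is not None:
        if not opts.strip().endswith(";"):
            raise ValueError("each option must be terminated by ';'")
        for opt in (o.strip() for o in opts.split(";")):
            key, _, val = opt.partition(":")
            if key == "content":
                rule["content"] = val.strip().strip('"').encode()
            elif key == "nocase":
                rule["nocase"] = True
    return rule

def matches(rule, pkt):
    """True when the packet satisfies the header and any content option."""
    if rule["proto"] != pkt.proto:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != pkt.dport:
        return False
    if rule["content"] is None:   # header-only rule: every packet on that
        return True               # protocol/port matches and gets logged
    hay, needle = pkt.payload, rule["content"]
    if rule["nocase"]:            # content is case-sensitive unless nocase;
        hay, needle = hay.lower(), needle.lower()
    return needle in hay
```

A header-only rule therefore produces a log entry for every port-80 packet, while the content rule stays silent on a capture that never carries the exact bytes; comparing the two against the same traffic is a quick way to tell a rule-syntax problem from a simple lack of matching traffic.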
