Snort mailing list archives
Re: RE: Snort not logging to the /var/log/snort/alert file
From: ids () san rr com
Date: Wed, 24 Mar 2004 16:15:23 -0800
Jim,

You are right about the chmod 777. I know better than to open up a file like that. I'm just frustrated trying to get this fixed. I've tried everything and can't seem to get Snort to write to the alert file. I also tried your suggestion:

    mv /var/log/snort/alert /var/log/snort/alert.old
    kill -HUP `cat /var/run/snort_eth0.pid`

and I could not get Snort to recreate the alert file. I think I'm going to just start from scratch and rebuild Snort again. I was kind of thrust on this project for work and basically I'm having to learn a lot. I really like to learn new things so this is very exciting to me. Thank you for your sudo suggestion. I wasn't even aware of it and I'm going to implement it when I start over.

Now a little background on why I was messing with the alert file that you (or anybody else) might be able to help me on. I had everything on Snort working (Snort, MySQL, ACID, PHP and Apache) and was trying to get Swatch to work. I got Swatch to install and edited my .swatchrc file, which looked like this:

    watchfor /snort/
        echo=green_h
        mail=ids () san rr com,subject=--- Snort Test Alert! ---
        exec echo $0 >> /var/log/swatch.log
        throttle 00:00:10

I used this command to start Swatch:

    swatch -c /root/.swatchrc -t /var/log/snort/alert

Swatch runs after this command without any errors. Now I don't know exactly why Swatch is having problems. Is it because of a configuration in sendmail or Swatch itself... there are no logs I can refer to and docs online are kind of sparse. I would assume if Swatch was working I would see an echo in my console and in my swatch.log file. RH9 by default comes with sendmail. I can send emails out using the mail command. I thought Swatch monitored the alert file in /var/log/snort for a string it was set to recognize (/snort/) and would send me an alert through email. I was wondering if maybe I forgot something in Swatch such as a setting in sendmail or something else I missed.
I hope I don't get stuck again once I rebuild Snort so I figured I'd ask now. Thank you for all your help!

Alan

Windows sucks! :)

----- Original Message -----
From: Jim Hendrick <jrhendri () maine rr com>
Date: Wednesday, March 24, 2004 3:09 pm
Subject: RE: [Snort-users] Snort not logging to the /var/log/snort/alert file
Subject: Re: [Snort-users] Snort not logging to the /var/log/snort/alert file

> but I did type chmod 777 /var/log/snort under root. Is this all I need to do?

AAAHHHHHH!!!! NOOOOOOOO!!!!!!

um, sorry. I had to do that...

You should not simply "chmod 777" anything just to make something easier. If you do, you are not only creating a potentially disastrous security problem, you obviously are misunderstanding how the thingy is supposed to work and need to do a bit of research.

Also (gratuitous advice warning) you should learn a bit about "sudo" before you do too much simply logging in as root. This is a great utility that allows a normally non-privileged user to execute single commands as another user (normally root). I cannot tell you how many times it has made my life easier. One of the first things I do when I build a linux (or any other UNIX) box is to add my account to the "sudoers" file. You can do this by (as root) running "visudo", which will put you in a vi-like editor in the configuration file for sudo. You can find a line that looks like:

    # User privilege specification
    root    ALL=(ALL) ALL

and duplicate it, replacing "root" with your userid. After this, login as yourself and try:

    sudo pwd

(or any other innocuous command). sudo will prompt you for your own password and then execute the command as root.

OK, now we can talk about snort a bit. Snort should be started as root so it can put the interface into promiscuous mode. This also allows it to open the alert file as root (or create one if none exists). Like:

    sudo snort -A Full -c /wherever/you/have/your/snort.conf -l /wherever/you/want/to/log

By default it will log to /var/log/snort/ using the filename "alert". If things work normally, you should not have *any* alert file there when you start snort and it will immediately create one.

You can do somewhat better than this if you want by creating a separate user and group with limited permissions (like home directory of /dev/null and default shell of /bin/false) and have snort change to that user/group after startup. There are several reasons you might want to do this that I will not go into right now. However, snort still needs to be able to read from the network (so it needs to start as root) and it needs to be able to write to wherever you tell it (/var/log/snort/alert is normally the default location for the alert file). If you want to run it as user snort, group snort, then that user/group would need to be able to write to the appropriate directory. Like:

    sudo snort -u snort -g snort -A Full -c blah blah blah...

and as long as wherever you log to is writable by user (or group) snort, that will be OK.

That said, many people simply let it run as root (at least when they are learning) and have /var/log/snort/ owned by root. Snort will try to limit the number of users who can read its output (you don't want or need unprivileged users reading what is happening on the network) so it creates the alert file and related directories only readable by whatever user it is running as (recall, this is root by default).

The upshot of this long-winded rant is that you don't need (or probably want) to chmod the alert file. You simply let snort start as root and then make sure when you look at the file you are doing so *as* root. (do take the time to make friends with "sudo" please.)

Now your original question was that you had removed the alert file while snort was running and you could not "recreate" it. This has to do with the fact that the snort process opened the original file when it started and kept that filehandle open. Your removing the file did not change that fact. And snort would not normally need to re-create the alert file, so all your efforts to do so were in vain.

If you read some of the documentation, you would find that if you send a hangup (HUP) signal to a running snort process, it will cause it to re-read its configuration files and re-start writing to the log file (by opening a new one if it needs to). This is a common way to "rotate" the log file so as not to let it grow without bound. (That is, you would do something like this, using sudo, or in a root cronjob:)

    mv /var/log/snort/alert /var/log/snort/alert.old
    kill -HUP `cat /var/run/snort_eth0.pid`

Assuming your snort process is listening to eth0 and you have chosen the default naming convention for the process id file, this will cause snort to open a new file /var/log/snort/alert and you can do what you like with the old one.

Hope this helps. Really sounds like you need to take some time to learn a bit of basic UNIX while you are learning snort. You should be aware that if you want (and feel more comfortable in a Windows environment) there is a win32 port of snort you could play with also.

Later,
Jim

run a command that sends a kill -HUP to the snort process id (PID)

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.
http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
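The open-filehandle behaviour Jim describes (rm does nothing because the process keeps writing to the unlinked inode; mv plus kill -HUP gives a fresh file) can be seen without Snort at all. The script below is an added illustration, not code from the thread: a constructed stand-in daemon that holds an "alert" file open on a file descriptor and reopens it on SIGHUP, with every path under a temporary directory.

```shell
#!/bin/sh
# Constructed stand-in for a daemon that keeps its alert file open, the way
# the thread says Snort does. Nothing here runs or touches Snort; all paths
# live in a throwaway temp directory created by demo().

# The "daemon": opens the alert file once on fd 3 and writes to that
# descriptor forever. On SIGHUP it closes fd 3 and reopens the *path*,
# which is the behaviour Jim describes for kill -HUP.
fake_daemon() {
    exec 3>>"$ALERT"
    trap 'exec 3>&-; exec 3>>"$ALERT"' HUP
    i=0
    while :; do
        i=$((i + 1))
        echo "alert $i" >&3
        sleep 0.2
    done
}

start_daemon() { fake_daemon >/dev/null 2>&1 & echo $! >"$PIDFILE"; sleep 0.5; }
stop_daemon()  { kill "$(cat "$PIDFILE")" 2>/dev/null || true; }
file_exists()  { [ -e "$ALERT" ] && echo yes || echo no; }

# What Alan tried: delete the file and wait for the daemon to recreate it.
# The daemon still holds the unlinked inode, so the path never comes back.
remove_and_wait() { rm -f "$ALERT"; sleep 0.6; file_exists; }

# Jim's rotation: mv keeps the open inode under the new name, and HUP makes
# the daemon reopen the original path, giving a fresh alert file while the
# old data stays in alert.old.
rotate() {
    mv "$ALERT" "$ALERT.old"
    kill -HUP "$(cat "$PIDFILE")"
    sleep 0.6
    [ -e "$ALERT" ] && [ -s "$ALERT.old" ] && echo yes || echo no
}

demo() {
    LOGDIR=$(mktemp -d); ALERT="$LOGDIR/alert"; PIDFILE="$LOGDIR/daemon.pid"
    start_daemon
    r1=$(remove_and_wait)                    # no: rm alone does not help
    kill -HUP "$(cat "$PIDFILE")"; sleep 0.6
    r2=$(file_exists)                        # yes: HUP recreated the path
    r3=$(rotate)                             # yes: new alert, data in alert.old
    stop_daemon
    rm -rf "$LOGDIR"
    echo "$r1 $r2 $r3"                       # prints "no yes yes"
}

demo
```

The same mv-then-HUP sequence is what a root cron job would run against the real /var/log/snort/alert and /var/run/snort_eth0.pid.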
Current thread:
- Re: Snort not logging to the /var/log/snort/alert file ids (Mar 24)
- RE: Snort not logging to the /var/log/snort/alert file Jim Hendrick (Mar 24)
- Re: Snort not logging to the /var/log/snort/alert file Christopher Cramer (Mar 25)
- <Possible follow-ups>
- Re: RE: Snort not logging to the /var/log/snort/alert file ids (Mar 24)
- RE: RE: Snort not logging to the /var/log/snort/alertfile Jim Hendrick (Mar 24)
- Great news! Snort not logging to the /var/log/snort/aler tfile Alan (Mar 25)
- RE: Great news! Snort not logging to the /var/log/snort/aler tfile Jim Hendrick (Mar 25)
- RE: RE: Snort not logging to the /var/log/snort/alertfile Jim Hendrick (Mar 24)
- Re: RE: Snort not logging to the /var/log/snort/alert file twig les (Mar 24)