Snort mailing list archives
Nothing written to logfiles
From: James Sinnamon <jaymz () bigpond net au>
Date: Tue, 15 Jun 2004 17:14:10 +1000
Dear snort developers and users,

I am not getting anything written to my log files. I have scanned my own host from a separate Internet connection:

sleepyhollow:sinnamon$ nmap -p 21,22,80,443 144.136.251.208

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on CPE-144-136-251-208.nsw.bigpond.net.au (144.136.251.208):
(The 1 port scanned but not shown below is in state: closed)
Port       State       Service
21/tcp     filtered    ftp
80/tcp     open        http
443/tcp    open        https

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

... but snort does not report anything. The log files are nearly empty, and were not caused to be updated by the scan.

greenhouse:/etc/init.d# ls -lt /var/log/snort
total 24
-rw-r-----    1 root     adm            24 2004-06-15 15:04 snort.log.1087275893
-rw-r-----    1 root     adm            24 2004-06-15 14:52 snort.log.1087275135
-rw-r-----    1 root     adm            24 2004-06-15 14:51 ...
-rw-r-----    1 root     adm            24 2004-06-12 23:40 snort.log.1087045143
-rw-r-----    1 snort    adm           141 2004-06-12 23:36 alert

The snort process looks like:

greenhouse:/etc/init.d# ps auxwww | grep snort
snort     2030  0.9  3.6 36732 33164 ?        Rs   16:57   0:00 /usr/sbin/snort \
    -m 027 -D -c /etc/snort/snort.conf -l /var/log/snort -d -u snort -g snort \
    -O -S HOME_NET=[192.168.0.0/24] -i eth0

My /etc/snort/snort.conf is:

var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
    talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-sliding-window 20 \
    scoreboard-rows-talker 30000 \
    server-watchnet $HOME_NET \
    server-ignore-limit 200 \
    server-rows 65535 \
    server-learning-time 14400 \
    server-scanner-limit 4 \
    scanner-sliding-window 20 \
    scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    scoreboard-rows-scanner 30000 \
    src-ignore-net $HOME_NET \
    dst-ignore-net [10.0.0.0/30] \
    alert-mode once \
    output-mode msg \
    tcp-penalties on

output log_tcpdump: snort.log

include classification.config
include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules

include threshold.conf

... and my /etc/snort.debian.conf is:

DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="192.168.0.0/24"
DEBIAN_SNORT_OPTIONS="-O"
DEBIAN_SNORT_INTERFACE="eth0"
DEBIAN_SNORT_STATS_RCPT="sinnamon"
DEBIAN_SNORT_STATS_TRESHOLD="1"

... and my /etc/init.d/snort includes:

#!/bin/sh -e

test $DEBIAN_SCRIPT_DEBUG && set -v -x

DAEMON=/usr/sbin/snort
NAME=snort
DESC="Network Intrusion Detection System"
CONFIG=/etc/snort/snort.debian.conf
COMMON=`cat /etc/snort/snort.common.parameters`

test -x $DAEMON || exit 0
test -f $CONFIG && . $CONFIG
test -z "$DEBIAN_SNORT_HOME_NET" && DEBIAN_SNORT_HOME_NET="192.168.0.0/16"

# to find the lib files
cd /etc/snort

case "$1" in
  start)
    if [ "$DEBIAN_SNORT_STARTUP" = "dialup" ]; then
        shift
        set +e
        /etc/ppp/ip-up.d/snort "$@"
        exit $?
    fi

    # Usually, we start all interfaces
    interfaces="$DEBIAN_SNORT_INTERFACE"

    # If we are requested to start a specific interface...
    test "$2" && interfaces="$2"

    myret=0
    got_instance=0
    for interface in $interfaces; do
        got_instance=1
        echo -n "Starting $DESC: $NAME($interface)"

        PIDFILE=/var/run/snort_$interface.pid

        fail="failed (check /var/log/daemon.log)"
        /sbin/start-stop-daemon --stop --signal 0 --quiet \
            --pidfile "$PIDFILE" --exec $DAEMON >/dev/null && fail="already running"

        set +e
        /sbin/start-stop-daemon --start --quiet --pidfile "$PIDFILE" \
            --exec $DAEMON -- $COMMON $DEBIAN_SNORT_OPTIONS \
            -S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]" \
            -i $interface
        ret=$?
        set -e

        case "$ret" in
            0)
                echo "."
                ;;
            *)
                echo "...$fail."
                myret=$(expr "$myret" + 1)
                ;;
        esac
    done

    if [ "$got_instance" = 0 ]; then
        echo "No snort instance found to be started!" >&2
        exit 1
    fi

    exit $myret
    ;;
....

-------------------------------------------------------

Any suggestions?

TIA

James

-- 
James Sinnamon
jaymz at bigpond net auStralia
+61 412 319669, +61 2 95692123
http://www.australianvisions.com.au/Members/james
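Added example (editor's note, not part of James's post and not code from the Snort project): every snort.log.* file in the listing above is exactly 24 bytes, and 24 bytes is the size of the libpcap global file header that pcap_dump_open() writes as soon as a dump file is created. A file of that size therefore holds zero packet records, which is a stronger statement than "nearly empty". The script below parses the global header (both byte orders), counts the packet records that follow it, and flags a file cut off mid-record. The two sample captures are constructed in memory so it runs offline; the script name pcapcount.py and the file paths are assumptions.

```python
#!/usr/bin/env python3
"""Count packet records in libpcap-format files such as Snort's log_tcpdump output.

Added example, not from the mailing-list post or from Snort. The sample
captures below are constructed in memory so the script runs offline.
"""
import struct
import sys

PCAP_HEADER_LEN = 24  # magic(4) ver_major(2) ver_minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
PKT_HEADER_LEN = 16   # ts_sec(4) ts_usec(4) incl_len(4) orig_len(4)

# The first four bytes fix the byte order of every field that follows.
_MAGIC_ENDIAN = {
    b"\xd4\xc3\xb2\xa1": "<",  # 0xa1b2c3d4 written little-endian (microsecond timestamps)
    b"\x4d\x3c\xb2\xa1": "<",  # 0xa1b23c4d written little-endian (nanosecond timestamps)
    b"\xa1\xb2\xc3\xd4": ">",  # the same magics written big-endian
    b"\xa1\xb2\x3c\x4d": ">",
}


def summarize_pcap(data):
    """Describe a pcap file held in memory.

    'valid' is False when the global header is missing or unrecognised;
    'packets' counts complete packet records after the header; 'truncated'
    flags a file that ends in the middle of a record (e.g. copied while the
    writer still had it open).
    """
    info = {"valid": False, "reason": "", "packets": 0, "payload_bytes": 0,
            "truncated": False, "linktype": None, "snaplen": None}
    if len(data) < PCAP_HEADER_LEN:
        info["reason"] = "shorter than the 24-byte global header"
        return info
    endian = _MAGIC_ENDIAN.get(data[:4])
    if endian is None:
        info["reason"] = "unrecognised magic %s" % data[:4].hex()
        return info
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:PCAP_HEADER_LEN])
    info.update(valid=True, version=(major, minor), snaplen=snaplen, linktype=linktype)

    off = PCAP_HEADER_LEN
    while off + PKT_HEADER_LEN <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + PKT_HEADER_LEN])
        off += PKT_HEADER_LEN
        if off + incl_len > len(data):
            break  # record header is there, but its packet bytes are cut off
        info["packets"] += 1
        info["payload_bytes"] += incl_len
        off += incl_len
    info["truncated"] = off != len(data)  # anything left over is a partial record
    return info


def verdict(data):
    """One-line classification of a capture, used by main()."""
    s = summarize_pcap(data)
    if not s["valid"]:
        return "not a pcap file (%s)" % s["reason"]
    if s["packets"] == 0 and not s["truncated"]:
        return "pcap header only: no packets were ever logged to this file"
    return "%d packet(s), %d bytes%s" % (
        s["packets"], s["payload_bytes"], " (truncated)" if s["truncated"] else "")


def build_pcap(packets, endian="<", linktype=1, snaplen=1514):
    """Construct a pcap file in memory (test data only, not a real Snort log)."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    records = b"".join(
        struct.pack(endian + "IIII", 1087275893 + i, 0, len(p), len(p)) + p
        for i, p in enumerate(packets))
    return header + records


# Constructed samples: EMPTY_LOG has the same 24-byte shape as the snort.log.* files.
EMPTY_LOG = build_pcap([])
TWO_PACKET_LOG = build_pcap([b"\x00" * 60, b"\x00" * 42])


def main(paths):
    for path in paths:
        with open(path, "rb") as fh:
            print("%s: %s" % (path, verdict(fh.read())))
    if not paths:
        print("constructed empty log (%d bytes): %s" % (len(EMPTY_LOG), verdict(EMPTY_LOG)))
        print("constructed two-packet log: %s" % verdict(TWO_PACKET_LOG))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as python3 pcapcount.py /var/log/snort/snort.log.* on the sensor (paths assumed); with no arguments it reports on the two constructed samples. A "header only" verdict on every file means Snort opened each log at startup and never wrote a packet to it; the 141-byte alert file is the text alert log, not pcap, so it is out of scope for this check.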
Current thread:
- Nothing written to logfiles James Sinnamon (Jun 15)
- Re: Nothing written to logfiles Paul Schmehl (Jun 15)
- Re: Nothing written to logfiles James Sinnamon (Jun 15)
- Re: Nothing written to logfiles Paul Schmehl (Jun 15)