Re: Fw: snort not reporting

[Ben van der Merwe <benm () pasco co za>]

Allan,

I experienced the same problem when I first tried snort (with rules),
but my project only focused on binary logging so I did not get the
opportunity to fix it. That may be a good idea - try out the binary
logging (I think there is a '-A' option then) and make sure that the
traffic is logged to a binary file. You can then inspect the traffic
with tools like 'ethereal', 'etherape' and 'tcpdump'. At least you can
narrow down the problem area in this way.

I also recently read the frequently asked questions at
http://www.snort.org/docs/FAQ.txt  Also check for relevant documentation
at http://www.snort.org/docs/ (there is good documentation on the ids
related aspects)

Maybe you can help me. I do not know how to reply to your message on the
mailing list other than to reply to you directly. Should I cc the
mailing list as I did?

Thanks
Ben van der Merwe

On Mon, 2004-12-13 at 18:12, Allan Jensen wrote:
> Rules are in the right place. No alerts because of
> good traffic sounds "to good" to be true. I also tried
> running snort while letting
> http://scan.sygatetech.com/ scan my computer leaving
> the firewall open.
>
> Is there any way (test) to get snort to react?
>
> Allan Jensen
>
> --- Ben van der Merwe <benm () pasco co za> wrote:
>
> > The other thing to check is that your rules are
> > located in the appropriate directory (as specified
> > in the configuration file).
> > It is also possible that there are no alerts
> > (because there is little traffic) or that the
> > traffic is 'good' and does not trigger any alerts.
> > ben
> >
> > ----- Original Message ----- 
> > From: Ben van der Merwe 
> > To: Allan Jensen 
> > Sent: Monday, December 13, 2004 12:50 PM
> > Subject: Re: [Snort-users] snort not reporting
> >
> >
> > Allan, I suppose you have checked in
> > /var/log/snort/ppp0 for any results.
> > Normally snort displays an error message and exits
> > if something is wrong. 
> > If you do a 'pgrep snort' and snort is running it
> > must be something else.
> > ben
> >   ----- Original Message ----- 
> >   From: Allan Jensen 
> >   To: snort-users () lists sourceforge net 
> >   Sent: Monday, December 13, 2004 11:49 AM
> >   Subject: [Snort-users] snort not reporting
> >
> >
> >   I installed snort 2.2.0 on Mac OS X 10.3.6
> > together with ACID 0.9.6b23. Everything went fine.
> > When I start snort:
> >
> >   sudo snort -dvi -c /etc/snort/snort.conf
> >
> >   I get the following:
> >
> >   Running in IDS mode
> >   Log directory = /var/log/snort
> >
> >   Initializing Network Interface ppp0
> >
> >   --== Initializing Snort ==--
> >   Initializing Output Plugins!
> >   Decoding PPP on interface ppp0
> >   Initializing Preprocessors!
> >   Initializing Plug-ins!
> >   Parsing Rules file /etc/snort/snort.conf
> >
> >  
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >   Initializing rule chains...
> >   ,-----------[Flow Config]----------------------
> >   | Stats Interval: 0
> >   | Hash Method: 2
> >   | Memcap: 10485760
> >   | Rows : 4099
> >   | Overhead Bytes: 16400(%0.16)
> >   `----------------------------------------------
> >   No arguments to frag2 directive, setting defaults
> > to:
> >   Fragment timeout: 60 seconds
> >   Fragment memory cap: 4194304 bytes
> >   Fragment min_ttl: 0
> >   Fragment ttl_limit: 5
> >   Fragment Problems: 0
> >   Self preservation threshold: 500
> >   Self preservation period: 90
> >   Suspend threshold: 1000
> >   Suspend period: 30
> >   Stream4 config:
> >   Stateful inspection: ACTIVE
> >   Session statistics: INACTIVE
> >   Session timeout: 30 seconds
> >   Session memory cap: 8388608 bytes
> >   State alerts: INACTIVE
> >   Evasion alerts: INACTIVE
> >   Scan alerts: INACTIVE
> >   Log Flushed Streams: INACTIVE
> >   MinTTL: 1
> >   TTL Limit: 5
> >   Async Link: 0
> >   State Protection: 0
> >   Self preservation threshold: 50
> >   Self preservation period: 90
> >   Suspend threshold: 200
> >   Suspend period: 30
> >   Stream4_reassemble config:
> >   Server reassembly: INACTIVE
> >   Client reassembly: ACTIVE
> >   Reassembler alerts: ACTIVE
> >   Zero out flushed packets: INACTIVE
> >   flush_data_diff_size: 500
> >   Ports: 21 23 25 53 80 110 111 143 513 1433
> >   Emergency Ports: 21 23 25 53 80 110 111 143 513
> > 1433
> >   HttpInspect Config:
> >   GLOBAL CONFIG
> >   Max Pipeline Requests: 0
> >   Inspection Type: STATELESS
> >   Detect Proxy Usage: NO
> >   IIS Unicode Map Filename: /etc/snort/unicode.map
> >   IIS Unicode Map Codepage: 1252
> >   DEFAULT SERVER CONFIG:
> >   Ports: 80 8080 8180
> >   Flow Depth: 300
> >   Max Chunk Length: 500000
> >   Inspect Pipeline Requests: YES
> >   URI Discovery Strict Mode: NO
> >   Allow Proxy Usage: NO
> >   Disable Alerting: NO
> >   Oversize Dir Length: 500
> >   Only inspect URI: NO
> >   Ascii: YES alert: NO
> >   Double Decoding: YES alert: YES
> >   %U Encoding: YES alert: YES
> >   Bare Byte: YES alert: YES
> >   Base36: OFF
> >   UTF 8: OFF
> >   IIS Unicode: YES alert: YES
> >   Multiple Slash: YES alert: NO
> >   IIS Backslash: YES alert: NO
> >   Directory Traversal: YES alert: NO
> >   Web Root Traversal: YES alert: YES
> >   Apache WhiteSpace: YES alert: YES
> >   IIS Delimiter: YES alert: YES
> >   IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> >   Non-RFC Compliant Characters: NONE
> >   rpc_decode arguments:
> >   Ports to decode RPC on: 111 32771
> >   alert_fragments: INACTIVE
> >   alert_large_fragments: ACTIVE
> >   alert_incomplete: ACTIVE
> >   alert_multiple_requests: ACTIVE
> >   telnet_decode arguments:
> >   Ports to decode telnet on: 21 23 25 119
> >   database: compiled support for ( mysql )
> >   database: configured to use mysql
> >   database: user = root
> >   database: password is set
> >   database: database name = snort
> >   database: host = localhost
> >   Node unique name is: 80.134.161.187
> >   database: sensor name = 80.134.161.187
> >   database: sensor id = 6
> >   database: schema version = 106
> >   database: using the "alert" facility
> >   2180 Snort rules read...
> >   2180 Option Chains linked into 176 Chain Headers
> >   0 Dynamic rules
> >  
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> >   Warning: flowbits key 'realplayer.playlist' is
> > checked but not ever set.
> >
> >  
> +-----------------------[thresholding-config]----------------------------------
> >   | memory-cap : 1048576 bytes
> >  
> +-----------------------[thresholding-global]----------------------------------
> >   | none
> >  
> +-----------------------[thresholding-local]-----------------------------------
> >   | gen-id=1 sig-id=2275 type=Threshold tracking=dst
> > count=5 seconds=60
> >   | gen-id=1 sig-id=2924 type=Threshold tracking=src
> > count=10 seconds=60
> >   | gen-id=1 sig-id=2923 type=Threshold tracking=src
> > count=10 seconds=60
> >   | gen-id=1 sig-id=2523 type=Both tracking=dst
> > count=10 seconds=10
> >   | gen-id=1 sig-id=2496 type=Both tracking=dst
> > count=20 seconds=60
> >   | gen-id=1 sig-id=2494 type=Both tracking=dst
> > count=20 seconds=60
> >   | gen-id=1 sig-id=2495 type=Both tracking=dst
> > count=20 seconds=60
> >  
> +-----------------------[suppression]------------------------------------------
> >  
> -------------------------------------------------------------------------------
> >   Rule application order:
> > ->activation->dynamic->alert->pass->log
> >
> >   --== Initialization Complete ==--
> >
> >   -*> Snort! <*-
> >   Version 2.2.0 (Build 30)
> >   By Martin Roesch (roesch () sourcefire com,
> > www.snort.org)
> >
> >   However after a while when I control-c :
> >
> >   ^C
> >
> >  
> ===============================================================================
> >   Snort received 8244 packets
> >   Analyzed: 8244(100.000%)
> >   Dropped: 0(0.000%)
> >  
> ===============================================================================
> >   Breakdown by protocol:
> >   TCP: 0 (0.000%)
> >   UDP: 0 (0.000%)
> >   ICMP: 0 (0.000%)
> >   ARP: 0 (0.000%)
> >   EAPOL: 0 (0.000%)
> >   IPv6: 0 (0.000%)
> >   IPX: 0 (0.000%)
> >   OTHER: 0 (0.000%)
> >   DISCARD: 0 (0.000%)
> >  
> ===============================================================================
> >   Action Stats:
> >   ALERTS: 0
> >   LOGGED: 0
> >   PASSED: 0
> >  
> ===============================================================================
> >   Final Flow Statistics
> >   ,----[ FLOWCACHE STATS ]----------
> >   Memcap: 10485760 Overhead Bytes 16400
> > used(%0.156403)/blocks (16400/1) Overhead blocks: 1
> > Could Hold: (0)
> >   IPV4 count: 0 frees: 0 low_time: 0, high_time: 0,
> > diff: 0h:00:00s
> >   finds: 0 reversed: 0(%0.000000)
> >   find_sucess: 0 find_fail: 0 percent_success:
> > (%0.000000) new_flows: 0
> >   database: Closing connection to database "p"
> >   Snort exiting
> >
> >   Nothing gets reported. I have configured
> > snort.conf like this:
> >
> >   var HOME_NET any
> >   and
> >   var EXTERNAL_NET any
> >   and
> >   output database: alert, mysql, user=root
> > password=<mypassword> dbname=snort host=localhost
> >
> >   Can anyone help?
> >
> >   Thanks,
> >   Allan
>
>
>               
> __________________________________ 
> Do you Yahoo!? 
> Send a seasonal email greeting and help others. Do good. 
> http://celebrity.mail.yahoo.com



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users