Snort mailing list archives
Re: Fw: snort not reporting
From: Ben van der Merwe <benm () pasco co za>
Date: Tue, 14 Dec 2004 07:37:27 +0200
Allan, I experienced the same problem when I first tried snort (with rules), but my project only focused on binary logging so I did not get the opportunity to fix it. That may be a good idea - try out the binary logging (I think there is a '-A' option then) and make sure that the traffic is logged to a binary file. You can then inspect the traffic with tools like 'ethereal', 'etherape' and 'tcpdump'. At least you can narrow down the problem area in this way. I also recently read the frequently asked questions at http://www.snort.org/docs/FAQ.txt Also check for relevant documentation at http://www.snort.org/docs/ (there is good documentation on the ids related aspects) Maybe you can help me. I do not know how to reply to your message on the mailing list other than to reply to you directly. Should I cc the mailing list as I did? Thanks Ben van der Merwe On Mon, 2004-12-13 at 18:12, Allan Jensen wrote:
Rules are in the right place. No alerts because of good traffic sounds "to good" to be true. I also tried running snort while letting http://scan.sygatetech.com/ scan my computer leaving the firewall open. Is there any way (test) to get snort to react? Allan Jensen --- Ben van der Merwe <benm () pasco co za> wrote:The other thing to check is that your rules are located in the appropriate directory (as specified in the configuration file). It is also possible that there are no alerts (because there is little traffic) or that the traffic is 'good' and does not trigger any alerts. ben ----- Original Message ----- From: Ben van der Merwe To: Allan Jensen Sent: Monday, December 13, 2004 12:50 PM Subject: Re: [Snort-users] snort not reporting Allan, I suppose you have checked in /var/log/snort/ppp0 for any results. Normally snort displays an error message and exits if something is wrong. If you do a 'pgrep snort' and snort is running it must be something else. ben ----- Original Message ----- From: Allan Jensen To: snort-users () lists sourceforge net Sent: Monday, December 13, 2004 11:49 AM Subject: [Snort-users] snort not reporting I installed snort 2.2.0 on Mac OS X 10.3.6 together with ACID 0.9.6b23. Everything went fine. When I start snort: sudo snort -dvi -c /etc/snort/snort.conf I get the following: Running in IDS mode Log directory = /var/log/snort Initializing Network Interface ppp0 --== Initializing Snort ==-- Initializing Output Plugins! Decoding PPP on interface ppp0 Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /etc/snort/snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... ,-----------[Flow Config]---------------------- | Stats Interval: 0 | Hash Method: 2 | Memcap: 10485760 | Rows : 4099 | Overhead Bytes: 16400(%0.16) `---------------------------------------------- No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Fragment min_ttl: 0 Fragment ttl_limit: 5 Fragment Problems: 0 Self preservation threshold: 500 Self preservation period: 90 Suspend threshold: 1000 Suspend period: 30 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: INACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 Async Link: 0 State Protection: 0 Self preservation threshold: 50 Self preservation period: 90 Suspend threshold: 200 Suspend period: 30 Stream4_reassemble config: Server reassembly: INACTIVE Client reassembly: ACTIVE Reassembler alerts: ACTIVE Zero out flushed packets: INACTIVE flush_data_diff_size: 500 Ports: 21 23 25 53 80 110 111 143 513 1433 Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 HttpInspect Config: GLOBAL CONFIG Max Pipeline Requests: 0 Inspection Type: STATELESS Detect Proxy Usage: NO IIS Unicode Map Filename: /etc/snort/unicode.map IIS Unicode Map Codepage: 1252 DEFAULT SERVER CONFIG: Ports: 80 8080 8180 Flow Depth: 300 Max Chunk Length: 500000 Inspect Pipeline Requests: YES URI Discovery Strict Mode: NO Allow Proxy Usage: NO Disable Alerting: NO Oversize Dir Length: 500 Only inspect URI: NO Ascii: YES alert: NO Double Decoding: YES alert: YES %U Encoding: YES alert: YES Bare Byte: YES alert: YES Base36: OFF UTF 8: OFF IIS Unicode: YES alert: YES Multiple Slash: YES alert: NO IIS Backslash: YES alert: NO Directory Traversal: YES alert: NO Web Root Traversal: YES alert: YES Apache WhiteSpace: YES alert: YES IIS Delimiter: YES alert: YES IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Non-RFC Compliant Characters: NONE rpc_decode arguments: Ports to decode RPC on: 111 32771 alert_fragments: INACTIVE alert_large_fragments: ACTIVE alert_incomplete: ACTIVE alert_multiple_requests: ACTIVE telnet_decode arguments: Ports to decode telnet on: 21 23 25 119 database: compiled support for ( mysql ) database: configured to use mysql database: user = root database: password is set database: database name = snort database: host = localhost Node unique name is: 80.134.161.187 database: sensor name = 80.134.161.187 database: sensor id = 6 database: schema version = 106 database: using the "alert" facility 2180 Snort rules read... 2180 Option Chains linked into 176 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ Warning: flowbits key 'realplayer.playlist' is checked but not ever set.+-----------------------[thresholding-config]----------------------------------| memory-cap : 1048576 bytes+-----------------------[thresholding-global]----------------------------------| none+-----------------------[thresholding-local]-----------------------------------| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60 | gen-id=1 sig-id=2924 type=Threshold tracking=src count=10 seconds=60 | gen-id=1 sig-id=2923 type=Threshold tracking=src count=10 seconds=60 | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10 | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60 | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60 | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60+-----------------------[suppression]-------------------------------------------------------------------------------------------------------------------------Rule application order: ->activation->dynamic->alert->pass->log --== Initialization Complete ==-- -*> Snort! <*- Version 2.2.0 (Build 30) By Martin Roesch (roesch () sourcefire com, www.snort.org) However after a while when I control-c : ^C===============================================================================Snort received 8244 packets Analyzed: 8244(100.000%) Dropped: 0(0.000%)===============================================================================Breakdown by protocol: TCP: 0 (0.000%) UDP: 0 (0.000%) ICMP: 0 (0.000%) ARP: 0 (0.000%) EAPOL: 0 (0.000%) IPv6: 0 (0.000%) IPX: 0 (0.000%) OTHER: 0 (0.000%) DISCARD: 0 (0.000%)===============================================================================Action Stats: ALERTS: 0 LOGGED: 0 PASSED: 0===============================================================================Final Flow Statistics ,----[ FLOWCACHE STATS ]---------- Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1) Overhead blocks: 1 Could Hold: (0) IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s finds: 0 reversed: 0(%0.000000) find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0 database: Closing connection to database "p" Snort exiting Nothing gets reported. I have configured snort.conf like this: var HOME_NET any and var EXTERNAL_NET any and output database: alert, mysql, user=root password=<mypassword> dbname=snort host=localhost Can anyone help? Thanks, Allan__________________________________ Do you Yahoo!? Send a seasonal email greeting and help others. Do good. http://celebrity.mail.yahoo.com
------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort not reporting Allan Jensen (Dec 12)
- <Possible follow-ups>
- snort not reporting Allan Jensen (Dec 13)
- RE: snort not reporting Patrick S. Harper (Dec 13)
- RE: snort not reporting Allan Jensen (Dec 13)
- Re: snort not reporting Kevin Johnson (Dec 13)
- Re: snort not reporting Allan Jensen (Dec 13)
- RE: snort not reporting Patrick S. Harper (Dec 13)
- Re: Fw: snort not reporting Ben van der Merwe (Dec 13)
- Re: Fw: snort not reporting Allan Jensen (Dec 14)
- Re: Fw: snort not reporting Ben van der Merwe (Dec 14)
- Re: Fw: snort not reporting Ben van der Merwe (Dec 14)
- Re: Fw: snort not reporting Allan Jensen (Dec 14)