Re: snort not capturing

[Mario Remy Almeida <mario.almeida () gmail com>]

Hi Martin,

If I do strace -p <PID of snort>
I can see that it is capturing the data.

Output of strace.

recvfrom(5, "\0\25\27\322\277
\0!^W_p\10\0E\10\5\334d\31@\0@\6f\351\n\4\253\5\n\4"..., 1514,
MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3,
pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0!^W_p\0\25\27\322\277
\10\0E\10\0(\223\36@\0@\6=\230\n\4\253\4\n\4"..., 1514, MSG_TRUNC,
{sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_OUTGOING,
addr(6)={1, 001517d2bf20}, [18]) = 54
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0\25\27\322\277
\0!^W_p\10\0E\10\5\334d\32@\0@\6f\350\n\4\253\5\n\4"..., 1514,
MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3,
pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0\25\27\322\277
\0!^W_p\10\0E\10\5\334d\33@\0@\6f\347\n\4\253\5\n\4"..., 1514,
MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3,
pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0!^W_p\0\25\27\322\277
\10\0E\10\0(\223\37@\0@\6=\227\n\4\253\4\n\4"..., 1514, MSG_TRUNC,
{sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_OUTGOING,
addr(6)={1, 001517d2bf20}, [18]) = 54
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0\25\27\322\277
\0!^W_p\10\0E\10\5\334d\34@\0@\6f\346\n\4\253\5\n\4"..., 1514,
MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3,
pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0\25\27\322\277
\0!^W_p\10\0E\10\5\334d\35@\0@\6f\345\n\4\253\5\n\4"..., 1514,
MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3,
pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0!^W_p\0\25\27\322\277 \10\0E\10\0(\223
@\0@\6=\226\n\4\253\4\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET,
proto=0x800, if3, pkttype=PACKET_OUTGOING, addr(6)={1, 001517d2bf20},
[18]) = 54
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0\25\27\322\277
\0!^W_p\10\0E\10\5\334d\36@\0@\6f\344\n\4\253\5\n\4"..., 1514,
MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3,
pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0\25\27\322\277
\0!^W_p\10\0E\10\5\334d\37@\0@\6f\343\n\4\253\5\n\4"..., 1514,
MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3,
pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0!^W_p\0\25\27\322\277
\10\0E\10\0(\223!@\0@\6=\225\n\4\253\4\n\4"..., 1514, MSG_TRUNC,
{sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_OUTGOING,
addr(6)={1, 001517d2bf20}, [18]) = 54
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0\25\27\322\277 \0!^W_p\10\0E\10\5\334d
@\0@\6f\342\n\4\253\5\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET,
proto=0x800, if3, pkttype=PACKET_HOST, addr(6)={1, 00215e575f70},
[18]) = 1514
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0\25\27\322\277
\0!^W_p\10\0E\10\5\334d!@\0@\6f\341\n\4\253\5\n\4"..., 1514,
MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3,
pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0
recvfrom(5, "\0\25\27\322\277
\0!^W_p\10\0E\10\5\334d\"@\0@\6f\340\n\4\253\5\n\4"..., 1514,
MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3,
pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10)    = 0




On Thu, Sep 15, 2011 at 4:21 AM, Martin Holste <mcholste () gmail com> wrote:
> The next thing to look at is the stats that are output when you stop
> Snort.  Check to see if it has inspected any packets.
>
> On Wed, Sep 14, 2011 at 4:23 PM, Mario Remy Almeida
> <mario.almeida () gmail com> wrote:
> > Hi Martin,
> >
> > It cannot be permission issue.
> >
> > I had 2.8.5 working fine. It was writing to the log files and also to
> > mysql database.
> > Since I downloaded the 2.8.6.1 rule subscriptions I need to upgrade to 2.8.6.1.
> >
> > when I start snort, file is create as below.
> > -rw------- 1 snort snort 0 Sep 15 01:15 snort.log.1316034925
> >
> > Directory permission:
> > drwxr-xr-x 2 snort  snort      4096 Sep 15 01:15 snort
> >
> > As per above snort user has read and write permission.
> >
> > Not only log file wringing also not logging to mysql database.
> > output database: alert, mysql, user=snort password=snort dbname=snort
> > host=remoteSrvIP encoding=ascii detail=full
> >
> >
> > With Warm Regards,
> > Remy,
> > Linux System Administrator
> > C: 00971508643912
> >
> > "Do not be afraid to try something new...Remember, amateurs built the
> > ark; professionals built the Titanic."
> >
> >
> >
> > On Thu, Sep 15, 2011 at 1:01 AM, Martin Holste <mcholste () gmail com> wrote:
> > > It's probably a permissions issue with /var/log/snort.  Try the exact
> > > same command without -D, and you should get some indication.  You may
> > > also wish to run strace snort ... which should show you if it fails to
> > > open files.
> > >
> > > On Wed, Sep 14, 2011 at 2:06 PM, Mario Remy Almeida
> > > <mario.almeida () gmail com> wrote:
> > > > Dear All,
> > > > I install snort 2.8.6.1 but when I start its not capturing anything.
> > > > snort.log and alert files under /var/log/snort are created but both
> > > > files are empty neither it logs to mysql.
> > > >
> > > > Snort is started with the below command
> > > > /usr/sbin/snort -A fast -b -d -D -I -i eth0 -u snort -g snort -c
> > > > /etc/snort/snort.conf -l /var/log/snort
> > > >
> > > > If i start snort with "-v -i eth0 -u snort -g snort -c
> > > > /etc/snort/snort.conf " parameters then I can see the tcpdump output
> > > > on the terminal.
> > > > can anyone help me?
> > > >
> > > > Rgds,
> > > > Mario
> > > >
> > > > ------------------------------------------------------------------------------
> > > > BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
> > > > Learn about the latest advances in developing for the
> > > > BlackBerry&reg; mobile platform with sessions, labs & more.
> > > > See new tools and technologies. Register for BlackBerry&reg; DevCon today!
> > > > http://p.sf.net/sfu/rim-devcon-copy1
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Doing More with Less: The Next Generation Virtual Desktop 
What are the key obstacles that have prevented many mid-market businesses
from deploying virtual desktops?   How do next-generation virtual desktops
provide companies an easier-to-deploy, easier-to-manage and more affordable
virtual desktop model.http://www.accelacomm.com/jaw/sfnl/114/51426474/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!