Snort mailing list archives
Re: snort not capturing
From: Mario Remy Almeida <mario.almeida () gmail com>
Date: Thu, 15 Sep 2011 18:58:45 +0400
Hi Martin,

Thanks a lot for your support. I managed to solve it by changing

var HOME_NET 10.4.171/24

to

var HOME_NET any

On Thu, Sep 15, 2011 at 4:45 PM, Martin Holste <mcholste () gmail com> wrote:

And the stats output when Snort is finished?

On Wed, Sep 14, 2011 at 11:23 PM, Mario Remy Almeida <mario.almeida () gmail com> wrote:

Hi Martin,

If I do strace -p <PID of snort> I can see that it is capturing the data. Output of strace:

    recvfrom(5, "\0\25\27\322\277 \0!^W_p\10\0E\10\5\334d\31@\0@\6f\351\n\4\253\5\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0!^W_p\0\25\27\322\277 \10\0E\10\0(\223\36@\0@\6=\230\n\4\253\4\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_OUTGOING, addr(6)={1, 001517d2bf20}, [18]) = 54
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0\25\27\322\277 \0!^W_p\10\0E\10\5\334d\32@\0@\6f\350\n\4\253\5\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0\25\27\322\277 \0!^W_p\10\0E\10\5\334d\33@\0@\6f\347\n\4\253\5\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0!^W_p\0\25\27\322\277 \10\0E\10\0(\223\37@\0@\6=\227\n\4\253\4\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_OUTGOING, addr(6)={1, 001517d2bf20}, [18]) = 54
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0\25\27\322\277 \0!^W_p\10\0E\10\5\334d\34@\0@\6f\346\n\4\253\5\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0\25\27\322\277 \0!^W_p\10\0E\10\5\334d\35@\0@\6f\345\n\4\253\5\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0!^W_p\0\25\27\322\277 \10\0E\10\0(\223 @\0@\6=\226\n\4\253\4\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_OUTGOING, addr(6)={1, 001517d2bf20}, [18]) = 54
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0\25\27\322\277 \0!^W_p\10\0E\10\5\334d\36@\0@\6f\344\n\4\253\5\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0\25\27\322\277 \0!^W_p\10\0E\10\5\334d\37@\0@\6f\343\n\4\253\5\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0!^W_p\0\25\27\322\277 \10\0E\10\0(\223!@\0@\6=\225\n\4\253\4\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_OUTGOING, addr(6)={1, 001517d2bf20}, [18]) = 54
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0\25\27\322\277 \0!^W_p\10\0E\10\5\334d @\0@\6f\342\n\4\253\5\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0\25\27\322\277 \0!^W_p\10\0E\10\5\334d!@\0@\6f\341\n\4\253\5\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0
    recvfrom(5, "\0\25\27\322\277 \0!^W_p\10\0E\10\5\334d\"@\0@\6f\340\n\4\253\5\n\4"..., 1514, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if3, pkttype=PACKET_HOST, addr(6)={1, 00215e575f70}, [18]) = 1514
    ioctl(5, SIOCGSTAMP, 0x7fffda3e6f10) = 0

On Thu, Sep 15, 2011 at 4:21 AM, Martin Holste <mcholste () gmail com> wrote:

The next thing to look at is the stats that are output when you stop Snort. Check to see if it has inspected any packets.

On Wed, Sep 14, 2011 at 4:23 PM, Mario Remy Almeida <mario.almeida () gmail com> wrote:

Hi Martin,

It cannot be a permissions issue. I had 2.8.5 working fine. It was writing to the log files and also to the mysql database. Since I downloaded the 2.8.6.1 rule subscriptions I need to upgrade to 2.8.6.1. When I start snort, the file is created as below.

    -rw------- 1 snort snort 0 Sep 15 01:15 snort.log.1316034925

Directory permission:

    drwxr-xr-x 2 snort snort 4096 Sep 15 01:15 snort

As per the above, the snort user has read and write permission. Not only is it not writing the log file, it is also not logging to the mysql database.

    output database: alert, mysql, user=snort password=snort dbname=snort host=remoteSrvIP encoding=ascii detail=full

With Warm Regards,
Remy, Linux System Administrator
C: 00971508643912
"Do not be afraid to try something new...Remember, amateurs built the ark; professionals built the Titanic."

On Thu, Sep 15, 2011 at 1:01 AM, Martin Holste <mcholste () gmail com> wrote:

It's probably a permissions issue with /var/log/snort. Try the exact same command without -D, and you should get some indication. You may also wish to run strace snort ... which should show you if it fails to open files.

On Wed, Sep 14, 2011 at 2:06 PM, Mario Remy Almeida <mario.almeida () gmail com> wrote:

Dear All,

I installed snort 2.8.6.1 but when I start it, it's not capturing anything. snort.log and alert files under /var/log/snort are created but both files are empty, nor does it log to mysql. Snort is started with the below command:

    /usr/sbin/snort -A fast -b -d -D -I -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

If I start snort with "-v -i eth0 -u snort -g snort -c /etc/snort/snort.conf" parameters then I can see the tcpdump output on the terminal. Can anyone help me?

Rgds,
Mario
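The thread ends with HOME_NET widened to any. A cheaper check before restarting Snort is to validate every network in the var/ipvar lines of snort.conf with Python's ipaddress module, which rejects a value like the thread's 10.4.171/24 because it lacks a fourth octet. The script below is an added example, not code from the thread or from the Snort project; SAMPLE_CONF is a constructed fragment that copies only the HOME_NET value quoted above.

```python
import ipaddress
import re

# Constructed sample snort.conf (not the poster's file); HOME_NET copies the thread's value.
SAMPLE_CONF = """\
var HOME_NET 10.4.171/24
var EXTERNAL_NET !$HOME_NET
"""

VAR_RE = re.compile(r"^\s*(?:var|ipvar)\s+(\w+)\s+(.+?)\s*$")


def parse_vars(conf_text):
    """Return {name: raw_value} for every var/ipvar line in snort.conf text."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def check_net_value(value):
    """Classify each entry of a Snort network value as (entry, status), where
    status is 'ok', 'any', 'variable' (a $REF) or 'invalid' (unparseable)."""
    results = []
    # Snort accepts a bracketed, comma-separated list; a leading '!' negates.
    for raw in value.strip().strip("[]").split(","):
        entry = raw.strip()
        bare = entry.lstrip("!")
        if bare.lower() == "any":
            results.append((entry, "any"))
        elif bare.startswith("$"):
            results.append((entry, "variable"))
        else:
            try:
                ipaddress.ip_network(bare, strict=False)
                results.append((entry, "ok"))
            except ValueError:
                results.append((entry, "invalid"))
    return results


def lint_home_net(conf_text):
    """Return the HOME_NET entries that will not parse; [] if absent or clean."""
    values = parse_vars(conf_text)
    if "HOME_NET" not in values:
        return []
    return [e for e, st in check_net_value(values["HOME_NET"]) if st == "invalid"]
```

Leaving HOME_NET as any keeps Snort running, but rules written as $HOME_NET -> $EXTERNAL_NET then lose their sense of direction, so a correctly formed dotted-quad CIDR is the better long-term setting.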
Current thread:
- snort not capturing Mario Remy Almeida (Sep 14)
- Re: snort not capturing Martin Holste (Sep 14)
- Re: snort not capturing Mario Remy Almeida (Sep 14)
- Re: snort not capturing Martin Holste (Sep 14)
- Re: snort not capturing Mario Remy Almeida (Sep 14)
- Re: snort not capturing Martin Holste (Sep 15)
- Re: snort not capturing Mario Remy Almeida (Sep 15)
- Re: snort not capturing Jason Wallace (Sep 15)
- Re: snort not capturing Mario Remy Almeida (Sep 15)
- Re: snort not capturing waldo kitty (Sep 15)
- Re: snort not capturing Mario Remy Almeida (Sep 14)
- Re: snort not capturing Martin Holste (Sep 14)