Snort mailing list archives
Re: snort not logging
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Fri, 24 Aug 2012 14:05:19 -0400
Hello Pardeep,

I built a shell script called Autosnort around this install guide that automates the entire install process. If you want to rebuild from scratch and run the shell script, you can do that. Here is a link to the script if you are interested: https://github.com/da667/Autosnort

If you wish to troubleshoot your install, here are some recommendations I made in a thread yesterday:

1) Where is your sensor deployed? Are you giving snort traffic off of a span or tap? Have you run /usr/local/snort/bin/snort -i [your sensing interface] to verify snort is seeing traffic? If you see the text "commencing packet processing" followed by no further messages, either the span/tap isn't forwarding traffic to the interface properly, or the interface isn't set up properly. I didn't see anywhere in the install guide where you had to configure the physical interface for promiscuous mode, but try doing so: ifconfig [interface name] up promisc, and see if you get more traffic/alerts.

2) I'm assuming you've added snort and barnyard to rc.local per the install guide. Have you run ps -ef | grep snort to ensure snort and barnyard are running? This doesn't really apply; I can see in your e-mail where you verified snort and barnyard are running.

3) I came to find in my tests that snort report wouldn't give me anything until the machine was rebooted after configuring everything, for one reason or another. Have you rebooted your system since configuring everything per the install guide?

4) Can you verify that srconf.php has the snort database user and password set correctly?

5) Has barnyard2.conf been configured to log to the snort database and given correct credentials to drop information into the database? Check the line in barnyard2.conf, output: log, mysql [user name, password, database name], to verify.

6) Does the snort user have permissions to do things to the snort database? Test by running: mysql -usnort -p[snort user password, no space between -p and the actual password] snort -e "show tables;" If this returns output, the snort user has rights to view data in the snort database.

7) Are the unified2 files growing in size? These files should be located in /var/log/snort and should have the filename snort.u2.[epoch timestamp here]. Do an ls -al and confirm your snort unified files are not zero bytes in size. If they are 0 bytes in size, this indicates snort hasn't generated any alerts off of your traffic. Per the output you showed in your e-mail, the unified2 files are 0 bytes in size. I'm leaning towards this being an issue where the snort sensor isn't seeing other network traffic (again, try bringing up the sensing interface in promiscuous mode), or there simply isn't that much traffic to alert on.

8) Verify what HOME_NET and EXTERNAL_NET are set to in snort.conf. Try setting both to "any" for testing purposes. Also try using BackTrack or a system running Metasploit to attack a system snort has visibility on to generate an alert or two. I did this when I was building the script and testing it: I would run the script, reboot the system, then run Armitage's Hail Mary against an OWASP BWA VM and a Metasploitable 2 VM, and alerts poured in.

I hope this helps,
tony/da667

On Thu, Aug 23, 2012 at 2:43 AM, Pardeep Dhiman <pardeep_dhiman () hotmail com> wrote:
Hi Guys

I have followed the guide below to install Snort on Ubuntu 12.04. Snort is not logging anything into snort.u2.xxxxxx or the database. There is no error in syslog. I can see it is running but no logs.

If I run it like this: /usr/local/snort/bin/snort -A console -i eth1, I can see a lot of traffic on this interface.

Guide URL: http://www.snort.org/assets/158/snortinstallguide293.pdf

# ls -l /var/log/snort/
total 4
-rw-r--r-- 1 snort snort 2056 Aug 23 16:36 barnyard2.waldo
-rw------- 1 snort snort 0 Aug 23 15:05 snort.u2.1345698347
-rw------- 1 snort snort 0 Aug 23 15:14 snort.u2.1345698890
-rw------- 1 snort snort 0 Aug 23 15:15 snort.u2.1345698954
-rw------- 1 root root 0 Aug 23 15:18 snort.u2.1345699083
-rw------- 1 snort snort 0 Aug 23 15:25 snort.u2.1345699538
-rw------- 1 snort snort 0 Aug 23 15:55 snort.u2.1345701330
-rw------- 1 snort snort 0 Aug 23 16:32 snort.u2.1345703561
-rw------- 1 snort snort 0 Aug 23 16:36 snort.u2.1345703783

# ps aux | grep snort
snort 11021 14.5 1.3 352020 115260 ? Rsl 15:55 5:08 /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1
root 11024 0.0 0.0 21580 7064 ? Ss 15:55 0:00 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

tail /var/log/syslog

Aug 23 16:32:41 vcids01 snort[13079]: [ Number of patterns truncated to 20 bytes: 422 ]
Aug 23 16:32:41 vcids01 snort[13079]: pcap DAQ configured to passive.
Aug 23 16:32:41 vcids01 snort[13079]: Acquiring network traffic from "eth1".
Aug 23 16:32:41 vcids01 snort[13079]: Initializing daemon mode
Aug 23 16:32:41 vcids01 snort[13080]: Daemon initialized, signaled parent pid: 13079
Aug 23 16:32:41 vcids01 snort[13080]: Reload thread starting...
Aug 23 16:32:41 vcids01 snort[13080]: Reload thread started, thread 0xa611fb40 (13080)
Aug 23 16:32:41 vcids01 kernel: [ 4045.644037] device eth1 entered promiscuous mode
Aug 23 16:32:41 vcids01 snort[13080]: Decoding Ethernet
Aug 23 16:32:41 vcids01 snort[13080]: Checking PID path...
Aug 23 16:32:41 vcids01 snort[13080]: PID path stat checked out ok, PID path set to /var/run/
Aug 23 16:32:41 vcids01 snort[13080]: Writing PID "13080" to file "/var/run//snort_eth1.pid"
Aug 23 16:32:41 vcids01 snort[13080]: Set gid to 1001
Aug 23 16:32:41 vcids01 snort[13080]: Set uid to 1001
Aug 23 16:32:41 vcids01 snort[13080]:
Aug 23 16:32:41 vcids01 snort[13080]: --== Initialization Complete ==--
Aug 23 16:32:41 vcids01 snort[13080]: Commencing packet processing (pid=13080)
Aug 23 16:32:42 vcids01 barnyard2[13082]: Running in Continuous mode
Aug 23 16:32:42 vcids01 barnyard2[13082]:
Aug 23 16:32:42 vcids01 barnyard2[13082]: --== Initializing Barnyard2 ==--
Aug 23 16:32:42 vcids01 barnyard2[13082]: Initializing Input Plugins!
Aug 23 16:32:42 vcids01 barnyard2[13082]: Initializing Output Plugins!
Aug 23 16:32:42 vcids01 barnyard2[13082]: Parsing config file "/usr/local/snort/etc/barnyard2.conf"
Aug 23 16:32:43 vcids01 barnyard2[13082]: Log directory = /var/log/barnyard2
Aug 23 16:32:43 vcids01 barnyard2[13082]: Initializing daemon mode
Aug 23 16:32:43 vcids01 barnyard2[13082]: Daemon parent exiting
Aug 23 16:32:43 vcids01 barnyard2[13083]: Daemon initialized, signaled parent pid: 13082
Aug 23 16:32:43 vcids01 barnyard2[13083]: PID path stat checked out ok, PID path set to /var/run/
Aug 23 16:32:43 vcids01 barnyard2[13083]: Writing PID "13083" to file "/var/run//barnyard2_eth1.pid"
Aug 23 16:32:43 vcids01 barnyard2[13083]: Last event seen for sid 1 was 0
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: compiled support for (mysql)
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: configured to use mysql
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: schema version = 107
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: host = localhost
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: user = snort
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: database name = snort
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: sensor name = localhost:eth1
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: sensor id = 1
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: sensor cid = 1
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: data encoding = hex
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: detail level = full
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: ignore_bpf = no
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: using the "log" facility
Aug 23 16:32:43 vcids01 barnyard2[13083]:
Aug 23 16:32:43 vcids01 barnyard2[13083]: --== Initialization Complete ==--
Aug 23 16:32:43 vcids01 barnyard2[13083]: Barnyard2 initialization completed successfully (pid=13083)
Aug 23 16:32:43 vcids01 barnyard2[13083]: Using waldo file '/var/log/snort/barnyard2.waldo':#012 spool directory = /var/log/snort#012 spool filebase = snort.u2#012 time_stamp = 1345701330#012 record_idx = 0
Aug 23 16:32:43 vcids01 barnyard2[13083]: Opened spool file '/var/log/snort/snort.u2.1345701330'
Aug 23 16:32:43 vcids01 barnyard2[13083]: Closing spool file '/var/log/snort/snort.u2.1345701330'. Read 0 records
Aug 23 16:32:43 vcids01 barnyard2[13083]: Opened spool file '/var/log/snort/snort.u2.1345703561'
Aug 23 16:32:43 vcids01 barnyard2[13083]: Waiting for new data

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- when does reality end? when does fantasy begin?
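The checklist in the reply above (interface in promiscuous mode, unified2 spool files growing, barnyard2 pointed at the right database, HOME_NET/EXTERNAL_NET values, database credentials) as small POSIX sh functions. This is an added example, not code from the thread or from Autosnort: the function names, the fixture directory and the placeholder password are this example's own, while the paths, config keys and the 0-byte spool files mirror what the thread shows. The functions take a directory, a file or a string, so they run against a live sensor or against the constructed fixtures at the bottom.

```shell
#!/bin/sh
# Added example (not from the thread or Autosnort): the troubleshooting
# checklist as functions that act on a directory/config file/string.
# Paths and config keys follow the thread; function names are this example's own.

# Check 7: count the snort.u2.* spool files in $1 that are larger than 0 bytes.
# "0" means snort has not written a single alert record yet.
u2_nonempty_count() {
    find "$1" -maxdepth 1 -type f -name 'snort.u2.*' -size +0c | wc -l | tr -d ' '
}

# Check 8: value of an ipvar/var in a snort.conf ($1 = conf, $2 = name, e.g. HOME_NET).
snort_var() {
    awk -v v="$2" '($1=="ipvar" || $1=="var") && $2==v {print $3; exit}' "$1"
}

# Check 5: one key=value field from the barnyard2 "output database:" line
# ($1 = barnyard2.conf, $2 = user|password|dbname|host).
by2_db_field() {
    grep -E '^output database: *log, *mysql' "$1" | tr ' ' '\n' \
        | sed -n "s/^$2=//p" | head -n 1
}

# Check 1: does `ip link show dev eth1` output ($1) carry the PROMISC flag?
# The kernel line "device eth1 entered promiscuous mode" in syslog is the other place to look.
iface_is_promisc() {
    printf '%s\n' "$1" | grep -q PROMISC
}

# Check 6: "mysql -usnort -ppassword snort -e 'show tables;'" puts the password
# into `ps` output and shell history. Write a mode-0600 client option file
# instead and run:  mysql --defaults-extra-file="$FILE" snort -e 'show tables;'
write_mysql_opts() {   # $1 = dir, $2 = user, $3 = password; prints the file path
    f="$1/snort-client.cnf"
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$f" )
    printf '%s\n' "$f"
}

# Constructed fixtures mirroring the thread: two 0-byte spool files, a
# snort.conf with both nets set to "any", a barnyard2 output line
# (the password value "example" is a placeholder).
make_fixtures() {
    d=$(mktemp -d)
    mkdir "$d/log"
    : > "$d/log/snort.u2.1345701330"
    : > "$d/log/snort.u2.1345703561"
    printf 'ipvar HOME_NET any\nipvar EXTERNAL_NET any\n' > "$d/snort.conf"
    printf 'output database: log, mysql, user=snort password=example dbname=snort host=localhost\n' \
        > "$d/barnyard2.conf"
    printf '%s\n' "$d"
}

demo() {
    d=$(make_fixtures)
    echo "non-empty unified2 files: $(u2_nonempty_count "$d/log")"
    echo "HOME_NET=$(snort_var "$d/snort.conf" HOME_NET) EXTERNAL_NET=$(snort_var "$d/snort.conf" EXTERNAL_NET)"
    echo "barnyard2 logs to db '$(by2_db_field "$d/barnyard2.conf" dbname)' as user '$(by2_db_field "$d/barnyard2.conf" user)'"
    if iface_is_promisc "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500"; then
        echo "eth1: promiscuous mode on"
    fi
    echo "mysql option file: $(write_mysql_opts "$d" snort example)"
    rm -rf "$d"
}

demo
```

On a real sensor, point u2_nonempty_count at /var/log/snort, snort_var at /usr/local/snort/etc/snort.conf and by2_db_field at /usr/local/snort/etc/barnyard2.conf; feed iface_is_promisc the output of ip link show dev eth1. The option file written by write_mysql_opts is read by the stock mysql client through --defaults-extra-file, which keeps the database password out of the process list that ps aux | grep snort would otherwise expose.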
Current thread:
- snort not logging Pardeep Dhiman (Aug 24)
- Re: snort not logging Tony Robinson (Aug 24)