Re: snort not logging

[Tony Robinson <deusexmachina667 () gmail com>]

Hello Pardeep,

I built a shell script called Autosnort around this install guide that
automates the entire install process. If you want to rebuild from scratch
and run the shell script, you can do that. Here is a link to the script if
you are interested: https://github.com/da667/Autosnort

If you wish to troubleshoot your install, here are some recommendations I
made in a thread yesterday:

1) Where is your sensor deployed? are you giving snort traffic off of a
span or tap? Have you ran /usr/local/snort/bin/snort -i [your sensing
interface] to verify snort is seeing traffic? If you the text "commencing
packet processing" followed by no further messages, either the span/tap
isn't forward traffic to the interface properly, or the interface is set up
properly. I didnt' see anywhere in the install guide where you had to
configure the physical interface for promiscuous mode, but try doing so.
ifconfig [interface name] up promisc and see if you get more traffic/alerts.

2) I'm assuming you've added snort and barnyard to rc.local per the install
guide. Have you ran ps -ef | grep snort to ensure snort and barnyard are
running?

this doesn't really apply. I can see in your e-mail where you verified
snort and barnyard are running.

3) I came to find in my tests that snort report wouldn't give me anything
until the machine was rebooted after configuring everything for one reason
or another. Have you rebooted your system since configuring everything per
the install guide?

4) Can you verify that srconf.php has the snort database user and password
set correctly?

5) Has barnyard2.conf been configured to log to the snort database and
given correct credentials to drop information into the database? Check the
line in barnyard2.conf
 output: log, mysql [user name, password, database name] to verify

6) does the snort user have permissions to do things to the snort database?
test by running: mysql -usnort -p[snort user password, no space between -p
and the actual password] snort -e "show tables;"  if this returns output
the snort user has rights to view data in the snort database.

7) are the unfied2 files growing in size? These files should be located in
/var/log/snort, should have the filename snort.u2.[epoch timestamp here].
Do an ls -al and confirm your snort unified files are not zero bytes in
size. If they are 0 bytes in size this indicates snort hasn't generated any
alerts off of your traffic.

per the output you showed in your e-mail the unified 2 files are 0 bytes in
size. I'm leaning towards this being an issue where the snort sensor isn't
seeing other network traffic (again, try bring up the sensing interface in
promiscuous mode), or there simply isn't that much traffic to alert on.

8) verify what HOME and EXTERNAL_NET are set to in snort.conf. Try setting
both to "any" for testing purposes. Also try using backtrack or a system
running metasploit to attack a system snort has visibility on to generate
an alert or two.

I did this when I was building the script and testing it -- I would run the
script, reboot the system, then run armitage's hail mary against an OWASP
BWA VM and a metasploitable 2 VM and alerts poured in.

I hope this helps,

tony/da667


On Thu, Aug 23, 2012 at 2:43 AM, Pardeep Dhiman
<pardeep_dhiman () hotmail com>wrote:

> Hi Guys****
>
> ** **
>
> I have followed this below guide to install Snort on Ubuntu 12.04. Snort
> is not logging anything into snort.u2.xxxxxx or database. There is no error
> in syslog. I can see it is running but not logs. ****
>
> ** **
>
> If I run like this /usr/local/snort/bin/snort -A console -i eth1 ****
>
> I can see a lot traffic on this interface ****
>
> ** **
>
> ** **
>
> Guide URL: ****
>
> http://www.snort.org/assets/158/snortinstallguide293.pdf****
>
> ** **
>
> ** **
>
> #ls -l  /var/log/snort/****
>
> total 4****
>
> -rw-r--r-- 1 snort snort 2056 Aug 23 16:36 barnyard2.waldo****
>
> -rw------- 1 snort snort    0 Aug 23 15:05 snort.u2.1345698347****
>
> -rw------- 1 snort snort    0 Aug 23 15:14 snort.u2.1345698890****
>
> -rw------- 1 snort snort    0 Aug 23 15:15 snort.u2.1345698954****
>
> -rw------- 1 root  root     0 Aug 23 15:18 snort.u2.1345699083****
>
> -rw------- 1 snort snort    0 Aug 23 15:25 snort.u2.1345699538****
>
> -rw------- 1 snort snort    0 Aug 23 15:55 snort.u2.1345701330****
>
> -rw------- 1 snort snort    0 Aug 23 16:32 snort.u2.1345703561****
>
> -rw------- 1 snort snort    0 Aug 23 16:36 snort.u2.1345703783****
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> # ps aux | grep snort****
>
> ** **
>
> snort    11021 14.5  1.3 352020 115260 ?       Rsl  15:55   5:08
> /usr/local/snort/bin/snort -D -u snort -g snort -c
> /usr/local/snort/etc/snort.conf -i eth1****
>
> root     11024  0.0  0.0  21580  7064 ?        Ss   15:55   0:00
> /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G
> /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d
> /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D****
>
> ** **
>
> ** **
>
> tail /var/log/syslog****
>
> ** **
>
> ** **
>
> Aug 23 16:32:41 vcids01 snort[13079]: [ Number of patterns truncated to 20
> bytes: 422 ]****
>
> Aug 23 16:32:41 vcids01 snort[13079]: pcap DAQ configured to passive.****
>
> Aug 23 16:32:41 vcids01 snort[13079]: Acquiring network traffic from
> "eth1".****
>
> Aug 23 16:32:41 vcids01 snort[13079]: Initializing daemon mode****
>
> Aug 23 16:32:41 vcids01 snort[13080]: Daemon initialized, signaled parent
> pid: 13079****
>
> Aug 23 16:32:41 vcids01 snort[13080]: Reload thread starting...****
>
> Aug 23 16:32:41 vcids01 snort[13080]: Reload thread started, thread
> 0xa611fb40 (13080)****
>
> Aug 23 16:32:41 vcids01 kernel: [ 4045.644037] device eth1 entered
> promiscuous mode****
>
> Aug 23 16:32:41 vcids01 snort[13080]: Decoding Ethernet****
>
> Aug 23 16:32:41 vcids01 snort[13080]: Checking PID path...****
>
> Aug 23 16:32:41 vcids01 snort[13080]: PID path stat checked out ok, PID
> path set to /var/run/****
>
> Aug 23 16:32:41 vcids01 snort[13080]: Writing PID "13080" to file
> "/var/run//snort_eth1.pid"****
>
> Aug 23 16:32:41 vcids01 snort[13080]: Set gid to 1001****
>
> Aug 23 16:32:41 vcids01 snort[13080]: Set uid to 1001****
>
> Aug 23 16:32:41 vcids01 snort[13080]:****
>
> Aug 23 16:32:41 vcids01 snort[13080]:         --== Initialization Complete
> ==--****
>
> Aug 23 16:32:41 vcids01 snort[13080]: Commencing packet processing
> (pid=13080)****
>
> Aug 23 16:32:42 vcids01 barnyard2[13082]: Running in Continuous mode****
>
> Aug 23 16:32:42 vcids01 barnyard2[13082]:****
>
> Aug 23 16:32:42 vcids01 barnyard2[13082]:         --== Initializing
> Barnyard2 ==--****
>
> Aug 23 16:32:42 vcids01 barnyard2[13082]: Initializing Input Plugins!****
>
> Aug 23 16:32:42 vcids01 barnyard2[13082]: Initializing Output Plugins!****
>
> Aug 23 16:32:42 vcids01 barnyard2[13082]: Parsing config file
> "/usr/local/snort/etc/barnyard2.conf"****
>
> Aug 23 16:32:43 vcids01 barnyard2[13082]: Log directory =
> /var/log/barnyard2****
>
> Aug 23 16:32:43 vcids01 barnyard2[13082]: Initializing daemon mode****
>
> Aug 23 16:32:43 vcids01 barnyard2[13082]: Daemon parent exiting****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: Daemon initialized, signaled
> parent pid: 13082****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: PID path stat checked out ok,
> PID path set to /var/run/****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: Writing PID "13083" to file
> "/var/run//barnyard2_eth1.pid"****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: Last event seen for sid 1 was 0*
> ***
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database: compiled support for
> (mysql)****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database: configured to use mysql
> ****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database: schema version = 107**
> **
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database:           host =
> localhost****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database:           user = snort
> ****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database:  database name = snort
> ****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database:    sensor name =
> localhost:eth1****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database:      sensor id = 1****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database:     sensor cid = 1****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database:  data encoding = hex**
> **
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database:   detail level = full*
> ***
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database:     ignore_bpf = no***
> *
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: database: using the "log"
> facility****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]:****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]:         --== Initialization
> Complete ==--****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: Barnyard2 initialization
> completed successfully (pid=13083)****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: Using waldo file
> '/var/log/snort/barnyard2.waldo':#012    spool directory =
> /var/log/snort#012    spool filebase  = snort.u2#012    time_stamp      =
> 1345701330#012    record_idx      = 0****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: Opened spool file
> '/var/log/snort/snort.u2.1345701330'****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: Closing spool file
> '/var/log/snort/snort.u2.1345701330'. Read 0 records****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: Opened spool file
> '/var/log/snort/snort.u2.1345703561'****
>
> Aug 23 16:32:43 vcids01 barnyard2[13083]: Waiting for new data****
>
> ** **
>
> ** **
>
> ** **
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
when does reality end? when does fantasy begin?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!