Snort mailing list archives
Re: Log problems
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 27 Nov 2012 11:23:08 -0600
Here's how snort works when coupled with barnyard2 and mysql. Snort listens on a NIC and, when an alert is triggered, writes to a unified2 log file.

So, step 1 in troubleshooting is to verify that the NIC is in promiscuous mode. In general, if you run ifconfig, it should look like this for one of the NICs on the host:

bce1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500

PROMISC means promiscuous mode.

Step 2 is to verify that the NIC is seeing traffic. This can be done easily by running tcpdump like this:

tcpdump -i bce1

(on most Linux boxes it will be eth0 or eth1)

If you see traffic, you need to move on to verifying that snort is working. Start snort in console mode with the Test switch:

snort -T -c /path/to/snort/confile

If there are any errors, they are usually self-explanatory. E.g. ipvar not found, missing semi-colon on line 129 of snort.rulefile, etc. Fix all those errors until snort runs without errors. If it's working correctly, you should see this at the end:

Snort successfully validated the configuration!
Snort exiting

Once you have verified that 1) the NIC is listening and 2) the NIC sees traffic and 3) snort runs without errors using your conf file, the only thing left is the rules files you're using. Remember, snort is an IDS. It's designed to look for specific signatures. If none are seen, there will be no alerts.

If you want to verify that snort will actually alert on something, then write a simple test rule:

alert tcp any any -> any any (msg:"Testing"; rev:1; sid:1;)

This will alert for ALL traffic, so if there's any traffic at all and snort is working properly, your logfile will grow quite large very quickly.

--On November 26, 2012 11:10:43 AM -0700 honeybadger () q com wrote:
> I have been trying to figure out log problems.... Since then you all are saying that BY2 was a red herring I am trying to find what is the problem in the snort.config file with no success. It looks like snort is starting ok, pulled pork is checking rules and it says it is running. But no output in /var/log. Any ideas all?
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell
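The four checks in Paul's message, scripted, as an added example that is not part of the original thread or of the Snort project. The parsing helpers take command output as an argument so they can be exercised on constructed sample text on a host that has neither snort nor tcpdump installed; run_checks() wires them to the real commands. The default interface name and snort.conf path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: Paul's troubleshooting steps
# as a script. Helpers parse command output passed as $1 so they can be tested
# on constructed samples; run_checks() runs them against the live host.
# Defaults for interface and config path are assumptions; adjust for your box.

# Step 1: does the interface's flags line carry PROMISC?
# $1 = output of "ifconfig <iface>" ("ip link show <iface>" also prints PROMISC)
nic_is_promisc() {
    printf '%s\n' "$1" | grep -q 'PROMISC'
}

# Step 2: did tcpdump capture anything? $1 = tcpdump's stderr summary,
# e.g. "12 packets captured". Returns false on zero packets or no summary.
tcpdump_saw_traffic() {
    count=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) packets captured.*/\1/p' | head -n 1)
    [ -n "$count" ] && [ "$count" -gt 0 ]
}

# Step 3: did "snort -T" finish with the success banner? $1 = snort's output
snort_config_validated() {
    printf '%s\n' "$1" | grep -q 'Snort successfully validated the configuration!'
}

# Step 4: write the catch-all rule from the message to a rules file so that
# any traffic at all produces an alert. $1 = path of the rules file to write.
write_test_rule() {
    printf '%s\n' 'alert tcp any any -> any any (msg:"Testing"; rev:1; sid:1;)' > "$1"
}

# Run steps 1-3 against the live host. $1 = interface, $2 = snort.conf path
run_checks() {
    iface=${1:-eth0}
    conf=${2:-/etc/snort/snort.conf}

    if nic_is_promisc "$(ifconfig "$iface" 2>/dev/null)"; then
        echo "[ok] $iface is in promiscuous mode"
    else
        echo "[!!] $iface is not in promiscuous mode (or does not exist)"; return 1
    fi

    # -c 10 stops after ten packets; on a completely silent link this blocks,
    # which is itself the answer to step 2. tcpdump's summary goes to stderr,
    # so stderr is captured and the packet dump itself is discarded.
    if tcpdump_saw_traffic "$(tcpdump -c 10 -i "$iface" 2>&1 >/dev/null)"; then
        echo "[ok] $iface sees traffic"
    else
        echo "[!!] tcpdump captured nothing on $iface"; return 1
    fi

    if snort_config_validated "$(snort -T -c "$conf" 2>&1)"; then
        echo "[ok] snort validated $conf"
    else
        echo "[!!] snort -T reported errors for $conf; rerun it and fix them"; return 1
    fi
    echo "All three checks passed; what remains is the rules you load."
}
```

Run it as root (tcpdump and snort need capture rights) with `run_checks bce1 /path/to/snort.conf`. Treat the catch-all rule as a one-off smoke test: load it, confirm the unified2 file grows, then remove it, since it will fire on every packet. The rule is kept exactly as written in the message; when you keep local rules around permanently, give them SIDs of 1000000 or above so they do not collide with the SID ranges used by the distributed rulesets.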
Current thread:
- Log problems honeybadger (Nov 27)
- Re: Log problems waldo kitty (Nov 27)
- Re: Log problems Paul Schmehl (Nov 27)
- Re: Log problems honeybadger (Nov 27)
- Re: Log problems Ron Sinclair (Nov 27)
- Re: Log problems honeybadger (Nov 28)
- Re: Log problems waldo kitty (Nov 28)
- Re: Log problems honeybadger (Nov 28)
- Re: Log problems JJC (Nov 28)
- Re: Log problems Jeremy Hoel (Nov 28)
- Re: Log problems honeybadger (Nov 27)