Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Log problems

From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 27 Nov 2012 11:23:08 -0600
Here's how snort works when coupled with barnyard2 and mysql.

Snort listens on a NIC and, when an alert is triggered, writes to a 
unified2 log file.

So, step 1 in troubleshooting is to verify that the NIC is in promiscuous 
mode.  In general, if you run ifconfig, it should look like this for one of 
the NICs on the host:
bce1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 
mtu 1500

PROMISC means promiscuous mode.

Step 2 is to verify that the NIC is seeing traffic.  This can be done 
easily by running tcpdump like this: tcpdump -i bce1 (on most Linux boxes 
it will be eth0 or eth1)

If you see traffic, you need to move on to verifying that snort is working.

Start snort in console mode with the Test switch - snort -T -c 
/path/to/snort/confile

If there are any errors, they are usually self-explanatory.  E.g. ipvar not 
found, missing semi-colon on line 129 of snort.rulefile, etc.

Fix all those errors until snort runs without errors.  If it's working 
correctly, you should see this at the end:

Snort successfully validated the configuration!
Snort exiting

Once you have verified that 1) the NIC is listening and 2) the NIC sees 
traffic and 3) snort runs without errors using your conf file, the only 
thing left is the rules files you're using.

Remember, snort is an IDS.  It's designed to look for specific signatures. 
If none are seen, there will be no alerts.

If you want to verify that snort will actually alert on something, then 
write a simple test rule: alert tcp any any -> any any (msg:"Testing"; 
rev:1; sid:1;).  This will alert for ALL traffic, so if there's any traffic 
at all and snort is working properly, your logfile will grow quite large 
very quickly.





--On November 26, 2012 11:10:43 AM -0700 honeybadger () q com wrote:


I have been trying to figure out log problems....

Since then you all are saying that BY2 was a red herring I am trying to
find what is the problem in the snort.config file with no success.

It looks like snort is starting ok, pulled pork is checking rules and it
says it is running.

But no output in /var/log.

Any ideas all?




-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: