Snort mailing list archives

Re: Log problems


From: Ron Sinclair <unixfool () gmail com>
Date: Tue, 27 Nov 2012 19:42:46 -0500

So, what were the issues?


On Nov 27, 2012, at 3:53 PM, honeybadger () q com wrote:

Paul, 


Thanks very much. 

Thanks to you and the others here, I managed to fix the issues and learn a lot. 

Steve

Paul Schmehl <pschmehl_lists () tx rr com> wrote:
Here's how snort works when coupled with barnyard2 and mysql.

Snort listens on a NIC and, when an alert is triggered, writes to a 
unified2 log file.

So, step 1 in troubleshooting is to verify that the NIC is in promiscuous 
mode.  In general, if you run ifconfig, it should look like this for one of 
the NICs on the host:
bce1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500

PROMISC means promiscuous mode.

Step 2 is to verify that the NIC is seeing traffic.  This can be done 
easily by running tcpdump like this: tcpdump -i bce1 (on most Linux boxes 
it will be eth0 or eth1)

If you see traffic, you need to move on to verifying that snort is working.

Start snort in console mode with the Test switch - snort -T -c 
/path/to/snort.conf

If there are any errors, they are usually self-explanatory.  E.g. ipvar not 
found, missing semi-colon on line 129 of snort.rulefile, etc.

Fix all those errors until snort runs without errors.  If it's working 
correctly, you should see this at the end:

Snort successfully validated the configuration!
Snort exiting

Once you have verified that 1) the NIC is listening and 2) the NIC sees 
traffic and 3) snort runs without errors using your conf file, the only 
thing left is the rules files you're using.

Remember, snort is an IDS.  It's designed to look for specific signatures. 
If none are seen, there will be no alerts.

If you want to verify that snort will actually alert on something, then 
write a simple test rule: alert tcp any any -> any any (msg:"Testing"; 
rev:1; sid:1;).  This will alert for ALL traffic, so if there's any traffic 
at all and snort is working properly, your logfile will grow quite large 
very quickly.





--On November 26, 2012 11:10:43 AM -0700 honeybadger () q com wrote:

I have been trying to figure out log problems....

Since you all are saying that BY2 was a red herring, I am trying to
find what the problem is in the snort.config file, with no success.

It looks like snort is starting OK, PulledPork is checking rules and it
says it is running.

But no output in /var/log.

Any ideas all?



-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
DESIGN Expert tips on starting your parallel project right.
http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
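The four checks in Paul's reply (PROMISC on the NIC, traffic on the NIC, `snort -T` accepting the config, and a catch-all test rule) scripted as one POSIX shell file. This is an added example, not code from the thread or from the Snort project. The interface name and snort.conf path are assumptions passed in by the caller; `ip`/`ifconfig`, `tcpdump`, `timeout` and `snort` are only invoked when present on the host; the sample ifconfig, tcpdump and snort output strings below are constructed for offline checking, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the thread). Usage:
#   sh snort_check.sh bce1 /etc/snort/snort.conf
# Interface name and config path are assumptions supplied by the caller.

# Constructed sample output (not captured from a real host), used by the
# parsing functions below so the logic can be exercised offline.
SAMPLE_IFCONFIG_PROMISC='bce1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500'
SAMPLE_IFCONFIG_PLAIN='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500'
SAMPLE_TCPDUMP_OK='5 packets captured
5 packets received by filter
0 packets dropped by kernel'
SAMPLE_TCPDUMP_EMPTY='0 packets captured
0 packets received by filter
0 packets dropped by kernel'
SAMPLE_SNORT_OK='Snort successfully validated the configuration!
Snort exiting'
SAMPLE_SNORT_ERR='ERROR: /etc/snort/rules/local.rules(129): constructed sample parse error
Fatal Error, Quitting..'

# Step 1: is the NIC in promiscuous mode?  Takes one flags line from
# `ifconfig` or `ip -o link show` and returns 0 if it carries PROMISC.
# Caveat: libpcap sets PROMISC when snort (or tcpdump) opens the device,
# so run this check while snort is actually running.
nic_is_promisc() {
    case "$1" in
        *PROMISC*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Fetch the flags line for an interface, preferring ip(8) over ifconfig.
nic_flags_line() {
    if command -v ip >/dev/null 2>&1; then
        ip -o link show "$1" 2>/dev/null
    elif command -v ifconfig >/dev/null 2>&1; then
        ifconfig "$1" 2>/dev/null | head -n 1
    fi
}

# Step 2: parse tcpdump's closing stats; 0 if at least one packet was captured.
tcpdump_saw_packets() {
    printf '%s\n' "$1" | grep -q '^[1-9][0-9]* packets captured'
}

# Capture a handful of packets.  `tcpdump -c N` exits after N packets; on a
# dead span/tap it would block forever, so wrap it in timeout(1) if available.
nic_sees_traffic() {
    iface="$1"; want="${2:-5}"
    if command -v timeout >/dev/null 2>&1; then
        out=$(timeout 10 tcpdump -nn -i "$iface" -c "$want" 2>&1)
    else
        out=$(tcpdump -nn -i "$iface" -c "$want" 2>&1)
    fi
    tcpdump_saw_packets "$out"
}

# Step 3: did `snort -T -c CONF` accept the config?  0 on the success banner.
snort_output_ok() {
    printf '%s\n' "$1" | grep -q 'Snort successfully validated the configuration!'
}

# Step 4: a catch-all rule to prove alerting works.  Local rules should use
# sid >= 1000000 (the lower range is reserved for the Snort/VRT rule sets),
# so this defaults to 1000001 instead of the sid:1 used in the thread.
test_rule() {
    printf 'alert tcp any any -> any any (msg:"Testing"; sid:%s; rev:1;)\n' "${1:-1000001}"
}

# Write the test rule to a rules file (path and sid are caller-supplied).
write_test_rule() {
    test_rule "$2" > "$1"
}

# Run the four steps in order and stop at the first failure.
check_host() {
    iface="$1"; conf="$2"
    nic_is_promisc "$(nic_flags_line "$iface")" \
        && echo "1. $iface is in promiscuous mode" \
        || { echo "1. $iface is NOT promiscuous (check while snort is running)"; return 1; }
    nic_sees_traffic "$iface" \
        && echo "2. $iface sees traffic" \
        || { echo "2. no packets on $iface (wrong interface, or dead span/tap?)"; return 1; }
    snort_output_ok "$(snort -T -c "$conf" 2>&1)" \
        && echo "3. snort -T validated $conf" \
        || { echo "3. snort -T rejected $conf; rerun it and fix the reported errors"; return 1; }
    echo "4. all checks passed; to force alerts, add this rule to a file included by $conf:"
    test_rule
}

# Only drive the checks when an interface was given on the command line.
case "${1:-}" in
    '') ;;
    *)  check_host "$1" "${2:-/etc/snort/snort.conf}" ;;
esac
```

The parsing is split from the command invocation so each step can be checked against captured output on a box where you cannot run `tcpdump` or `snort` as root; `timeout` is a GNU coreutils command, so on FreeBSD (where the `bce1` interface in the thread lives) the tcpdump step simply runs without it.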

Current thread: