Re: Snort and Proxmox

[Jeremy Hoel <jthoel () gmail com>]

Ok, so snort is up, and you say its seeing all packets, but the rules
aren't firing?  What is your snort output set as?  Hve you tried using
syslog or portfast just so you can see the output vs it going to a
binary file?

Also, please reply to the list, so that others might be able to chime
in or help out.

On Mon, Jan 28, 2013 at 7:55 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
> Ok I got that working again....On to my original issue.....Yes I was able to do a tcpdump on both interfaces (WAN and 
> LAN) they both are listening to packets.
>
> -----Original Message-----
> From: Jeremy Hoel [mailto:jthoel () gmail com]
> Sent: Monday, January 28, 2013 11:33 AM
> To: Josh Bitto
> Subject: Re: [Snort-users] Snort and Proxmox
>
> Check the system logs to see if it gives you an error message.  If it's set to start, but then isn't running after 
> boot, it probably failed for some reason. Snort is pretty good about telling you why it stopped.
>
> On Mon, Jan 28, 2013 at 7:19 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
> > Well to further my problem......Last week it was working fine. I come in this morning to start working and start up 
> > the VM's and I'm showing the service not even running in PFsense. I restart everything even reinstall the snort 
> > package. Even on boot up it shows snort service started......but looking at top and also via the web gui it actually 
> > isn't running.....Any ideas?
> >
> >
> >
> >
> > -----Original Message-----
> > From: Jeremy Hoel [mailto:jthoel () gmail com]
> > Sent: Monday, January 28, 2013 11:13 AM
> > To: Josh Bitto
> > Cc: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Snort and Proxmox
> >
> > You should start with running TCPdump on the listening interface on the snort box to make sure it's seeing the 
> > packets you expect it to see.
> >
> >
> >
> > On Mon, Jan 28, 2013 at 5:12 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
> > > Hello Everyone,
> > >
> > >
> > >
> > > I'm new on using snort and I'm needing to lean on your expertise.
> > > We've decided to use snort on our network and in doing so I've setup
> > > a small test lab away from the actual network to see how this IDS works.
> > > So here's the problem.....I can't get snort to show any logs. I want
> > > to be able to see if it's actually working or not.
> > >
> > >
> > >
> > > I set up a stand-alone server with proxmox on it.
> > >
> > >
> > >
> > > Created 2 VM's
> > >
> > >
> > >
> > > One is Pfsense
> > >
> > > The other is just a xp machine.
> > >
> > >
> > >
> > > In proxmox interface.conf looks like this.
> > >
> > >
> > >
> > > Config looks like this:
> > >
> > > Auto lo
> > >
> > > Iface lo inet loopback
> > >
> > >
> > >
> > > Auto VMbr0
> > >
> > > Iface vmbr0 inet static
> > >
> > >                 Address 192.168.3.15
> > >
> > >                 Netmask  255.255.252.0
> > >
> > >                 Gateway 192.168.1.1
> > >
> > >                 Bridge_ports eth0
> > >
> > >                 Bridge_stp off
> > >
> > >                 Bridge_fd 0
> > >
> > >
> > >
> > > Auto vmbr1
> > >
> > > Iface vmbr1 inet manual
> > >
> > >                 Bridge_ports eth1
> > >
> > >                 Bridge_stp off
> > >
> > >                 Bridge_fd 0
> > >
> > >
> > >
> > >
> > >
> > > I did everything to spec in pfsense....its pretty straight forward.
> > >
> > > 1.       Setup the interface on pfsense to match in proxmox
> > >
> > > 2.       Downloaded the snort package
> > >
> > > 3.       Obtained a oinkmaster code
> > >
> > > 4.       Created the WAN interface in snort.
> > >
> > > 5.       Checked ALL the rules to activate them.
> > >
> > > 6.       Even restarted both pfsense and the snort service.
> > >
> > >
> > >
> > > I just for some reason can't get the darn thing to log events....as a
> > > test. I activated teamviewer rules and tried to block an event and
> > > couldn't get it to do that. So my thinking is....Its somewhere at the
> > > interface. I just don't know what I need to do. Any help would be greatful!
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Josh
> > >
> > >
> > > ---------------------------------------------------------------------
> > > -
> > > -------- Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012,
> > > HTML5, CSS, MVC, Windows 8 Apps, JavaScript and much more. Keep your
> > > skills current with LearnDevNow - 3,200 step-by-step video tutorials
> > > by Microsoft MVPs and experts. ON SALE this month only -- learn more
> > > at:
> > > http://p.sf.net/sfu/learnnow-d2d
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!