Snort mailing list archives

Re: no IDS logs from snort


From: Kevin Thomas <axel2078 () gmail com>
Date: Fri, 08 Mar 2013 23:02:51 -0600

Here is a little more information.  This is what I get when I run a test 
against the snort.conf file:
-----snip-----
        --== Initialization Complete ==--

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.4 GRE (Build 40)
    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
            Using libpcap version 1.0.0
            Using PCRE version: 8.31 2012-07-06
            Using ZLIB version: 1.2.7
------snip------
Snort successfully validated the configuration!
Snort exiting

Here is a snippet from /var/log/messages.

Mar  6 23:39:06 ipfire snort[26313]: Log directory = /var/log/snort
Mar  6 23:39:09 ipfire snort[26313]:       Memcap used for logging URI and Hostname: 150994944
Mar  6 23:39:16 ipfire snort[26313]:     Max number of dialogs in a session: 4 (Default)
Mar  6 23:39:20 ipfire snort[26313]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log

Anyone have any idea why snort isn't writing to the log files?

Kevin


On 3/8/2013 4:44 PM, Kevin Thomas wrote:
I posted an email about this on March 6th, but for brevity's sake, I'll just rehash the important stuff:

- snort isn't logging anything, but it is running.
- it is creating empty files
- snort version is 2.9.4 and snort.conf is version 2.9.1.1
- system was installed (snort activated) around mid-Feb.)

This is the result from ps -ef:

/usr/sbin/snort -c /etc/snort/snort.conf -i red0 -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run/

This is the contents of my /var/log/snort directory.  As you can see, it's creating files, but they are all empty.

-rw-r--r-- 1 root root  0 2013-03-03 00:01 alert
-rw-r--r-- 1 root root 20 2013-03-03 00:01 alert.1.gz
-rw-r--r-- 1 root root 20 2013-02-24 00:01 alert.2.gz
-rw-r--r-- 1 root root 20 2013-02-17 00:01 alert.3.gz
-rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.5.gz
-rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
-rw-r--r-- 1 root root  0 2013-02-10 18:29 snort.log.1360542580
-rw-r--r-- 1 root root  0 2013-03-02 14:01 snort.log.1362254506
-rw-r--r-- 1 root root  0 2013-03-02 14:59 snort.log.1362257974
-rw-r--r-- 1 root root  0 2013-03-07 00:03 snort.log.1362636207

These are all the snort files on my system:

[root@ipfire snort]# find / -name snort
/etc/snort
/etc/rc.d/init.d/snort
/usr/sbin/snort
/usr/lib/snort
/var/log/snort
/var/ipfire/snort

This is the contents of the /etc/snort directory.  The files owned by root:root were created by me.

-rw-r--r-- 1 root   root      152 2013-03-06 18:13 readme.txt
drwxr-xr-x 2 nobody nobody  12288 2013-03-06 23:37 rules
-rw-r--r-- 1 nobody nobody  19506 2013-03-06 23:57 snort.conf
-rw-r--r-- 1 nobody nobody  19506 2013-02-16 11:03 snort.conf.orig
-rwxr-xr-x 1 root   root       73 2013-03-06 18:38 snort-test.sh
-rwxr-xr-x 1 root   root       29 2013-03-07 00:01 start.sh
-rwxr-xr-x 1 root   root       28 2013-03-07 00:02 stop.sh
-rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
-rw-r--r-- 1 root   root      104 2013-03-07 00:03 vars

Someone asked me in a separate email what my logging/output settings in snort.conf were.  I think this is it.  If not, let me know.


# config logdir:
(this line is blank - nothing here)

#############################

# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

# prelude
# output alert_prelude

# metadata reference data.  do not modify these lines
include /etc/snort/rules/classification.config
include /etc/snort/rules/reference.config

I think I read somewhere else that the variables below should say vars and not ipvars if you are not using IPv6 in your environment, which I am not.

# taken from /etc/snort vars
#ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

# List of DNS servers on your network
#ipvar DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
ipvar SMTP_SERVERS $HOME_NET

# List of web servers on your network
ipvar HTTP_SERVERS $HOME_NET

# List of sql servers on your network
ipvar SQL_SERVERS $HOME_NET

# List of telnet servers on your network
ipvar TELNET_SERVERS $HOME_NET

# List of ssh servers on your network
ipvar SSH_SERVERS $HOME_NET

# List of ftp servers on your network
ipvar FTP_SERVERS $HOME_NET

Any help you guys could provide with this would be most appreciated.  Thank you.

Kevin
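The configuration quoted above has every `output` directive and the `HOME_NET` definition commented out, and the log directory holds only zero-byte files. The script below, added here as an example and not part of the original mail or of IPFire's snort-test.sh, checks a snort.conf and a log directory for exactly those three symptoms; the sample config and log directory it builds are constructed to mirror the snippets in the mail.

```shell
#!/bin/sh
# Added triage helper (not from the original post): report the snort.conf
# settings most relevant to "snort runs but the alert files stay empty".

# Print the effective (uncommented) "output" directives in a snort.conf.
active_outputs() {
    # strip leading whitespace, drop comment lines, keep output directives
    sed -e 's/^[[:space:]]*//' "$1" | grep -v '^#' | grep '^output '
}

# Count them; 0 means no output plugin is configured and Snort falls back
# to its built-in defaults (alert file plus snort.log.<timestamp> in -l dir).
count_active_outputs() {
    active_outputs "$1" | wc -l | tr -d ' '
}

# Report whether HOME_NET is set by an uncommented "ipvar" or "var" line.
home_net_defined() {
    sed -e 's/^[[:space:]]*//' "$1" | grep -v '^#' \
        | grep -Eq '^(ipvar|var) HOME_NET ' && echo yes || echo no
}

# Count files in a Snort log directory that contain any data at all.
nonempty_logs() {
    find "$1" -maxdepth 1 -type f -size +0c | wc -l | tr -d ' '
}

# Constructed sample config mirroring the mail: outputs and HOME_NET commented out.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
#ipvar HOME_NET any
ipvar EXTERNAL_NET any
# output unified2: filename merged.log, limit 128, nostamp
# output alert_syslog: LOG_AUTH LOG_ALERT
include /etc/snort/rules/classification.config
EOF

# Constructed sample log directory: empty alert file, one 24-byte snort.log.
SAMPLE_LOGDIR=$(mktemp -d)
: > "$SAMPLE_LOGDIR/alert"
printf '%024d' 0 > "$SAMPLE_LOGDIR/snort.log.1360513061"

# Summarise the three checks for a given conf file and log directory.
triage() {
    echo "active output directives : $(count_active_outputs "$1")"
    echo "HOME_NET defined         : $(home_net_defined "$1")"
    echo "non-empty log files      : $(nonempty_logs "$2")"
}
triage "$SAMPLE_CONF" "$SAMPLE_LOGDIR"
```

Point `triage` at /etc/snort/snort.conf and /var/log/snort (and at any file the conf includes, such as /etc/snort/vars) to run the same checks on a live box.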