Snort mailing list archives
Re: no IDS logs from snort
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 09 Mar 2013 14:46:45 -0500
On 3/9/2013 14:23, Ray Caparros wrote:
Kevin, Looking at your config file, none of your output plugins are active. I would at least turn on syslog or the log_tcpdump.log. Hope this helps!
i have /never/ defined any output plugins in snort... it has at least two defaults... the first creates a plain ASCII text alert file and the second creates a pcap file for each execution of snort... the contents are pcaps of each packet of traffic that caused an alert to be written to the alert file... this problem is related to something else... i've seen it numerous other times in another firewall project and it has only recently started with the 2.9 series of snorts... in our case, we've found that the conf file distributed with our compile of snort contains dotted paths but we don't know "where we are" when those paths are encountered... snort runs but doesn't log... we change those dotted paths to fully defined paths, restart snort and then things seem to start working... the dotted paths we have seen are not related to the placement of the log files... we're not even certain that these dotted paths are the problem but we know that we change them in all cases when they appear... we fixed the dotted paths in our distributed conf file and i don't recall recent reports since then... but not a lot of folks use snort, either... many want something like an anti-virus tool that fits all systems and networks... they don't want to learn why the rules are alerting which leads them deeper into networking mechanics than they care to go... they don't want to have to deal with blocks and figuring out which rule caused such a block and then to decide which one of several methods would be the best to use to "fix" that rule... sometimes you might just completely disable a rule in snort... or you may tell your reactive control tools to ignore those alerts from that rule... you might want something more refined where that rule is applied to all traffic except that from certain sites... snort's threshold file may cover this for you or, again, you may be able to handle it in your reactive control tool... that's only 2 scenarios with at least two options each... 
NOTE: i do not work for VRT or sourcefire... the conf i speak of distributing above is for snort as used on another product...
-Ray

On Sat, Mar 9, 2013 at 12:02 AM, Kevin Thomas <axel2078 () gmail com> wrote:

Here is a little more information. This is what I get when I run a test against the snort.conf file:

-----snip-----
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.7
-----snip-----

Snort successfully validated the configuration!
Snort exiting

Here is a snippet from /var/log/messages.

Mar 6 23:39:06 ipfire snort[26313]: Log directory = /var/log/snort
Mar 6 23:39:09 ipfire snort[26313]: Memcap used for logging URI and Hostname: 150994944
Mar 6 23:39:16 ipfire snort[26313]: Max number of dialogs in a session: 4 (Default)
Mar 6 23:39:20 ipfire snort[26313]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log

Anyone have any idea why snort isn't writing to the log files?

Kevin

On 3/8/2013 4:44 PM, Kevin Thomas wrote:
> I posted an email about this on March 6th, but for brevity's sake, I'll just rehash the important stuff:
>
> - snort isn't logging anything, but it is running.
> - it is creating empty files
> - snort version is 2.9.4 and snort.conf is version 2.9.1.1
> - system was installed (snort activated) around mid-Feb.
>
> This is the result from ps -ef:
>
> /usr/sbin/snort -c /etc/snort/snort.conf -i red0 -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run/
>
> This is the contents of my /var/log/snort directory. As you can see, it's creating files, but they are all empty.
>
> -rw-r--r-- 1 root root 0 2013-03-03 00:01 alert
> -rw-r--r-- 1 root root 20 2013-03-03 00:01 alert.1.gz
> -rw-r--r-- 1 root root 20 2013-02-24 00:01 alert.2.gz
> -rw-r--r-- 1 root root 20 2013-02-17 00:01 alert.3.gz
> -rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.5.gz
> -rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
> -rw-r--r-- 1 root root 0 2013-02-10 18:29 snort.log.1360542580
> -rw-r--r-- 1 root root 0 2013-03-02 14:01 snort.log.1362254506
> -rw-r--r-- 1 root root 0 2013-03-02 14:59 snort.log.1362257974
> -rw-r--r-- 1 root root 0 2013-03-07 00:03 snort.log.1362636207
>
> These are all the snort files on my system:
>
> [root@ipfire snort]# find / -name snort
> /etc/snort
> /etc/rc.d/init.d/snort
> /usr/sbin/snort
> /usr/lib/snort
> /var/log/snort
> /var/ipfire/snort
>
> This is the contents of the /etc/snort directory. The files owned by root:root were created by me.
>
> -rw-r--r-- 1 root root 152 2013-03-06 18:13 readme.txt
> drwxr-xr-x 2 nobody nobody 12288 2013-03-06 23:37 rules
> -rw-r--r-- 1 nobody nobody 19506 2013-03-06 23:57 snort.conf
> -rw-r--r-- 1 nobody nobody 19506 2013-02-16 11:03 snort.conf.orig
> -rwxr-xr-x 1 root root 73 2013-03-06 18:38 snort-test.sh
> -rwxr-xr-x 1 root root 29 2013-03-07 00:01 start.sh
> -rwxr-xr-x 1 root root 28 2013-03-07 00:02 stop.sh
> -rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
> -rw-r--r-- 1 root root 104 2013-03-07 00:03 vars
>
> Someone asked me in a separate email what my logging/output settings in snort.conf were. I think this is it. If not, let me know.
>
> # config logdir:
> (this line is blank - nothing here)
>
> #############################
> # Step #6: Configure output plugins
> # For more information, see Snort Manual, Configuring Snort - Output Modules
> ###################################################
>
> # unified2
> # Recommended for most installs
> # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
>
> # Additional configuration for specific types of installs
> # output alert_unified2: filename snort.alert, limit 128, nostamp
> # output log_unified2: filename snort.log, limit 128, nostamp
>
> # syslog
> # output alert_syslog: LOG_AUTH LOG_ALERT
>
> # pcap
> # output log_tcpdump: tcpdump.log
>
> # database
> # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
> # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
>
> # prelude
> # output alert_prelude
>
> # metadata reference data. do not modify these lines
> include /etc/snort/rules/classification.config
> include /etc/snort/rules/reference.config
>
> I think I read somewhere else that the variables below should say vars and not ipvars if you are not using IPv6 in your environment, which I am not.
>
> # taken from /etc/snort vars
> #ipvar HOME_NET any
>
> # Set up the external network addresses. Leave as "any" in most situations
> ipvar EXTERNAL_NET any
>
> # List of DNS servers on your network
> #ipvar DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> ipvar SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> ipvar HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> ipvar SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> ipvar TELNET_SERVERS $HOME_NET
>
> # List of ssh servers on your network
> ipvar SSH_SERVERS $HOME_NET
>
> # List of ftp servers on your network
> ipvar FTP_SERVERS $HOME_NET
>
> Any help you guys could provide with this would be most appreciated. Thank you.
>
> Kevin
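A small audit of the two things this thread keeps circling: the dotted (relative) paths waldo describes, which snort resolves against whatever its working directory happens to be when the directive is read, and an output section where every `output` line is commented out, as in Kevin's Step #6 excerpt. This is an added example, not Snort's code and not anything posted in the thread. The set of path-bearing directives, the `/etc/snort` base directory used to suggest absolute replacements, and the sample conf are assumptions and constructed data; what is flagged is only a candidate for the "change dotted paths to fully defined paths" fix, which the thread itself says is a change made on suspicion rather than a proven root cause.

```python
"""Audit a snort.conf for relative ("dotted") paths and for an output
section with nothing enabled.  Added example; not Snort's own code."""
import posixpath

# Directives whose argument at the given token index is a filesystem path.
# Constructed subset of snort.conf syntax, not an exhaustive list.
PATH_DIRECTIVES = {
    "include": 1,              # include <file>
    "dynamicpreprocessor": 2,  # dynamicpreprocessor directory|file <path>
    "dynamicengine": 2,
    "dynamicdetection": 2,
}


def _path_argument(tokens):
    """Return the path-bearing argument of a directive line, or None."""
    head = tokens[0]
    if head == "config" and len(tokens) >= 3 and tokens[1] == "logdir:":
        return tokens[2]                       # config logdir: <dir>
    if head == "var" and len(tokens) >= 3 and tokens[1].endswith("_PATH"):
        return tokens[2]                       # var RULE_PATH <dir>
    idx = PATH_DIRECTIVES.get(head)
    if idx is not None and len(tokens) > idx:
        return tokens[idx]
    return None


def _is_relative(path):
    # "$RULE_PATH/x" is resolved through the variable, so it is judged at the
    # line that defines the variable; anything else not rooted at "/" is
    # relative to snort's (unknown) working directory.
    return not path.startswith(("/", "$"))


def audit_snort_conf(text, base_dir="/etc/snort"):
    """Return {"relative_paths": [(lineno, directive, path, suggested)],
    "active_outputs": [(lineno, line)]}.  base_dir is the directory the
    relative paths were evidently written against (an assumption)."""
    relative, outputs = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # commented-out lines do nothing
            continue
        tokens = line.split()
        if tokens[0] == "output":
            outputs.append((lineno, line))
            continue
        path = _path_argument(tokens)
        if path is not None and _is_relative(path):
            suggested = posixpath.normpath(posixpath.join(base_dir, path))
            relative.append((lineno, tokens[0], path, suggested))
    return {"relative_paths": relative, "active_outputs": outputs}


def absolutize(text, base_dir="/etc/snort"):
    """Rewrite each flagged relative path as its absolute form under base_dir,
    leaving every other byte of the file unchanged."""
    fixes = {ln: (p, s) for ln, _, p, s in
             audit_snort_conf(text, base_dir)["relative_paths"]}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno in fixes:
            path, suggested = fixes[lineno]
            raw = raw.replace(path, suggested, 1)
        out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample, loosely modelled on the conf excerpt in the thread.
SAMPLE_CONF = """\
# constructed sample snort.conf fragment
var RULE_PATH ../rules
ipvar HOME_NET any
config logdir: ../log
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
include $RULE_PATH/local.rules
include ../rules/classification.config
# output alert_syslog: LOG_AUTH LOG_ALERT
# output log_tcpdump: tcpdump.log
"""

if __name__ == "__main__":
    report = audit_snort_conf(SAMPLE_CONF)
    for lineno, directive, path, suggested in report["relative_paths"]:
        print(f"line {lineno}: {directive} uses relative path {path!r}; "
              f"consider {suggested!r}")
    if not report["active_outputs"]:
        print("no active 'output' lines; only snort's built-in alert file "
              "and per-run pcap log will be written")
    print(absolutize(SAMPLE_CONF))
```

Run it against a real file with `audit_snort_conf(open("/etc/snort/snort.conf").read())` and diff the output of `absolutize` against the original before copying it into place; an empty `active_outputs` list is not itself a fault, since, as waldo notes, snort still writes its plain-text alert file and a pcap per run without any `output` line.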
Current thread:
- no IDS logs from snort Kevin Thomas (Mar 06)
- Re: no IDS logs from snort James Lay (Mar 07)
- Re: no IDS logs from snort Kevin Thomas (Mar 11)
- Re: no IDS logs from snort Kevin Thomas (Mar 08)
- Re: no IDS logs from snort Ray Caparros (Mar 09)
- Re: no IDS logs from snort waldo kitty (Mar 09)
- Re: no IDS logs from snort Kevin Thomas (Mar 08)
- Re: no IDS logs from snort waldo kitty (Mar 11)
- Re: no IDS logs from snort waldo kitty (Mar 11)
- Re: no IDS logs from snort Kevin Thomas (Mar 11)
- Re: no IDS logs from snort Ray Caparros (Mar 11)
- Re: no IDS logs from snort Joel Esler (Mar 11)
- Re: no IDS logs from snort waldo kitty (Mar 11)