Snort mailing list archives

Re: no IDS logs from snort


From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 09 Mar 2013 14:46:45 -0500

On 3/9/2013 14:23, Ray Caparros wrote:
    Kevin,

    Looking at your config file, none of your output plugins are active. I would at
    least turn on syslog or the log_tcpdump.log. Hope this helps!

i have /never/ defined any output plugins in snort... it has at least two 
defaults... the first creates a plain ASCII text alert file and the second 
creates a pcap file for each execution of snort... the contents are pcaps of 
each packet of traffic that caused an alert to be written to the alert file...

this problem is related to something else... i've seen it numerous other times 
in another firewall project and it has only recently started with the 2.9 series 
of snorts...

in our case, we've found that the conf file distributed with our compile of 
snort contains dotted paths but we don't know "where we are" when those paths 
are encountered... snort runs but doesn't log... we change those dotted paths to 
fully defined paths, restart snort and then things seem to start working... the 
dotted paths we have seen are not related to the placement of the log files... 
we're not even certain that these dotted paths are the problem but we know that 
we change them in all cases when they appear... we fixed the dotted paths in our 
distributed conf file and i don't recall recent reports since then...

but not a lot of folks use snort, either... many want something like an 
anti-virus tool that fits all systems and networks... they don't want to learn 
why the rules are alerting which leads them deeper into networking mechanics 
than they care to go... they don't want to have to deal with blocks and figuring 
out which rule caused such a block and then to decide which one of several 
methods would be the best to use to "fix" that rule... sometimes you might just 
completely disable a rule in snort... or you may tell your reactive control 
tools to ignore those alerts from that rule... you might want something more 
refined where that rule is applied to all traffic except that from certain 
sites... snort's threshold file may cover this for you or, again, you may be 
able to handle it in your reactive control tool... that's only 2 scenarios with 
at least two options each...

NOTE: i do not work for VRT or sourcefire... the conf i speak of distributing 
above is for snort as used on another product...

    -Ray


On Sat, Mar 9, 2013 at 12:02 AM, Kevin Thomas <axel2078 () gmail com> wrote:

    Here is a little more information.  This is what I get when I run a test
    against the snort.conf file:
    -----snip----==
    Initialization Complete ==--

         ,,_     -*> Snort! <*-
        o"  )~   Version 2.9.4 GRE (Build 40)
    ''''    By Martin Roesch & The Snort Team:
    http://www.snort.org/snort/snort-team
                 Copyright (C) 1998-2012 Sourcefire, Inc., et al.
                 Using libpcap version 1.0.0
                 Using PCRE version: 8.31 2012-07-06
                 Using ZLIB version: 1.2.7----
    ------snip------
    Snort successfully validated the configuration!
    Snort exiting

    Here is a snippet from /var/log/messages.

    Mar  6 23:39:06 ipfire snort[26313]: Log directory = /var/log/snort
    Mar  6 23:39:09 ipfire snort[26313]:       Memcap used for logging URI
    and Hostname: 150994944
    Mar  6 23:39:16 ipfire snort[26313]:     Max number of dialogs in a
    session: 4 (Default)
    Mar  6 23:39:20 ipfire snort[26313]: Rule application order:
    activation->dynamic->pass->drop->sdrop->reject->alert->log

    Anyone have any idea why snort isn't writing to the log files?

    Kevin


    On 3/8/2013 4:44 PM, Kevin Thomas wrote:
     > I posted an email about this on March 6th, but for brevity's sake, I'll
    just rehash the important stuff:
     >
     > - snort isn't logging anything, but it is running.
     > - it is creating empty files
     > - snort version is 2.9.4 and snort.conf is version 2.9.1.1
     > - system was installed (snort activated) around mid-Feb.
     >
     > This is the result from ps -ef:
     >
     > /usr/sbin/snort -c /etc/snort/snort.conf -i red0 -D -l /var/log/snort
    --create-pidfile --nolock-pidfile --pid-path /var/run/
     >
     > This is the contents of my /var/log/snort directory.  As you can see, it's
     > creating files, but they are all empty.
     >
     > -rw-r--r-- 1 root root  0 2013-03-03 00:01 alert
     > -rw-r--r-- 1 root root 20 2013-03-03 00:01 alert.1.gz
     > -rw-r--r-- 1 root root 20 2013-02-24 00:01 alert.2.gz
     > -rw-r--r-- 1 root root 20 2013-02-17 00:01 alert.3.gz
     > -rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.5.gz
     > -rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
     > -rw-r--r-- 1 root root  0 2013-02-10 18:29 snort.log.1360542580
     > -rw-r--r-- 1 root root  0 2013-03-02 14:01 snort.log.1362254506
     > -rw-r--r-- 1 root root  0 2013-03-02 14:59 snort.log.1362257974
     > -rw-r--r-- 1 root root  0 2013-03-07 00:03 snort.log.1362636207
     >
     > These are all the snort files on my system:
     >
     > [root@ipfire snort]# find / -name snort
     > /etc/snort
     > /etc/rc.d/init.d/snort
     > /usr/sbin/snort
     > /usr/lib/snort
     > /var/log/snort
     > /var/ipfire/snort
     >
     > This is the contents of the /etc/snort directory.  The files owned by
    root:root were created by me.
     >
     > -rw-r--r-- 1 root   root      152 2013-03-06 18:13 readme.txt
     > drwxr-xr-x 2 nobody nobody  12288 2013-03-06 23:37 rules
     > -rw-r--r-- 1 nobody nobody  19506 2013-03-06 23:57 snort.conf
     > -rw-r--r-- 1 nobody nobody  19506 2013-02-16 11:03 snort.conf.orig
     > -rwxr-xr-x 1 root   root       73 2013-03-06 18:38 snort-test.sh
     > -rwxr-xr-x 1 root   root       29 2013-03-07 00:01 start.sh
     > -rwxr-xr-x 1 root   root       28 2013-03-07 00:02 stop.sh
     > -rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
     > -rw-r--r-- 1 root   root      104 2013-03-07 00:03 vars
     >
     > Someone asked me in a separate email what my logging/output settings in
    snort.conf were.  I think this is it.  If not, let me know.
     >
     >
     > # config logdir:
     > (this line is blank - nothing here)
     >
     > #############################
     >
     > # Step #6: Configure output plugins
     > # For more information, see Snort Manual, Configuring Snort - Output Modules
     > ###################################################
     >
     > # unified2
     > # Recommended for most installs
     > # output unified2: filename merged.log, limit 128, nostamp,
    mpls_event_types, vlan_event_types
     >
     > # Additional configuration for specific types of installs
     > # output alert_unified2: filename snort.alert, limit 128, nostamp
     > # output log_unified2: filename snort.log, limit 128, nostamp
     >
     > # syslog
     > # output alert_syslog: LOG_AUTH LOG_ALERT
     >
     > # pcap
     > # output log_tcpdump: tcpdump.log
     >
     > # database
     > # output database: alert, <db_type>, user=<username> password=<password>
    test dbname=<name> host=<hostname>
     > # output database: log, <db_type>, user=<username> password=<password>
    test dbname=<name> host=<hostname>
     >
     > # prelude
     > # output alert_prelude
     >
     > # metadata reference data.  do not modify these lines
     > include /etc/snort/rules/classification.config
     > include /etc/snort/rules/reference.config
     >
     > I think I read somewhere else that the variables below should say vars
    and not ipvars if you are not using IPv6 in your environment, which I am not.
     >
     > # taken from /etc/snort vars
     > #ipvar HOME_NET any
     >
     > # Set up the external network addresses. Leave as "any" in most situations
     > ipvar EXTERNAL_NET any
     >
     > # List of DNS servers on your network
     > #ipvar DNS_SERVERS $HOME_NET
     >
     > # List of SMTP servers on your network
     > ipvar SMTP_SERVERS $HOME_NET
     >
     > # List of web servers on your network
     > ipvar HTTP_SERVERS $HOME_NET
     >
     > # List of sql servers on your network
     > ipvar SQL_SERVERS $HOME_NET
     >
     > # List of telnet servers on your network
     > ipvar TELNET_SERVERS $HOME_NET
     >
     > # List of ssh servers on your network
     > ipvar SSH_SERVERS $HOME_NET
     >
     > # List of ftp servers on your network
     > ipvar FTP_SERVERS $HOME_NET
     >
     > Any help you guys could provide with this would be most appreciated.
      Thank you.
     >
     > Kevin
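The two diagnoses offered in this thread, Ray's (no active output plugin) and waldo's (relative, "dotted" paths in the distributed conf), can both be checked statically before restarting snort. The script below is an added example, not code from anyone in the thread or from the Snort project: it scans a snort.conf body for `var`, `include` and `dynamic*` directives whose paths do not begin with `/`, and lists the output plugins that are actually uncommented. The sample conf is constructed from Kevin's excerpt plus `var RULE_PATH ../rules` lines of the kind the stock snort.conf ships with. `conf_dir` is an assumption used only to show where a relative path would land if the working directory were the conf directory; Snort itself resolves such paths against the working directory of the snort process, which can differ between an interactive `snort -T` check and a daemon started from an init script, which is why a conf can validate and still not behave as intended.

```python
"""Static audit of a Snort 2.9 snort.conf for the two logging pitfalls
discussed in this thread.  Added example; not code from the Snort project
or from anyone in the thread."""
import os
import re

# Constructed sample conf, modelled on the excerpt Kevin quoted.  The two
# 'var' lines with '../' are constructed to reproduce the "dotted path"
# situation waldo describes; the stock snort.conf defines RULE_PATH this way.
SAMPLE_CONF = """\
# config logdir:

var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules

# Step #6: Configure output plugins
# output unified2: filename merged.log, limit 128, nostamp
# output alert_syslog: LOG_AUTH LOG_ALERT
# output log_tcpdump: tcpdump.log

# metadata reference data.  do not modify these lines
include /etc/snort/rules/classification.config
include /etc/snort/rules/reference.config

include $RULE_PATH/local.rules
dynamicpreprocessor directory /usr/lib/snort/dynamicpreprocessor/
"""

VAR_RE = re.compile(r"^(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^include\s+(\S+)")
DYNAMIC_RE = re.compile(
    r"^(dynamicpreprocessor|dynamicengine|dynamicdetection)\s+(?:directory|file)\s+(\S+)")
OUTPUT_RE = re.compile(r"^output\s+(\w+)\s*:")
LOGDIR_RE = re.compile(r"^config\s+logdir\s*:\s*(\S+)")


def expand_vars(value, variables):
    """Substitute $NAME references with the var definitions seen so far."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def _finding(lineno, directive, path, conf_dir):
    # 'resolved' shows where the path would point *if* the working directory
    # were conf_dir; Snort uses the process's real working directory.
    return {
        "line": lineno,
        "directive": directive,
        "path": path,
        "resolved": os.path.normpath(os.path.join(conf_dir, path)),
    }


def audit_snort_conf(text, conf_dir):
    """Return relative path findings, active output plugins and logdir (if set)."""
    variables = {}
    findings = {"relative_paths": [], "active_outputs": [], "logdir": None}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skips comments, so commented-out output plugins do not count
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)
            if m.group(2).startswith("."):  # the var itself is a dotted path
                findings["relative_paths"].append(_finding(lineno, line, m.group(2), conf_dir))
            continue
        path = None
        if m := INCLUDE_RE.match(line):
            path = m.group(1)
        elif m := DYNAMIC_RE.match(line):
            path = m.group(2)
        if path is not None:
            path = expand_vars(path, variables)
            if not path.startswith("/"):
                findings["relative_paths"].append(_finding(lineno, line, path, conf_dir))
            continue
        if m := OUTPUT_RE.match(line):
            findings["active_outputs"].append(m.group(1))
        elif m := LOGDIR_RE.match(line):
            findings["logdir"] = m.group(1)
    return findings


def print_report(findings):
    for f in findings["relative_paths"]:
        print(f"line {f['line']}: relative path {f['path']!r} in {f['directive']!r} "
              f"(would resolve to {f['resolved']} from the conf directory)")
    if findings["active_outputs"]:
        print("active output plugins:", ", ".join(findings["active_outputs"]))
    else:
        print("no active output plugin: Snort falls back to the built-in 'alert' text "
              "file and snort.log.<epoch> pcap in the -l directory")
    print("config logdir:", findings["logdir"] or "(not set; -l on the command line applies)")


if __name__ == "__main__":
    print_report(audit_snort_conf(SAMPLE_CONF, "/etc/snort"))  # conf_dir is an assumption
```

An empty `active_outputs` list matches the default behaviour waldo describes (the `alert` text file and the `snort.log.<epoch>` pcaps Kevin's directory listing shows), so on its own it is not the fault; the relative path findings are the lines to rewrite as fully qualified paths before restarting. Note that `../rules` evaluated from `/etc/snort` lands on `/etc/rules`, not on Kevin's `/etc/snort/rules`, which illustrates why a path that is right for one layout is wrong for another.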

