Snort mailing list archives

Re: snort 2.9.4.6 not logging


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 19 Jul 2013 13:16:21 -0400

On 7/19/2013 09:30, Maged Shenouda wrote:
another update, I think the black_list.rules file format is wrong. I changed the
file name back as it was and cleared the black_list.rules and restarted snort, I
didn't see that error in the system log.

what do you mean you "cleared" it? which black list file? black_list.rules or 
blacklist.rules?

But back again to the original issue, it is still not logging, when I restarted
the snort, it created the file in /var/log/snort but it is 0 byte not recording
anything?

does it see any traffic if you start it directly? stop the daemon instance and 
then run it straight

   snort

if it starts spitting data all over the screen, then it is seeing traffic...

then try it like this...

   snort -c /etc/snort/snort.conf

if it starts spitting data all over the screen, then it is seeing traffic with 
your config...

if either of the above fail, try adding "-k none" to the command line...

    snort -k none

OR

   snort -c /etc/snort/snort.conf -k none

and see what happens... then we can go from there...

 > Date: Thu, 18 Jul 2013 20:47:02 -0400
 > From: wkitty42 () windstream net
 > To: snort-users () lists sourceforge net
 > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
 >
 > On 7/18/2013 14:28, Maged Shenouda wrote:
 > > Here is the snort.conf file configuration
 > >
 > > ipvar HOME_NET 192.168.0.0/24
 > > ipvar EXTERNAL_NET any
 > > ipvar SMTP_SERVERS $HOME_NET
 > >
 > > and so on,,,, don't think the format is wrong?
 >
 > you are correct... but wait! what are the names of your blacklist and whitelist
 > files as defined for the reputation processor? there is known confusion between
 > (EG:) GID:1 blacklist.rules and reputation processor black_list.rules files and
 > that is exacerbated when both sets reside in the same directory...
 >
 > the ones for the reputation processor are in simple IP and/or IP/CIDR format
 > whereas the others are in the standard text rules format... looking closer at
 > the error message, it specifically states "invalid IP address" which leads me to
 > believe that the file name(s) for your reputation processor are incorrect...
 >
 > so, check your snort.conf at the reputation processor and see what those file
 > names are that are specified there... then make sure that those names are /not/
 > included in the list of rules files at the bottom of snort.conf...
 >
 > [HINT: more specifically, one set of file names has an underscore '_' in it and
 > the other does not... watch for this and do not get confused by it...
 >
 > RECOMMENDATION: name the files specific to the reputation processor to something
 > significantly different than the normal textual blacklist rules file... maybe
 > RPP_black.rules and RPP_white.rules where RPP stands for Reputation
 > Preprocessor... anything that is different from the others and will alleviate
 > the confusion]
 >
 >
 > > > Date: Thu, 18 Jul 2013 13:55:36 -0400
 > > > From: wkitty42 () windstream net
 > > > To: snort-users () lists sourceforge net
 > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
 > > >
 > > > On 7/18/2013 13:38, Maged Shenouda wrote:
 > > > > Snort logging still not working even after removing the -A -b parameters
 > > > >
 > > > > Any other clue?
 > > >
 > > > looking at the reply below... what is your HOME_NET set to?? have you fixed it
 > > > to accurately cover your actual protected network(s)??
 > > >
 > > > >
 > >
--------------------------------------------------------------------------------
 > > > > From: jesler () sourcefire com
 > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
 > > > > Date: Thu, 18 Jul 2013 11:55:25 -0400
 > > > > To: maged67 () hotmail com
 > > > >
 > > > > No, it looks like you have something messed up in your HOME_NET
 > > > >
 > > > >
 > > > > On Jul 18, 2013, at 11:48 AM, Maged Shenouda <maged67 () hotmail com
 > > > > <mailto:maged67 () hotmail com>> wrote:
 > > > >
 > > > > Also when snort started, it checked the black list rules and here is part of
 > > > > system log
 > > > >
 > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing whitelist file
 > > /etc/snort/rules/white_list.rules
 > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Reputation entries loaded: 0,
 > > invalid: 0, re-defined: 0 (from file /etc/snort/rules/white_list.rules)
 > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing blacklist file
 > > /etc/snort/rules/black_list.rules
 > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (22) => Invalid IP Address: alert
 > > udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware
 > > domaindatajunction.org <http://datajunction.org/> - Gauss "; flow:to_server;
 > > byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|";
fast_pattern:only;
 > > metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
 > > service dns; reference:url,gauss.crysys.hu/ <http://gauss.crysys.hu/>;
 > >
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan
 > >
<http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan>;
 > > classtype:trojan-activity; sid:23802; rev:2;)
 > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (23) => Invalid IP Address: alert
 > > udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware
 > > domainguest-access.net <http://guest-access.net/> - Gauss "; flow:to_server;
 > > byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|";
fast_pattern:only;
 > > metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
 > > service dns; reference:url,gauss.crysys.hu/ <http://gauss.crysys.hu/>;
 > >
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan
 > >
<http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan>;
 > > classtype:trojan-activity; sid:23799; rev:2;)
 > > > >
 > > > > is there something wrong with the black list rules ??
 > > > >
 > > > >
 > >
--------------------------------------------------------------------------------
 > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
 > > > > From: jesler () sourcefire com <mailto:jesler () sourcefire com>
 > > > > Date: Wed, 17 Jul 2013 12:02:40 -0400
 > > > > CC: lists.sourceforge.net <http://lists.sourceforge.net>
 > > > > snort-users () lists sourceforge net
<mailto:snort-users () lists sourceforge net>
 > > > > To: maged67 () hotmail com <mailto:maged67 () hotmail com>
 > > > >
 > > > > Remove your “-A full -b” from your command line. Those are overriding your
 > > > > unified2 output line in your snort.conf.
 > > > >
 > > > >
 > > > > On Jul 17, 2013, at 11:19 AM, Maged Shenouda <maged67 () hotmail com
 > > > > <mailto:maged67 () hotmail com>> wrote:
 > > > >
 > > > > I properly configured the snort.conf and installed all the source files
 > > > > for snort, barnyard2, daq...
 > > > > The problem is when I run the snort from the console, I can see that it
 > > > > is working fine but when I run the snort to read the snort.conf it
 > > > > doesn't save the log file at all
 > > > >
 > > > > /usr/local/bin/snort -A full -b -d -D -i eth0 -u snort -g snort -c
 > > > > /etc/snort/snort.conf -l /var/log/snort
 > > > >
 > > > > and of course since there is no log files, barnyard2 read an empty file
 > > > > and does not transfer it to mysql
 > > > >
 > > > > I am using SUSE Linux Enterprise 11 SP1 64bit. Really need your help with
 > > > > this one
 > > > >
 > > > > Thanks



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
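The thread's diagnosis is that a GID:1 text rules file (blacklist.rules) was being fed to the reputation preprocessor, which only accepts IP and IP/CIDR entries, hence the "Invalid IP Address" lines in syslog. The script below is an added example, not code from the thread or from the Snort project: it checks that a file meant for the reputation preprocessor contains only IP/CIDR entries (flagging lines that look like text rules), and it parses a snort.conf excerpt to report any file that is both named in the `preprocessor reputation:` line and pulled in by an `include`, which is exactly the overlap the reply above warns about. The sample list contents and the snort.conf excerpt are constructed (the excerpt follows the layout of the stock 2.9.x snort.conf, using the paths that appear in the thread); the `#`-comment handling and the acceptance of host bits in a CIDR entry are assumptions about the preprocessor's parser, not verified against its source.

```python
import ipaddress
import os
import re

# Constructed sample: what a reputation preprocessor list should look like.
GOOD_LIST = """\
# comment lines and blank lines are assumed to be ignored
192.0.2.0/24
198.51.100.7
203.0.113.0/25   # trailing comment
"""

# Constructed sample mimicking the thread's mistake: a GID:1 text rule
# (and one plain garbage line) inside the file the preprocessor reads.
BAD_LIST = """\
192.0.2.0/24
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request"; sid:23802; rev:2;)
not-an-ip
10.0.0.0/8
"""

# Constructed snort.conf excerpt with the overlap the thread describes:
# black_list.rules is both the reputation blacklist and an included rules file.
SNORT_CONF = """\
var RULE_PATH /etc/snort/rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
include $RULE_PATH/black_list.rules
"""

# A line starting with a rule action is a text rule, not an IP entry.
RULE_ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\b")


def parse_reputation_list(text):
    """Return (networks, problems) for a reputation-preprocessor list.

    problems is a list of (line_number, reason, offending_line)."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # assumed comment syntax
        if not line:
            continue
        try:
            # strict=False: assume host bits in a CIDR entry are tolerated
            networks.append(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass
        if RULE_ACTION_RE.match(line):
            reason = "text rule (belongs in a GID:1 rules file, not the reputation list)"
        else:
            reason = "invalid IP address"
        problems.append((lineno, reason, line))
    return networks, problems


def reputation_list_is_clean(text):
    return not parse_reputation_list(text)[1]


def _logical_lines(text):
    """Join snort.conf backslash-continued lines into single logical lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def find_reputation_include_overlap(conf_text):
    """Basenames named both in 'preprocessor reputation:' and in an 'include'."""
    rep_files, includes = set(), set()
    for line in _logical_lines(conf_text):
        if line.startswith("preprocessor reputation:"):
            for m in re.finditer(r"\b(whitelist|blacklist)\s+(\S+)", line):
                rep_files.add(os.path.basename(m.group(2).rstrip(",")))
        elif line.startswith("include "):
            includes.add(os.path.basename(line.split(None, 1)[1].strip()))
    return sorted(rep_files & includes)


if __name__ == "__main__":
    for name, text in (("GOOD_LIST", GOOD_LIST), ("BAD_LIST", BAD_LIST)):
        nets, problems = parse_reputation_list(text)
        print(f"{name}: {len(nets)} entries loaded, {len(problems)} invalid")
        for lineno, reason, line in problems:
            print(f"  ({lineno}) => {reason}: {line}")
    print("files used by both reputation preprocessor and include:",
          find_reputation_include_overlap(SNORT_CONF))
```

Run against a real deployment by reading the files named in the `preprocessor reputation:` line instead of the constructed samples; any line reported as a "text rule" means a GID:1 rules file and the reputation list have been mixed up, and a non-empty overlap list means the same file is being loaded by both loaders, which is the situation the renaming recommendation (RPP_black.rules / RPP_white.rules) avoids.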

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!