Snort mailing list archives
Re: First time snorting ... ERROR: The dynamic detection library ...
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 15 Nov 2013 12:15:20 -0500
On 11/15/2013 8:28 AM, Alan McKay wrote:
> On Thu, Nov 14, 2013 at 7:41 PM, waldo kitty <wkitty42 () windstream net> wrote:
>> ok... try adding "-k none" before your "-c" or after your "eth0"...
>
> I did that and still no luck - still empty pcap files
>
>> now we need to see the rest of the output when you shut down snort... that
>> will give us the statistics of traffic that it has seen, if any at all...
>
> I've updated this with the shutdown info.
>
> *** Caught Int-Signal
> ===============================================================================
> Run time for packet processing was 245.17417 seconds
> Snort processed 14030 packets.
> Snort ran for 0 days 0 hours 4 minutes 5 seconds
>    Pkts/min:         3507
>    Pkts/sec:           57
> ===============================================================================
> Packet I/O Totals:
>    Received:        14030
>    Analyzed:        14030 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
> ===============================================================================

this shows that your snort IS seeing traffic and analyzing it... at this point, i would try what i posted about some time back... let me see if i can find the post and paste it here for you... i probably should create a FAQ entry if one doesn't already cover this test...

[time passes]

found one of them ;)

[QUOTE]
> Why is snort not logging?

you mean like alerting on any traffic? sure... we use the following rules in a file named local-test.rules... just like local.rules, put it in place with the proper permissions, add it to your snort.conf and restart snort... only let it run a minute because it can generate thousands of alerts per second depending on your traffic and your machine's capabilities... then edit your snort.conf to comment it out or remove it and restart your snort... then you can look at your alert and log files to see if traffic was recorded... if it was, then things are working properly... if it was not, then we have to look deeper...

----- snip -----
#
# The rules in this file are only to test a snort installation to see if it is
# seeing any traffic at all. These rules should NOT be used all the time. Once
# tested and working, this rule file should be commented out in your snort.conf
# so that it is not used.
#
#------------------
# LOCAL TEST RULES
#------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)
----- snip -----
[/QUOTE]

[time returns to the present]
> While it was running I did a couple of "nmap -O" against it from another
> machine on the internet (my home server) and also did an infinite loop trying
> to ssh into it and kept getting repeated errors about publickey ... so both of
> those should have triggered something, no?

no, not unless there was something about those packets to trigger an alert rule... try the above and see if any traffic at all is logged... it should be and you shouldn't have to try to do anything specific other than simply accessing that machine ;)

--
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.
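A small triage helper, added here as an example (not code from this thread or from the Snort project), that applies the two checks waldo walks through: read the Packet I/O Totals counters from the shutdown output to confirm capture, then check a fast-format alert file for hits from the sid 1-8 test rules. Both inputs are constructed samples; the thresholds and result labels are my own.

```python
import re

# Constructed sample: the "Packet I/O Totals" block from the shutdown output quoted above.
SHUTDOWN_OUTPUT = """\
Packet I/O Totals:
   Received:        14030
   Analyzed:        14030 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
"""

# Constructed sample alert file in Snort's "fast" output format, as local-test.rules
# would produce (hosts are documentation addresses, not real traffic).
ALERT_FAST = """\
11/15-08:30:01.123456  [**] [1:2:1] tcp traffic outbound [**] [Classification: A TCP connection was detected] [Priority: 4] {TCP} 192.0.2.10:44321 -> 198.51.100.5:22
11/15-08:30:01.234567  [**] [1:1:1] tcp traffic inbound [**] [Classification: A TCP connection was detected] [Priority: 4] {TCP} 198.51.100.5:22 -> 192.0.2.10:44321
"""

TEST_SIDS = range(1, 9)  # sids 1-8 are the ones local-test.rules uses

def parse_io_totals(text):
    """Map each counter name in the Packet I/O Totals block to its integer value."""
    return {k.lower(): int(v)
            for k, v in re.findall(r"^\s*(\w+):\s+(\d+)", text, re.MULTILINE)}

def parse_fast_alerts(text):
    """Return (gid, sid, rev, msg) for each line of a fast-format alert file."""
    pat = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
    return [(int(g), int(s), int(r), m) for g, s, r, m in pat.findall(text)]

def diagnose(totals, alerts):
    """Name the stage that fails: capture first, then the test rules firing."""
    received = totals.get("received", 0)
    if received == 0:
        return "no-capture"      # wrong interface, permissions, or a DAQ problem
    if totals.get("analyzed", 0) == 0:
        return "not-analyzed"    # packets arrived but none reached the decoder
    if totals.get("dropped", 0) * 10 > received:
        return "heavy-drops"     # more than 10% dropped: capture is unreliable
    if not any(gid == 1 and sid in TEST_SIDS for gid, sid, _, _ in alerts):
        return "no-alerts"       # capture works; look at rules, output plugins, log paths
    return "ok"

def triage(shutdown_text, alert_text):
    """Run both parsers and return the diagnosis label."""
    return diagnose(parse_io_totals(shutdown_text), parse_fast_alerts(alert_text))

if __name__ == "__main__":
    print(triage(SHUTDOWN_OUTPUT, ALERT_FAST))  # ok
```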