Snort mailing list archives

Re: SNORT has stopped alerting


From: Y M <snort () outlook com>
Date: Wed, 16 Jul 2014 19:44:11 +0000

In addition to what Joel suggested, please see my comments below:

From: robert.farnsworth () hp com
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SNORT has stopped alerting
Date: Wed, 16 Jul 2014 18:53:26 +0000

I’ve tried to answer these the best I could. See below.

1. Which output plugin are you using in your snort.conf (syslog, unified2, etc..)?
# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp
It is recommended to use the unified2 plugin instead of alert_unified2 and log_unified2. Then you can use the u2spewfoo tool (which comes with Snort) to read the unified2 log file:
output unified2: filename snort.log, limit 128, nostamp

# syslog
output alert_syslog: LOG_AUTH LOG_ALERT
Though the syslog output plugin works, it gives a warning and may be deprecated, as I came to know recently. You may want to use Barnyard2 in the future to handle syslog logging.
 
2. Where are you outputting the alerts (directory, database, barnyard2)?
Directory - /var/log/snortlogs
This is okay since you are outputting to this directory.
 
3. What is the final destination of the alerts (database, binary, text)?
 
Not sure about this, sorry, I am a novice to SNORT/UNIX; they are forwarded to an e-mail address. (Not sure if that is what you’re asking.)
This was to find out how you keep the logs at rest. You certainly answered this in 2 and 3.
 
4. How are you viewing the alert data (console, GUI)?
 
Console
Okay.
 
5. What are the rules/rules files included in snort.conf?
 
# site specific rules
include $RULE_PATH/local.rules
 
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules
include $RULE_PATH/botnet-cnc.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/community.rules
include $RULE_PATH/content-replace.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/info.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/phishing-spam.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/scada.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/voip.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
 
 
# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
 
###################################################
# Step #9: Customize your Shared Object Snort Rules
# For more information, see http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
###################################################
 
# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/sql.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules
 
 
This looks good. While Snort is running, if you tail snort.alert (tail -f /var/log/snortlogs/snort.alert), do you see any data being added? Also, when you check the syslog (dependent on your Linux distro - /var/log/syslog or /var/log/messages), do you see any alerts there?

From: Y M [mailto:snort () outlook com]
Sent: Wednesday, July 16, 2014 2:39 PM
To: Farnsworth, Robert
Cc: snort-users
Subject: RE: [Snort-users] SNORT has stopped alerting

If more information is provided, you will get better help:

1. Which output plugin are you using in your snort.conf (syslog, unified2, etc..)?
2. Where are you outputting the alerts (directory, database, barnyard2)?
3. What is the final destination of the alerts (database, binary, text)?
4. How are you viewing the alert data (console, GUI)?
5. What are the rules/rules files included in snort.conf?

If this was double posted, I blame the browser!

YM

From: robert.farnsworth () hp com
To: snort-users () lists sourceforge net
Date: Wed, 16 Jul 2014 17:45:26 +0000
Subject: [Snort-users] SNORT has stopped alerting

I have stopped receiving ALERTs from snort; I have checked and yes, it is running. Any troubleshooting tips would be appreciated.

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
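As an added example (not code from this thread or from the Snort project): a small Python reader for the unified2 binary format that u2spewfoo decodes, following Snort's Serial_Unified2_Header and Unified2IDSEvent_legacy layouts (big-endian, 8-byte record header, 52-byte type-7 event body). It builds a constructed sample file inline and stops cleanly at a half-written trailing record, which is what a reader sees while Snort is still appending; the sensor id, addresses and timestamp are made up.

```python
import struct

# Record type ids from Snort's unified2 format (the file u2spewfoo reads).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 event record, 52-byte body

HEADER = struct.Struct("!II")          # Serial_Unified2_Header: type, length
IDS_EVENT = struct.Struct("!11I2H4B")  # Unified2IDSEvent_legacy, 52 bytes
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")

def ip_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def read_unified2(data: bytes):
    """Yield one dict per record. A truncated tail is skipped, not an error:
    a half-written record is normal while Snort is still appending."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + length > len(data):
            break  # partial record at end of file
        body = data[off:off + length]
        off += length
        if rtype == UNIFIED2_IDS_EVENT and length == IDS_EVENT.size:
            ev = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack(body)))
            ev["ip_source"] = int_to_ip(ev["ip_source"])
            ev["ip_destination"] = int_to_ip(ev["ip_destination"])
            yield {"type": "event", **ev}
        else:  # packet or extra-data records: only the size is reported here
            yield {"type": "packet" if rtype == UNIFIED2_PACKET else rtype, "bytes": length}

def make_event(sid: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Build a constructed legacy IDS event record (sensor 1, TCP, rev 1)."""
    body = IDS_EVENT.pack(1, 1, 1405539851, 0, sid, 1, 1, 0, 1,
                          ip_to_int(src), ip_to_int(dst), sport, dport, 6, 0, 0, 0)
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed sample "snort.log": one event, one packet record, then a
# header whose body has not been written yet (simulates a live file).
SAMPLE = (make_event(1000001, "10.0.0.5", "192.168.1.10", 40000, 80)
          + HEADER.pack(UNIFIED2_PACKET, 4) + b"\xde\xad\xbe\xef"
          + HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size))
```

Run `list(read_unified2(open("/var/log/snortlogs/snort.log", "rb").read()))` against a real unified2 file to see whether events are actually being written while the tail check above shows no growth.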
