Snort mailing list archives

Re: SNORT has stopped alerting


From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 22 Jul 2014 16:17:01 +0000

https://www.snort.org/configurations



On Tue, Jul 22, 2014 at 3:56 PM, Farnsworth, Robert <
robert.farnsworth () hp com> wrote:

Guys, it was recommended last week that I update my snort.conf file. Can
someone point me in the direction to get that file, and once this is put in
place, will more changes be needed to snort?



Thanks for all your help.



Robert



*From:* Y M [mailto:snort () outlook com]
*Sent:* Thursday, July 17, 2014 11:30 AM

*To:* Farnsworth, Robert
*Cc:* snort-users
*Subject:* RE: [Snort-users] SNORT has stopped alerting




 ------------------------------

From: robert.farnsworth () hp com
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SNORT has stopped alerting
Date: Thu, 17 Jul 2014 15:19:11 +0000

Sorry I do not remember seeing any changes needed to the snort.conf file.



For example, using the unified2 output plugin.



It was recommended to add a new snort.conf but no I have not done that.



I am running this same config. on another server with no issues.



This is the command line we run for snort.



/usr/local/bin/snort -A full -s -l /var/log/snortlogs -D -c /usr/local/snort/etc



In your command, by using "-A full" you are overriding the output plugin
defined in your snort.conf. Hence, the output plugin in your
snort.conf was not working; instead, the "-A full" output was/is being
utilized. By default, Snort will attempt to create a log file with the name
"alert" under /var/log/snort. If you haven't changed the default logging
directory, you should find it there.



Simply, drop the "-A full" from your command and you should be good to go.



YM



*From:* Y M [mailto:snort () outlook com <snort () outlook com>]
*Sent:* Thursday, July 17, 2014 10:57 AM
*To:* Farnsworth, Robert
*Cc:* snort-users
*Subject:* RE: [Snort-users] SNORT has stopped alerting




 ------------------------------

From: robert.farnsworth () hp com
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SNORT has stopped alerting
Date: Thu, 17 Jul 2014 14:20:54 +0000

OK, we don't have TCPDUMP on our Solaris server, but I did run snoop in
verbose mode and see a lot of TCP traffic; I did not notice anything for
SSH, HTTP, etc.



The traffic you would see will depend on what you are expecting to see on
the link monitored. If Snort is monitoring a link with all users' activities
and what not, then you should be seeing HTTP/S traffic, but if your sensor
is monitoring a particular network segment, then look for the traffic you
would expect to see on that segment.



I started snort with the -k none option and it did create a new log:
334791 Jul 17 10:10 snort.log.1405605977, but I still get nothing in my
alert log or the snort.log file.



Please post your command line you use to run Snort. Also, did you make the
necessary change in your snort.conf file as suggested earlier?



YM



*From:* Y M [mailto:snort () outlook com <snort () outlook com>]
*Sent:* Wednesday, July 16, 2014 4:16 PM
*To:* Farnsworth, Robert
*Cc:* snort-users
*Subject:* RE: [Snort-users] SNORT has stopped alerting



Ok, can you verify that the NIC is getting packets, using tcpdump:



tcpdump -i ethX -nnXvv



Look for packets you are expecting to see, for example http, ssh, etc.
Also, if you run Snort with -k none, does anything change in the logs? If
you can, run Snort in console mode (-A cmg) with the -k none, and let it
run for a minute or so to see if it is getting packets and alerting based
on packets captured.



YM
 ------------------------------

From: robert.farnsworth () hp com
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SNORT has stopped alerting
Date: Wed, 16 Jul 2014 20:07:30 +0000

See Responses:



This looks good. While Snort is running, if you tail snort.alert (tail -f
/var/log/snortlogs/snort.alert), do you see any data being added?

Nothing new is being added to this file. (/var/log/snortlogs/snort.alert)



Also, when you check the syslog (dependent on your Linux distro -
/var/log/syslog or /var/log/messages), do you see any alerts there?



This is a Solaris system and we are getting alerts in /var/adm/messages (I
don't see anything for snort).





*From:* Y M [mailto:snort () outlook com <snort () outlook com>]
*Sent:* Wednesday, July 16, 2014 3:44 PM
*To:* Farnsworth, Robert
*Cc:* snort-users
*Subject:* RE: [Snort-users] SNORT has stopped alerting



In addition to what Joel suggested, please see my comments below:
 ------------------------------

From: robert.farnsworth () hp com
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SNORT has stopped alerting
Date: Wed, 16 Jul 2014 18:53:26 +0000

I’ve tried to answer these the best I could. See Below.





1. Which output plugin are you using in your snort.conf (syslog, unified2,
etc..)?

# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp



It is recommended to use the unified2 plugin instead of the alert_unified2
and log_unified2. Then you can use the u2spewfoo (comes with snort) tool to
read the unified2 log file:



output unified2: filename snort.log, limit 128, nostamp



# syslog
output alert_syslog: LOG_AUTH LOG_ALERT



Though the syslog output plugin works, it gives a warning and may be
deprecated, as I came to know recently. You may want to use Barnyard2 in the
future to handle syslog logging.



2. Where are you outputting the alerts (directory, database, barnyard2)?

Directory - /var/log/snortlogs



This is okay since you are outputting to this directory.



3. What is the final destination of the alerts (database, binary, text)?



Not sure about this, sorry, I am a novice to SNORT/UNIX; they are forwarded
to an e-mail address. (Not sure if that is what you're asking.)



This was to know how you keep the logs at rest. You certainly answered
these in 2 and 3.



4. How are you viewing the alert data (console, GUI)?



Console



Okay.



5. What are the rules/rules files included in snort.conf?



# site specific rules
include $RULE_PATH/local.rules

include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules
include $RULE_PATH/botnet-cnc.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/community.rules
include $RULE_PATH/content-replace.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/info.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/phishing-spam.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/scada.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/voip.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules

# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

###################################################
# Step #9: Customize your Shared Object Snort Rules
# For more information, see http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
###################################################

# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/sql.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules





This looks good. While Snort is running, if you tail snort.alert (tail
-f /var/log/snortlogs/snort.alert), do you see any data being added? Also,
when you check the syslog (dependent on your Linux distro - /var/log/syslog or
/var/log/messages), do you see any alerts there?









*From:* Y M [mailto:snort () outlook com <snort () outlook com>]
*Sent:* Wednesday, July 16, 2014 2:39 PM
*To:* Farnsworth, Robert
*Cc:* snort-users
*Subject:* RE: [Snort-users] SNORT has stopped alerting



If more information is provided, you will get better help:



1. Which output plugin are you using in your snort.conf (syslog, unified2,
etc..)?

2. Where are you outputting the alerts (directory, database, barnyard2)?

3. What is the final destination of the alerts (database, binary, text)?
4. How are you viewing the alert data (console, GUI)?

5. What are the rules/rules files included in snort.conf?



If this was double posted, I blame the browser!



YM
  ------------------------------

From: robert.farnsworth () hp com
To: snort-users () lists sourceforge net
Date: Wed, 16 Jul 2014 17:45:26 +0000
Subject: [Snort-users] SNORT has stopped alerting

I have stopped receiving ALERTs from snort. I have checked and yes, it is
running; any troubleshooting tips would be appreciated.


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck Code
Sight - the same software that powers the world's largest code search on
Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds
_______________________________________________ Snort-users mailing list
Snort-users () lists sourceforge net Go to this URL to change user options
or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest
Snort news!



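YM's advice in the thread is to switch to the single `unified2` output plugin and read the resulting binary file with u2spewfoo, while the `-A full` flag on the command line silently overrides that plugin. As an added example (not code from the thread or from the Snort project), the following Python reader walks a unified2 file the way u2spewfoo does: each record is a big-endian (type, length) header followed by a body, and the field layouts below are the `Unified2IDSEvent_legacy` (type 7) and `Unified2Packet` (type 2) structs from Snort's Unified2_common.h. The sample log is constructed inline; the record-type numbers and field order are taken from the Snort headers, everything else is assumed.

```python
import struct
from typing import Iterator

# Record types from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body

_HDR = struct.Struct("!II")                    # (type, length), network byte order
_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")   # Unified2IDSEvent_legacy, 52 bytes
_PKT = struct.Struct("!IIIIIII")               # Unified2Packet header, 28 bytes
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source",
                "ip_destination", "sport_itype", "dport_icode", "protocol",
                "impact_flag", "impact", "blocked")

def _ipv4(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def iter_unified2(data: bytes) -> Iterator[dict]:
    """Yield one dict per record. A record whose body is shorter than its
    declared length is treated as Snort still writing it, so parsing stops."""
    off = 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        body = data[off + _HDR.size: off + _HDR.size + rlen]
        if len(body) < rlen:
            break                               # partial record at end of file
        off += _HDR.size + rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen == _EVENT.size:
            ev = dict(zip(EVENT_FIELDS, _EVENT.unpack(body)))
            ev["ip_source"] = _ipv4(ev["ip_source"])
            ev["ip_destination"] = _ipv4(ev["ip_destination"])
            yield dict(ev, type="event")
        elif rtype == UNIFIED2_PACKET and rlen >= _PKT.size:
            h = _PKT.unpack_from(body)
            yield {"type": "packet", "event_id": h[1], "linktype": h[5],
                   "packet_data": body[_PKT.size:_PKT.size + h[6]]}
        else:                                   # e.g. extra-data or IPv6 records
            yield {"type": "unknown", "record_type": rtype, "length": rlen}

def summarize(data: bytes) -> list:
    """u2spewfoo-style one-liners for the events in a unified2 file."""
    return ["[%d:%d:%d] %s:%d -> %s:%d proto %d" % (
            r["generator_id"], r["signature_id"], r["signature_revision"],
            r["ip_source"], r["sport_itype"], r["ip_destination"],
            r["dport_icode"], r["protocol"])
            for r in iter_unified2(data) if r["type"] == "event"]

# Constructed sample log: one event (gid 1, sid 1000001) and its packet record
_EV = _EVENT.pack(0, 1, 1405605977, 0, 1000001, 1, 1, 3, 2,
                  0x0A000001, 0x0A000002, 40000, 22, 6, 0, 0, 0)
_PK = _PKT.pack(0, 1, 1405605977, 1405605977, 0, 1, 4) + b"\xde\xad\xbe\xef"
SAMPLE_LOG = (_HDR.pack(UNIFIED2_IDS_EVENT, len(_EV)) + _EV
              + _HDR.pack(UNIFIED2_PACKET, len(_PK)) + _PK)
```

Pointing `iter_unified2` at the `snort.log.<timestamp>` file Snort writes under the `-l` directory gives the same records u2spewfoo prints, which is a quick way to confirm that the configured output plugin, and not `-A full`, is the one producing the file.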
