Snort mailing list archives
Re: not logging data
From: Sharif Uddin <Sharif.Uddin () spectrumasa com>
Date: Wed, 10 Sep 2014 10:18:12 +0000
Yes, I did the full make and make install. I think I misunderstood strace.

[root@snort snort]# ps -eaf | grep snort
avahi      659     1  0 10:48 ?        00:00:00 avahi-daemon: running [snort.local]
root      2622  2529  0 10:51 pts/1    00:00:00 tail -f /var/log/messages /var/log/mariadb/mariadb.log /var/log/snort/alert
root      2711     1  3 10:51 ?        00:00:42 barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
snort     3184     1  4 11:08 ?        00:00:13 snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens34 -D
root      3371  2625  0 11:14 pts/2    00:00:00 grep --color=auto snort

Snort and barnyard are running. My log files are empty:

[root@snort snort]# pwd
/var/log/snort
[root@snort snort]# ll
total 8
-rw-r--r-- 1 snort snort    0 Sep  9 15:35 alert
-rw-rw-r-- 1 snort snort 2056 Sep 10 11:08 barnyard2.waldo
-rw-r--r-- 1 snort snort 2056 Sep  8 16:58 barnyard2.waldo-20140907
-rw------- 1 snort snort    0 Sep 10 11:02 snort.u2.1410343376
-rw------- 1 snort snort    0 Sep 10 11:04 snort.u2.1410343496
-rw------- 1 snort snort    0 Sep 10 11:08 snort.u2.1410343717

[root@snort snort]# strace -fp 3184
Process 3184 attached with 2 threads
[pid 3185] restart_syscall(<... resuming interrupted call ...> <unfinished ...>
[pid 3184] restart_syscall(<... resuming interrupted call ...>) = 1
[pid 3184] brk(0)                       = 0x148bc000
[pid 3184] brk(0x148dd000)              = 0x148dd000
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] brk(0)                       = 0x148dd000
[pid 3184] brk(0x148fe000)              = 0x148fe000
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000 <unfinished ...>
[pid 3185] <... restart_syscall resumed> ) = 0
[pid 3185] rt_sigprocmask(SIG_BLOCK, [CHLD], ~[KILL STOP RTMIN RT_1], 8) = 0
[pid 3185] nanosleep({1, 0},  <unfinished ...>
[pid 3184] <... poll resumed> )         = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] brk(0)                       = 0x148fe000
[pid 3184] brk(0x1491f000)              = 0x1491f000
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000) = 1 ([{fd=4, revents=POLLIN}])
[pid 3184] poll([{fd=4, events=POLLIN}], 1, 1000^CProcess 3184 detached
 <detached ...>
Process 3185 detached

Without changing any configuration of Snort, I should be getting thousands of alerts, as I did when I first set it up.
-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: 10 September 2014 01:35
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] cannot decode data link type 239

On 9/9/2014 1:01 PM, Sharif Uddin wrote:
> I have just tried and made no difference. Strace still gives me
Probably a stupid question, but after running ./configure --enable-non-ether-decoders you did also run the complete make and installation cycles, right?

--
NOTE: No off-list assistance is given without prior approval.
      Please *keep mailing list traffic on the list* unless
      private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
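The checks below are an added example and are not code from the thread or from the Snort or barnyard2 projects. They turn the three things a practitioner would want to confirm from the output above into shell functions: whether any unified2 spool file has grown past 0 bytes, whether the capture interface is receiving packets at all (the strace shows poll() on fd 4 returning POLLIN every loop, which is consistent with a readable capture socket, but the thread does not confirm what fd 4 is), and a syscall tally of an strace capture so the absence of write()/writev() calls is obvious. The paths /var/log/snort and /sys/class/net/ens34 are taken from the ps and ls output above; the sample strace text in the test is constructed from the lines in the message and is not a new capture.

```shell
#!/bin/sh
# Added diagnostic helpers for a Snort 2.x sensor whose snort.u2.* files stay
# empty. Not part of the thread; paths and interface are assumptions taken
# from the ps/ls output in the message.

# 1. Does any unified2 spool file in $1 contain data?
#    Returns 0 if at least one snort.u2.* file is non-empty, 1 otherwise.
u2_has_data() {
    dir=$1
    for f in "$dir"/snort.u2.*; do
        [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
        [ -s "$f" ] && return 0          # -s: exists and size > 0
    done
    return 1
}

# 2. Is the capture interface actually receiving packets?
#    $1 is the interface's sysfs directory (e.g. /sys/class/net/ens34),
#    $2 the sampling interval in seconds (default 5). Prints the number of
#    packets received during the interval. A delta of 0 on a sensor that
#    should see mirrored traffic points at the SPAN/tap, not at Snort.
iface_rx_delta() {
    stats=$1/statistics/rx_packets
    interval=${2:-5}
    before=$(cat "$stats")
    sleep "$interval"
    after=$(cat "$stats")
    echo $((after - before))
}

# 3. Tally syscalls in an strace capture read from stdin, most frequent first.
#    Works on plain and "-f" (per-pid prefixed) output; "<... resumed>" and
#    "Process ... attached" lines are not syscall entries and are ignored.
#    Collect the input with: strace -f -p PID -o /tmp/snort.trace
#    A sensor that is logging will show write()/writev() alongside poll();
#    one that only polls is receiving but never emitting an event.
count_syscalls() {
    sed -n 's/^\(\[pid *[0-9]*\] \)\{0,1\}\([a-z_0-9]*\)(.*/\2/p' \
        | sort | uniq -c | sort -rn
}

# Usage on the sensor (assumed names from the message above):
#   sh snort_nolog_check.sh /var/log/snort /sys/class/net/ens34
if [ $# -eq 2 ]; then
    if u2_has_data "$1"; then
        echo "unified2 spool in $1 has data"
    else
        echo "all snort.u2.* files in $1 are empty"
    fi
    echo "rx packets on $(basename "$2") over 5s: $(iface_rx_delta "$2" 5)"
fi
```

If the spool stays empty while the interface counter climbs, the next things to look at are the rule set and output plugin rather than the capture path: `snort -T -c /etc/snort/snort.conf` validates the configuration and reports how many rules were loaded, and `strace -f -e trace=write,writev -p 3184` narrows the trace to the calls that would populate the unified2 file.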
Current thread:
- Re: not logging data Sharif Uddin (Sep 10)