Snort mailing list archives
Re: log files empty
From: "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov>
Date: Mon, 14 Mar 2016 13:15:20 +0000
Also, significantly close to 100% of your Facebook traffic will be over SSL...

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

-----Original Message-----
From: wkitty42 () windstream net [mailto:wkitty42 () windstream net]
Sent: Sunday, March 13, 2016 17:50
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] log files empty

On 03/13/2016 04:39 PM, Mark Cole wrote:
> I have installed snort on ElementaryOS in a VM on a Mac (with Parallels). I have configured snort to use alert logging and packet logging via snort.conf. I have a very simple rule setup that alerts on any outgoing facebook connection. When I go to facebook I see the activity on the Snort console but nothing gets written to the logs. I think I have read every web page that I can find through Google on "snort log empty" or "snort log zero". I have tried all of the recommendations that I can find. I can see the logrotate works because it creates a new snort.log.xxxxxxx every time I run snort - but they are always empty too. Help!
>
> This is what my rule looks like:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Facebook Web Request"; sid:9999; content:"facebook"; flow:to_server,established;)
that rule won't do what you actually intend it to do... it will/should, in fact, alert on any occurrence of your content on any traffic originating on your network and flowing to any server on port 80 outside your local network... it does not signify that a request to any facebook domain has been established... for example, reading this message on an html-accessed webmail account and replying to it will trigger your rule...
> My snort.conf has these relevant entries:
>
> config logdir: /var/log/snort
> output alert_unified2: filename snort.alert, limit 128, nostamp
> output log_unified2: filename snort.log, limit 128, nostamp
> ##I have tried taking nostamp out based on one article I read with no change
you have not given us your command line or other necessary information...

https://www.snort.org/faq/how-do-i-ask-a-good-question-on-the-snort-list

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
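The two points made in this thread, that `content:"facebook"` fires on any port-80 payload containing that string (so a webmail reply mentioning it triggers the rule) and that real Facebook traffic goes over SSL on port 443 where a port-80 rule never looks, worked through as an added Python example that is not part of this thread. `original_rule` mirrors the matching logic of the posted rule; `narrowed_rule` is a hypothetical tighter check keyed on the HTTP Host header, shown only to contrast with raw content matching; the flows, addresses and the `HOME_NET` prefix are constructed.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str          # source IP
    dst: str          # destination IP
    dport: int        # destination TCP port
    to_server: bool   # flow:to_server
    established: bool # flow:established
    payload: bytes    # reassembled application payload

HOME_NET = "192.168.1."  # constructed prefix standing in for $HOME_NET

def in_home_net(ip):
    return ip.startswith(HOME_NET)

def header_match(f):
    """tcp $HOME_NET any -> $EXTERNAL_NET 80 with flow:to_server,established."""
    return (in_home_net(f.src) and not in_home_net(f.dst) and f.dport == 80
            and f.to_server and f.established)

def original_rule(f):
    """The posted rule: content:"facebook" matches anywhere in the payload."""
    return header_match(f) and b"facebook" in f.payload

def host_header(payload):
    """Return the lowercased HTTP Host header value, or None if absent."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().lower()
    return None

def narrowed_rule(f):
    """Hypothetical tighter check: alert only when Host is a facebook domain."""
    h = host_header(f.payload)
    return header_match(f) and h is not None and (
        h == b"facebook.com" or h.endswith(b".facebook.com"))

# constructed sample sessions
FACEBOOK_GET = Flow("192.168.1.10", "203.0.113.5", 80, True, True,
    b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n")
WEBMAIL_REPLY = Flow("192.168.1.10", "203.0.113.9", 80, True, True,
    b"POST /compose HTTP/1.1\r\nHost: webmail.example\r\n\r\nbody=saw+it+on+facebook")
FACEBOOK_TLS = Flow("192.168.1.10", "203.0.113.5", 443, True, True,
    b"\x16\x03\x01\x00\x10www.facebook.com")  # TLS ClientHello carrying SNI, port 443

def evaluate():
    """(original_rule, narrowed_rule) verdict per sample session."""
    return {name: (original_rule(f), narrowed_rule(f)) for name, f in
            [("facebook_get", FACEBOOK_GET), ("webmail_reply", WEBMAIL_REPLY),
             ("facebook_tls", FACEBOOK_TLS)]}
```

The webmail reply alerts under the posted rule while the real Facebook session over TLS never does, which is exactly the mismatch the replies describe.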