Snort mailing list archives

Re: log files empty


From: "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov>
Date: Mon, 14 Mar 2016 13:15:20 +0000

Also, significantly close to 100% of your Facebook traffic will be over SSL...

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

-----Original Message-----
From: wkitty42 () windstream net [mailto:wkitty42 () windstream net] 
Sent: Sunday, March 13, 2016 17:50
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] log files empty

On 03/13/2016 04:39 PM, Mark Cole wrote:
> I have installed snort on ElementaryOS in a VM on a Mac (with Parallels). I have
> configured snort to use alert logging and packet logging via snort.conf. I have a
> very simple rule setup that alerts if any outgoing facebook connection. When I go to
> facebook I see the activity on the Snort console but nothing gets written to the
> logs. I think I have read every web page that I can find through Google on
> "snort log empty" or "snort log zero". I have tried all of the recommendations that
> I can find. I can see the logrotate works because it creates a new
> snort.log.xxxxxxx every time I run snort - but they are always empty too. Help!
>
> This is what my rule looks like:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Facebook Web Request"; sid:9999; content:"facebook"; flow:to_server,established;)

that rule won't do what you actually intend it to do... it will/should, in fact, alert on any occurrence of your 
content on any traffic originating on your network and flowing to any server on port 80 outside your local network... 
it does not signify that a request to any facebook domain has been established... 
for example, reading this message on an HTML-accessed webmail account and replying to it will trigger your rule...

> My snort.conf has these relevant entries:
> config logdir: /var/log/snort
> output alert_unified2: filename snort.alert, limit 128, nostamp
> output log_unified2: filename snort.log, limit 128, nostamp
>
> ##I have tried taking nostamp out based on one article I read with no change

you have not given us your command line or other necessary information...

https://www.snort.org/faq/how-do-i-ask-a-good-question-on-the-snort-list

--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
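A small reader for the unified2 files named in the snort.conf quoted above, added here as an example; it is not code from this thread or from the Snort project. It parses the unified2 record header (type and length, network byte order) and decodes the legacy IPv4 IDS event (type 7), the VLAN/MPLS event variant (type 104) and packet records (type 2) using the field layouts from Snort 2.x's unified2 headers. The sample bytes are constructed to mimic one alert for sid 9999 plus its packet record and are not a real capture; the file path in the usage note is an assumption. Running it against an actual snort.alert or snort.log tells you whether the file has zero bytes, holds complete records, or ends in a partially written record that a reader would otherwise choke on.

```python
"""Minimal unified2 reader: answers "is this Snort log really empty?" offline."""
import socket
import struct

# Record types as defined in Snort 2.x unified2 headers
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with mpls_label/vlanId, 60-byte body

HEADER = struct.Struct("!II")              # type, length (network byte order)
EVENT_LEGACY = struct.Struct("!11I2H4B")   # 52 bytes
EVENT_VLAN = struct.Struct("!11I2H4BIHH")  # 60 bytes
PACKET_HDR = struct.Struct("!7I")          # 28 bytes, then packet_length bytes of data

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact",
                "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def iter_records(data):
    """Yield (type, body) for each complete record; stop at a truncated tail."""
    offset = 0
    while offset + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        if offset + length > len(data):
            break  # partial record: Snort still writing, or the file was cut off
        yield rtype, data[offset:offset + length]
        offset += length


def decode(rtype, body):
    """Decode an event or packet body into a dict; unknown/odd-sized bodies stay raw."""
    rec = {"type": rtype}
    if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
        fmt = EVENT_LEGACY if rtype == UNIFIED2_IDS_EVENT else EVENT_VLAN
        if len(body) != fmt.size:
            rec["raw"] = body
            return rec
        vals = fmt.unpack(body)
        rec.update(zip(EVENT_FIELDS, vals[:len(EVENT_FIELDS)]))
        if rtype == UNIFIED2_IDS_EVENT_VLAN:
            rec["mpls_label"], rec["vlan_id"] = vals[17], vals[18]
        for key in ("ip_source", "ip_destination"):  # uint32 -> dotted quad
            rec[key] = socket.inet_ntoa(struct.pack("!I", rec[key]))
    elif rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
        rec.update(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
        rec["packet"] = body[PACKET_HDR.size:PACKET_HDR.size + rec["packet_length"]]
    else:
        rec["raw"] = body
    return rec


def parse_bytes(data):
    """Decode every complete record in a unified2 byte string."""
    return [decode(t, b) for t, b in iter_records(data)]


def read_unified2(path):
    """Read and decode a unified2 file from disk."""
    with open(path, "rb") as fh:
        return parse_bytes(fh.read())


def summarize(records):
    """Count event records per (gid, sid): did the alert actually reach the file?"""
    counts = {}
    for rec in records:
        if "signature_id" in rec:
            key = (rec["generator_id"], rec["signature_id"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def build_sample():
    """Constructed bytes (not a capture): one gid 1 / sid 9999 alert and its packet."""
    src = struct.unpack("!I", socket.inet_aton("192.168.1.20"))[0]
    dst = struct.unpack("!I", socket.inet_aton("203.0.113.10"))[0]
    event = EVENT_LEGACY.pack(1, 1, 1457902800, 0, 9999, 1, 1, 0, 0, src, dst,
                              51234, 80, 6, 0, 0, 0)
    # Constructed payload: just the HTTP request bytes, not a full Ethernet frame.
    payload = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
    packet = PACKET_HDR.pack(1, 1, 1457902800, 1457902800, 0, 1, len(payload)) + payload
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    recs = parse_bytes(data)
    print(f"{len(data)} bytes, {len(recs)} complete record(s)")
    for (gid, sid), n in sorted(summarize(recs).items()):
        print(f"  gid {gid} sid {sid}: {n} event(s)")
```

With no argument the script parses its own constructed sample; pointed at a real file (for instance /var/log/snort/snort.alert, assuming the logdir from the quoted snort.conf) it reports the byte count and how many complete records it found, so a 0-byte file, a file full of records that some other consumer is failing to read, and a file ending in a half-written record are told apart in one run.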
