Snort mailing list archives

Closed: Snort-users Digest, Vol 2, Issue 2


From: Dimz via Snort-users <snort-users () lists snort org>
Date: Mon, 3 Jul 2017 17:40:40 +0000 (UTC)

Okay, I have found the culprit. It was the NTP service. Since the VM is not connected to the internet, the NTP service generates an error. After I disabled the NTP service, the timestamp went back to normal.
Thanks.
-Dimz-


On Monday, July 3, 2017, 11:00:06 PM GMT+7, <snort-users-request () lists snort org> wrote:

Today's Topics:

  1. Re: Snort Alert is Not Producing Any Timestamp (Dimz)
Hi,
I created an autostart script:

    /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -Q -D -m 120

This is the snort version:

    dimz@ubuntu:/var/log/snort$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.9.0 GRE (Build 56)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.40 2017-01-11
           Using ZLIB version: 1.2.8

Thanks,
-Dimz-


On Monday, July 3, 2017, 9:52:52 PM GMT+7, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello,
What command are you using to start snort?
What version of snort are you using?

Albert Lewis
 
ENGINEER.SOFTWARE ENGINEERING

SOURCEfire, Inc. now part of Cisco

Email: allewi () cisco com 

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Dimz via Snort-users <snort-users () lists snort org>
Reply-To: Dimz <dimas_forever () yahoo com>
Date: Monday, July 3, 2017 at 6:57 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort Alert is Not Producing Any Timestamp

Hi Everybody,
I installed Snort 2.9 on Ubuntu Server 16.04 on my VM. I installed Snort inline using NFQ following this guide:
http://sublimerobots.com/2017/06/snort-ips-with-nfq-routing-on-ubuntu/
The installation and the routing are successful: Ubuntu can forward packets and Snort can detect traffic. The only problem is that the generated alerts have no timestamp.

Attached is the snort --daq-list:

    dimz@ubuntu:/var/log/snort$ snort --daq-list
Available DAQ modules: 
pcap(v3): readback live multi unpriv 
nfq(v7): live inline multi 
ipfw(v3): live inline multi unpriv 
dump(v3): readback live inline multi unpriv 
afpacket(v5): live inline multi unpriv 

The snort.conf:

config daq: nfq 
config daq_dir: /usr/local/lib/daq 
config daq_mode: inline 
config daq_var: queue=4 

The iptables:

    dimz@ubuntu:/var/log/snort$ sudo iptables -vL
Chain INPUT (policy ACCEPT 2149 packets, 164K bytes) 
pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target     prot opt in     out     source               destination 
   16  1514 NFQUEUE    all  --  any    any     anywhere             anywhere             NFQUEUE num 4 bypass

Chain OUTPUT (policy ACCEPT 2046 packets, 173K bytes) 
pkts bytes target     prot opt in     out     source               destination 

The NAT iptables (for port forwarding a web server behind the Snort machine):

    dimz@ubuntu:/var/log/snort$ sudo iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 61 packets, 5536 bytes) 
pkts bytes target     prot opt in     out     source               destination 
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:http-alt 
to:192.168.2.103:8080

Chain INPUT (policy ACCEPT 10 packets, 1888 bytes) 
pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 484 packets, 30252 bytes) 
pkts bytes target     prot opt in     out     source               destination 

Chain POSTROUTING (policy ACCEPT 485 packets, 30336 bytes) 
pkts bytes target     prot opt in     out     source               destination 
    2   202 MASQUERADE  all  --  any    ens33   anywhere             anywhere 

The server epoch time:

    dimz@ubuntu:/var/log/snort$ date +'%s'
1499079069

Result from tcpdump (the timestamp is correct):

    dimz@ubuntu:/var/log/snort$ sudo tcpdump -i ens33 dst host 192.168.2.103
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 
17:51:58.297893 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 1, length 64
17:51:59.300042 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 2, length 64
17:52:00.304461 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 3, length 64
17:52:01.305757 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 4, length 64 

I output my Snort alerts to 2 outputs: alert.full and snort.u2. Here is the output from alert.full (I created a simple ping detection rule):

    dimz@ubuntu:/var/log/snort$ tail -f alert.full
01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103 
ICMP TTL:63 TOS:0x0 ID:17418 IpLen:20 DgmLen:84 DF 
Type:8  Code:0  ID:2379   Seq:3  ECHO 

[**] [1:10000001:1] ICMP Test Detected [**] 
[Classification: Generic ICMP event] [Priority: 3] 
01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103 
ICMP TTL:63 TOS:0x0 ID:17470 IpLen:20 DgmLen:84 DF 
Type:8  Code:0  ID:2379   Seq:4  ECHO 

Here is the output from snort.u2:

(Event) 
        sensor id: 0    event id: 7     event second: 0 event microsecond: 0 
        sig id: 10000001        gen id: 1       revision: 1      classification: 31
        priority: 3     ip source: 192.168.174.129      ip destination: 192.168.2.103
        src port: 8     dest port: 0    protocol: 1     impact_flag: 0  blocked: 0

Packet 
        sensor id: 0    event id: 7     event second: 0 
        packet second: 0        packet microsecond: 0 
        linktype: 228   packet_length: 84 
[    0] 45 00 00 54 44 3E 40 00 3F 01 C5 31 C0 A8 AE 81  E..TD>@.?..1.... 
[   16] C0 A8 02 67 08 00 2E 91 09 4B 00 04 6E 21 5A 59  ...g.....K..n!ZY 
[   32] 00 00 00 00 33 D2 05 00 00 00 00 00 10 11 12 13  ....3........... 
[   48] 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23  ............ !"# 
[   64] 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33  $%&'()*+,-./0123 
[   80] 34 35 36 37                                      4567 


Why is the timestamp not detected???
Need help please. I have been dealing with this issue for days, and I have been doing intensive Google searches to find a similar issue, but still no luck.
Thank you very much.
-Dimz-

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
https://lists.snort.org/mailman/listinfo/snort-users
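The symptom in this thread (unified2 records with "event second: 0", and alert.full stamps of 01/01-07:00:00.000000, which is epoch 0 rendered in GMT+7) is easy to check for mechanically. The following is an added example written for this page, not code from the thread or from the Snort project: it parses legacy unified2 IDS event records, reports events whose event_second is zero or far from a trusted clock, and recognises an alert.full timestamp that is epoch 0 in a given UTC offset. The 52-byte record layout is my assumption from the legacy Unified2IDSEvent description (verify against the README.unified2 of your Snort build); the sample records are constructed to mirror the values in the thread.

```python
"""Flag Snort unified2 IDS events whose timestamps cannot be right.

Added example for this thread, not code from the Snort project: the alerts
in the question show "event second: 0" in snort.u2 and "01/01-07:00:00.000000"
in alert.full, which is epoch 0 rendered in UTC+7.
"""
import struct
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address

# Unified2 record header: record type and payload length, big-endian uint32s.
RECORD_HEADER = struct.Struct(">II")
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 IDS event record type

# Assumed layout of the legacy Unified2IDSEvent (52 bytes, network byte order);
# verify it against the README.unified2 that ships with your Snort version.
IDS_EVENT = struct.Struct(">IIIIIIIIIIIHHBBBB")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision", "classification_id",
    "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)


def iter_records(data: bytes):
    """Yield (record_type, payload) for every record in a unified2 byte string."""
    off = 0
    while off + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record")
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_ids_event(payload: bytes) -> dict:
    """Decode a legacy IDS event payload into named fields, IPs as dotted quads."""
    if len(payload) < IDS_EVENT.size:
        raise ValueError("IDS event payload too short")
    ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(payload)))
    ev["ip_source"] = str(IPv4Address(ev["ip_source"]))
    ev["ip_destination"] = str(IPv4Address(ev["ip_destination"]))
    return ev


def clock_problems(data: bytes, reference_epoch: int, tolerance_s: int = 300) -> list:
    """Return (event_id, reason) for IDS events with an implausible event_second.

    reference_epoch is a clock you trust, e.g. `date +%s` on the sensor
    (1499079069 in the thread). Epoch-0 events and events further than
    tolerance_s from the reference are reported; other record types are skipped.
    """
    problems = []
    for rtype, payload in iter_records(data):
        if rtype != UNIFIED2_IDS_EVENT:
            continue
        ev = parse_ids_event(payload)
        sec = ev["event_second"]
        if sec == 0:
            problems.append((ev["event_id"], "event_second is 0 (sensor clock unset)"))
        elif abs(sec - reference_epoch) > tolerance_s:
            drift = abs(sec - reference_epoch)
            problems.append((ev["event_id"], f"event_second {sec} is {drift}s from reference"))
    return problems


def alert_timestamp_is_epoch_zero(ts: str, utc_offset_hours: int) -> bool:
    """True if a Snort alert timestamp (MM/DD-HH:MM:SS.ffffff, no year) equals
    epoch 0 rendered in the given UTC offset: 01/01-07:00:00.000000 for a
    sensor in GMT+7, 12/31-19:00:00.000000 for one in UTC-5."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    epoch0 = datetime(1970, 1, 1, tzinfo=timezone.utc).astimezone(local_tz)
    return ts.strip() == epoch0.strftime("%m/%d-%H:%M:%S.%f")


def build_ids_event(**fields) -> bytes:
    """Build one IDS event record (header + payload); used here only to
    construct sample input, since Snort writes the real file."""
    payload = IDS_EVENT.pack(*(fields.get(name, 0) for name in IDS_EVENT_FIELDS))
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(payload)) + payload


# Constructed sample: the zero-time event from the thread's u2 dump, followed by
# a healthy event stamped with the sensor's `date +%s` value.
SENSOR_EPOCH = 1499079069
_ICMP_TEST = dict(signature_id=10000001, generator_id=1, signature_revision=1,
                  classification_id=31, priority_id=3,
                  ip_source=int(IPv4Address("192.168.174.129")),
                  ip_destination=int(IPv4Address("192.168.2.103")),
                  sport_itype=8, dport_icode=0, protocol=1)
SAMPLE_U2 = (build_ids_event(event_id=7, event_second=0, **_ICMP_TEST)
             + build_ids_event(event_id=8, event_second=SENSOR_EPOCH,
                               event_microsecond=123456, **_ICMP_TEST))

if __name__ == "__main__":
    for event_id, reason in clock_problems(SAMPLE_U2, SENSOR_EPOCH):
        print(f"event {event_id}: {reason}")
    print("alert.full stamp is epoch 0 in GMT+7:",
          alert_timestamp_is_epoch_zero("01/01-07:00:00.000000", 7))
```

Run it against a real spool file by reading the bytes of snort.u2 and passing the sensor's current `date +%s` as the reference; an epoch-0 or badly drifted event_second points at the sensor clock (here, the failing NTP service on an offline VM) rather than at Snort or the DAQ.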
