Snort mailing list archives

Re: Snort Alert is Not Producing Any Timestamp


From: Jan Hugo Prins <jhp () jhprins org>
Date: Thu, 17 Jan 2019 12:33:12 +0100

Hello,

Did anyone find the cause of this issue? I might have the same issue.

Startup command:

snort --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:0@2 --daq-var clusterid=0 --daq-var bindcpu=2

Version:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

I use pf_ring zc behind a fiber tap.

Bro is running on a second copy of the same packets, and is properly
adding timestamps to all registered connections / packets.


Jan Hugo Prins



On 7/3/17 4:58 PM, Dimz via Snort-users wrote:
Hi,

I created an autostart script:
/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -Q -D -m 120

This is the snort version:
dimz@ubuntu:/var/log/snort$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.9.0 GRE (Build 56)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.40 2017-01-11
           Using ZLIB version: 1.2.8

Thanks,

-Dimz-



On Monday, July 3, 2017, 9:52:52 PM GMT+7, Al Lewis (allewi)
<allewi () cisco com> wrote:


Hello,

What command are you using to start snort?

What version of snort are you using?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com


From: Snort-users <snort-users-bounces () lists snort org> on behalf of Dimz via Snort-users <snort-users () lists snort org>
Reply-To: Dimz <dimas_forever () yahoo com>
Date: Monday, July 3, 2017 at 6:57 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort Alert is Not Producing Any Timestamp

Hi Everybody,

I installed my snort 2.9 on Ubuntu server 16.04 on my VM. I installed
my snort inline using NFQ from the following guide:
http://sublimerobots.com/2017/06/snort-ips-with-nfq-routing-on-ubuntu/

The installation and the routing are successful: Ubuntu can forward
packets and Snort can detect traffic. The only problem is that the
generated alerts have no timestamp.

Attached is the snort --daq-list
dimz@ubuntu:/var/log/snort$ snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv 

The snort.conf:
config daq: nfq
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: queue=4 

The iptables:
dimz@ubuntu:/var/log/snort$ sudo iptables -vL
Chain INPUT (policy ACCEPT 2149 packets, 164K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1514 NFQUEUE    all  --  any    any     anywhere             anywhere             NFQUEUE num 4 bypass

Chain OUTPUT (policy ACCEPT 2046 packets, 173K bytes)
 pkts bytes target     prot opt in     out     source               destination

The NAT iptables (for port forwarding a web server behind Snort machine):
dimz@ubuntu:/var/log/snort$ sudo iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 61 packets, 5536 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:http-alt to:192.168.2.103:8080

Chain INPUT (policy ACCEPT 10 packets, 1888 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 484 packets, 30252 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 485 packets, 30336 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   202 MASQUERADE  all  --  any    ens33   anywhere             anywhere

The server epoch time:
dimz@ubuntu:/var/log/snort$ date +'%s'
1499079069

result from tcpdump (the timestamp is correct):
dimz@ubuntu:/var/log/snort$ sudo tcpdump -i ens33 dst host 192.168.2.103
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
17:51:58.297893 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 1, length 64
17:51:59.300042 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 2, length 64
17:52:00.304461 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 3, length 64
17:52:01.305757 IP 192.168.174.129 > 192.168.2.103: ICMP echo request, id 2379, seq 4, length 64

I output my snort alerts to 2 outputs: alert.full and snort.u2. Here
is the output from alert.full (I created a simple ping detection rule):
dimz@ubuntu:/var/log/snort$ tail -f alert.full
*01/01-07:00:00.000000* 192.168.174.129 -> 192.168.2.103
ICMP TTL:63 TOS:0x0 ID:17418 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2379   Seq:3  ECHO

[**] [1:10000001:1] ICMP Test Detected [**]
[Classification: Generic ICMP event] [Priority: 3]
*01/01-07:00:00.000000* 192.168.174.129 -> 192.168.2.103
ICMP TTL:63 TOS:0x0 ID:17470 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2379   Seq:4  ECHO 

Here is the output from snort.u2:
(Event)
        sensor id: 0    event id: 7     event second: 0 event microsecond: 0
        sig id: 10000001        gen id: 1       revision: 1      classification: 31
        priority: 3     ip source: 192.168.174.129      ip destination: 192.168.2.103
        src port: 8     dest port: 0    protocol: 1     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 7     event second: 0
        packet second: 0        packet microsecond: 0
        linktype: 228   packet_length: 84
[    0] 45 00 00 54 44 3E 40 00 3F 01 C5 31 C0 A8 AE 81  E..TD>@.?..1....
[   16] C0 A8 02 67 08 00 2E 91 09 4B 00 04 6E 21 5A 59  ...g.....K..n!ZY
[   32] 00 00 00 00 33 D2 05 00 00 00 00 00 10 11 12 13  ....3...........
[   48] 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23  ............ !"#
[   64] 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33  $%&'()*+,-./0123
[   80] 34 35 36 37                                      4567 


Why is the timestamp not detected?

I need help, please.
I have been dealing with this issue for days, and I have been doing
intensive Google searches to find a similar issue, but still no luck.

Thank you very much.

-Dimz-

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
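As an added defender-side check that is not part of the thread or of Snort itself, the Python below parses alert_full records like the ones quoted above and flags every alert whose printed time is exactly what a zeroed packet time (time_t 0) renders as in the sensor's local zone; that is what both the alert.full lines (01/01-07:00:00.000000 in GMT+7) and the u2 record (event second: 0, packet second: 0) show. The sample records and the +7 UTC offset are constructed here to match the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Snort 2.x alert_full format (no year, as in the post):
# the first record reproduces the thread's symptom, the second one is healthy.
SAMPLE_ALERT_FULL = """\
[**] [1:10000001:1] ICMP Test Detected [**]
[Classification: Generic ICMP event] [Priority: 3]
01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103
ICMP TTL:63 TOS:0x0 ID:17418 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2379   Seq:3  ECHO

[**] [1:10000001:1] ICMP Test Detected [**]
[Classification: Generic ICMP event] [Priority: 3]
07/03-17:51:58.297893 192.168.174.129 -> 192.168.2.103
ICMP TTL:63 TOS:0x0 ID:17470 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2379   Seq:4  ECHO
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# MM/DD-HH:MM:SS.uuuuuu src -> dst ; alert_full carries no year unless snort runs with -y
TS_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) -> (\S+)$")

def parse_alert_full(text):
    """One dict per alert: gid, sid, msg, src, dst, ts=(month, day, hour, min, sec, usec)."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)), "msg": m.group(4)}
            continue
        m = TS_RE.match(line)
        if m and current is not None:
            current["ts"] = tuple(int(x) for x in m.groups()[:6])
            current["src"], current["dst"] = m.group(7), m.group(8)
            alerts.append(current)
            current = None
    return alerts

def is_epoch_zero(ts, utc_offset_hours):
    """True when the printed fields are exactly how time_t 0 renders in the sensor's
    local zone, i.e. the DAQ handed Snort a zeroed packet time (GMT+7 -> 01/01-07:00:00)."""
    z = datetime.fromtimestamp(0, timezone(timedelta(hours=utc_offset_hours)))
    return ts == (z.month, z.day, z.hour, z.minute, z.second, z.microsecond)

def zero_timestamp_alerts(text, utc_offset_hours):
    return [a for a in parse_alert_full(text) if is_epoch_zero(a["ts"], utc_offset_hours)]

if __name__ == "__main__":
    for a in zero_timestamp_alerts(SAMPLE_ALERT_FULL, 7):
        print("zeroed timestamp:", a["sid"], a["msg"], a["src"], "->", a["dst"])
```

Running this over a live alert.full with the sensor's own UTC offset separates a wrong-but-real clock from a DAQ that never filled in the packet header time, which is the case the thread's u2 dump shows.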
