[Snort-devel] Snort 1.8.7 not logging - sometimes

Randy leganza at ...1541...
Thu Aug 15 02:31:01 EDT 2002


The "not logging" problem reported for the FTP User Overflow rule in the below 
link is not limited to just that rule, sid:1734.

http://marc.theaimsgroup.com/?l=snort-users&m=102815053415284&w=2

I noticed the same problem yesterday, so I checked whether other packets were 
logging correctly and found that 3 packets for rule sid:620 were not logged.

/etc/snort/scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)


But the same source IP scanned for a Squid server, and those were logged 
correctly.

/etc/snort/scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)


And, a local rule for Code Red II was not logging at all.  Yet it worked fine 
before.

/etc/snort/local.rules:alert tcp any any -> $HTTP_SERVERS 80 (msg:"Code Red II attempt"; uricontent:".ida?NNNNNNNN"; nocase; flags:A+;)


I've gone back to using Snort 1.8.6 and the logging is fine.

I had been running 1.8.7 since 1 Aug, but this appeared yesterday.  Red Hat 
updated glibc recently, so I rebuilt 1.8.7 today, yet the logging problem 
persisted.

Red Hat 7.2 all updates applied
Dell 4100 PIII 933Mhz  512memory
2 ea  3com NICs


###
The /etc/rc.d/init.d/snort   start lines

case "$1" in
   start)
         echo -n "Starting snort: "
         daemon /usr/local/bin/snort -u snort -g snort -d -D -o -k none \
                 -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf \
                 -m 027 -F /etc/snort/bpf-file -z
         touch /var/lock/subsys/snort
         echo
         ;;


###
relevant lines from snort.conf

preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts, ttl_limit 0
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 10 4 portscan.log
preprocessor portscan-ignorehosts: [xxxxxxxxxxxxxx]

output alert_fast: alert

include classification.config
include $RULE_PATH/pass.rules
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
#include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
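The poster found the gap by hand: a rule that should have fired (sid:620, the local Code Red II rule) never showed up in the alert file while a sibling rule (sid:618) did. The script below is an added example, not code from the post or from the Snort project, that automates that comparison: it parses rule files for each rule's msg and sid, counts events per message in an alert_fast log, and lists rules that never produced an alert. It also flags rule lines with unbalanced quotes, the kind of paste damage that makes Snort reject a rules file. The sample rule and alert lines are constructed for the example; the alert_fast line layout is the one Snort 1.8 writes to /var/log/snort/alert, and it is assumed that the printed message has the rule-body backslash escapes (as in `\(8080\)`) removed.

```python
import re
from collections import Counter

# Constructed sample rules modelled on the three rules quoted in the post,
# plus one deliberately broken line (a missing closing quote in msg).
RULES_TEXT = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)
alert tcp any any -> $HTTP_SERVERS 80 (msg:"Code Red II attempt"; uricontent:".ida?NNNNNNNN"; nocase; flags:A+;)
alert tcp any any -> $HOME_NET 80 (msg:"Broken quote attempt; sid:999999; rev:1;)
'''

# Constructed alert_fast output: only sid 618 ever fired in this sample.
ALERT_TEXT = r'''
08/14-10:02:11.123456  [**] [1:618:2] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4321 -> 198.51.100.5:3128
08/14-10:02:12.223456  [**] [1:618:2] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4322 -> 198.51.100.6:3128
'''

RULE_RE = re.compile(r'^\s*(?:alert|log|pass)\s+\S+.*?\((.*)\)\s*$')
MSG_RE = re.compile(r'msg:"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:(\d+)')
# timestamp, [**], [gid:sid:rev], message text, [**]
ALERT_RE = re.compile(r'^\S+\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]')


def unescape(msg):
    """Drop rule-body escapes so the msg matches what alert_fast prints (assumption)."""
    return re.sub(r'\\(.)', r'\1', msg)


def parse_rules(text):
    """Return (rules, problems): rules maps message -> sid (None if the rule has none),
    problems lists rule lines that could not be parsed (no body, odd quote count, no msg)."""
    rules, problems = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        body = m.group(1) if m else None
        if body is None or body.count('"') % 2:
            problems.append(line)
            continue
        msg, sid = MSG_RE.search(body), SID_RE.search(body)
        if not msg:
            problems.append(line)
            continue
        rules[unescape(msg.group(1))] = int(sid.group(1)) if sid else None
    return rules, problems


def parse_alerts(text):
    """Count alert_fast events per message text."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            counts[m.group(4)] += 1
    return counts


def silent_rules(rules, counts):
    """Messages of rules that never appear in the alert log: candidates for a logging gap."""
    return sorted(msg for msg in rules if counts[msg] == 0)


if __name__ == '__main__':
    rules, problems = parse_rules(RULES_TEXT)
    counts = parse_alerts(ALERT_TEXT)
    for line in problems:
        print('unparseable rule:', line)
    for msg, n in counts.most_common():
        print(f'{n:5d}  {msg}')
    for msg in silent_rules(rules, counts):
        print('never fired:', msg, '(sid', rules[msg], ')')
```

Against a real deployment, replace the two constructed strings with the contents of the included $RULE_PATH files and /var/log/snort/alert. The check is keyed on the message text rather than the sid so that rules without a sid, such as the local Code Red II rule above, are still covered; a rule listed as "never fired" is only a candidate, and the next step is to replay traffic that should match it (the scan the poster saw for port 8080) and confirm whether the alert file stays silent.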




