[Snort-devel] Snort 1.8.7 not logging - sometimes
leganza at ...1541...
Thu Aug 15 02:31:01 EDT 2002
The "not logging" problem reported for the FTP User Overflow rule in the below
link is not limited to just that rule, sid:1734.
I noticed the same problem yesterday, so I checked whether other packets were
logging correctly and found that 3 packets for rule sid:620 were not logged.
/etc/snort/scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)
But the same source IP scanned for a Squid server, and those were logged.
/etc/snort/scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)
And, a local rule for Code Red II was not logging at all. Yet it worked fine
/etc/snort/local.rules:alert tcp any any -> $HTTP_SERVERS 80 (msg:"Code Red II attempt"; uricontent:".ida?NNNNNNNN"; nocase; flags:A+;)
I've gone back to using Snort 1.8.6 and the logging is fine.
I had been running 1.8.7 since 1 Aug, but this appeared yesterday. Red Hat
updated glibc recently, so I rebuilt 1.8.7 today, yet the logging problem
Red Hat 7.2 all updates applied
Dell 4100 PIII 933Mhz 512memory
2 ea 3com NICs
The /etc/rc.d/init.d/snort start lines:
case "$1" in
  start)
    echo -n "Starting snort: "
    daemon /usr/local/bin/snort -u snort -g snort -d -D -o -k none \
        -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf \
        -m 027 -F /etc/snort/bpf-file -z
    ;;
esac
Relevant lines from snort.conf:
preprocessor stream4: detect_scans, disable_evasion_alerts, ttl_limit 0
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor portscan: $HOME_NET 10 4 portscan.log
preprocessor portscan-ignorehosts: [xxxxxxxxxxxxxx]
output alert_fast: alert
# include $RULE_PATH/porn.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
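A quick way to confirm a "not logging" symptom like the one in this report is to cross-check the rule files against the alert_fast output and list every enabled rule that never produced an alert. The script below is an added example written for this thread, not code from the poster or from the Snort project. The rule lines are constructed copies of the three rules quoted above, the alert lines are constructed samples, and the alert_fast layout it assumes is the one Snort 1.8 writes (`timestamp  [**] [gid:sid:rev] msg [**] ...`); rules without a sid, like the local Code Red II rule, are matched on their msg text instead.

```python
"""Cross-check Snort rule files against alert_fast output and report rules
that never fired.  Added example for this thread; not Snort's own code.
Rule and alert lines below are constructed samples modelled on the post."""
import re
from collections import Counter

# Constructed rules (the three quoted in the post, with msg/uricontent quotes intact).
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)
alert tcp any any -> $HTTP_SERVERS 80 (msg:"Code Red II attempt"; uricontent:".ida?NNNNNNNN"; nocase; flags:A+;)
'''

# Constructed alert_fast lines; only the Squid rule (sid 618) shows up, as in the post.
ALERTS = '''
08/14-10:22:33.123456  [**] [1:618:2] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:3451 -> 10.0.0.5:3128
08/14-10:22:34.223456  [**] [1:618:2] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:3452 -> 10.0.0.6:3128
'''

_HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*$')
_ALERT = re.compile(r'\[\*\*\]\s+(?:\[(\d+):(\d+):(\d+)\]\s+)?(.*?)\s+\[\*\*\]')


def split_options(body):
    """Split the text inside a rule's ( ... ) on ';' while honouring double
    quotes and backslash escapes, so msg:"SCAN Proxy \(8080\) attempt" stays whole."""
    opts, cur, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            cur.append(ch)
        elif ch == ';' and not in_quotes:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def unquote(value):
    """Strip surrounding quotes and undo Snort's backslash escapes (\( \) \" \;)."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r'\\(.)', r'\1', value)


def parse_rule(line):
    """Parse one rule line into a dict; returns None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    lparen = line.index('(')
    header, body = line[:lparen], line[lparen + 1:line.rindex(')')]
    m = _HEADER.match(header)
    if not m:
        raise ValueError('bad rule header: %r' % header)
    rule = dict(zip(('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport'), m.groups()))
    opts = {}
    for opt in split_options(body):
        key, _, val = opt.partition(':')   # options like "nocase" have no value
        opts[key.strip()] = unquote(val.strip())
    rule['options'] = opts
    rule['msg'] = opts.get('msg', '')
    rule['sid'] = int(opts['sid']) if 'sid' in opts else None
    return rule


def parse_rules(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def rule_key(rule):
    """Match alerts by sid when the rule has one, else by msg text."""
    return rule['sid'] if rule['sid'] is not None else rule['msg']


def count_alerts(text):
    """Count alert_fast lines per rule key (sid, or msg when sid is absent/0)."""
    counts = Counter()
    for line in text.splitlines():
        m = _ALERT.search(line)
        if not m:
            continue
        _gid, sid, _rev, msg = m.groups()
        counts[int(sid) if sid and int(sid) else msg] += 1
    return counts


def silent_rules(rules, counts):
    """Return the rules that produced no alert at all."""
    return [r for r in rules if counts[rule_key(r)] == 0]


if __name__ == '__main__':
    rules = parse_rules(RULES)
    counts = count_alerts(ALERTS)
    for r in silent_rules(rules, counts):
        print('no alerts: sid=%s msg=%r' % (r['sid'], r['msg']))
```

On the constructed input this reports sid 620 and the local Code Red II rule as silent, which is the pattern the post describes; run against real rule files and the alert file over the same window, a rule that should have fired but is listed here points at the sensor, not at the rule text.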