[Snort-sigs] Only an empty Alert file :(

Joel Esler jesler at ...435...
Tue Mar 13 09:38:38 EDT 2012


-c means you are running Snort in IDS mode

--
Joel Esler

On Mar 13, 2012, at 9:30 AM, "Dean Farwood" <dean_farwood at ...1143...> wrote:

> Joel,
>  
> Thanks for your interest.
>  
> I followed your advice and logged the session as -K pcap. I checked the capture on Wireshark and indeed, the word "password" is included in one of the frames.
>  
> Interestingly I had to use the command
> snort -dev -l /etc/snort/log2 -K pcap
>  
> When I tried the command
> snort -dev -c /etc/snort/snort.conf -l /etc/snort/log2 -K pcap
> nothing was logged except that darned empty alert file.
>  
> I wish I knew why adding the -c argument messes up logging?
>  
> Dean
> From: Joel Esler [mailto:jesler at ...435...] 
> Sent: Monday, March 12, 2012 5:35 AM
> To: Dean Farwood
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Only an empty Alert file :(
>  
> I suggest you capture the packet to disk.  Then you can use Snort to read the pcap with -r.
>  
> You need to review the pcap to see if the word "password" really does exist in plaintext in the stream.
>  
>  
> I am betting it doesn't.
>  
> J
>  
> On Mar 11, 2012, at 6:40 PM, Dean Farwood wrote:
> 
> 
> Hello,
>  
> I’m running Snort 2.8.5.2 (Build 121) on Ubuntu 11.10 with 3.0.0-16-generic kernel.
>  
> I have written the following rule called /etc/snort/rules/password.rules:
>  
> alert tcp any any <> 192.168.1.110 any (content:"password"; msg:"Potential Password Violation"; sid:11995522;)
>  
> My snort command is:
> snort -dev -c /etc/snort/snort.conf -l /etc/snort/log2 -K ascii
>  
> I then transfer a file with the word “password” in it from the Linux system to a Windows system using Samba. The packets are captured as evidenced by the terminal display. The Windows system successfully authenticates to Samba and the file can be viewed on the Windows system.
>  
> PROBLEM: No directories are created in the /etc/snort/log2 directory. Only an empty "Alert" file appears.
>  
> If I run a command like:
>  
> snort -dev -l /etc/snort/log2 -K ascii
>  
> I get normal logging directories with IP address directory names etc.
>  
> This command also results in nothing in /etc/snort/log2 except the empty alert file.
> snort -dev -c /etc/snort/rules/password.rules -l /etc/snort/log2 -K ascii
>  
> REQUEST: Any help I can get to allow proper logging when using the -c option would be much appreciated.
>  
> Thanks,
>  
> Dean
>  
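The check Joel suggests above, reviewing whether "password" really exists in plaintext in the captured stream, done offline over a session's TCP payloads. This is an added example, not code from the thread or from Snort; the payload segments are constructed, and the case where the keyword is split across two segments is included as the caveat to look for when a per-packet content match and a Wireshark "follow stream" view disagree.

```python
# Added example (not from the thread or from Snort): given the TCP payloads of
# a captured session, report whether a content keyword such as "password"
# occurs whole inside a single segment, only across a segment boundary in the
# reassembled stream, or not in plaintext at all.
# All segment data below is constructed, not taken from a real capture.

def find_in_segments(segments, keyword):
    """Return the indices of segments whose payload contains the whole keyword."""
    kw = keyword.encode()
    return [i for i, seg in enumerate(segments) if kw in seg]

def find_in_stream(segments, keyword):
    """Return the byte offset of the keyword in the reassembled stream, or -1."""
    return b"".join(segments).find(keyword.encode())

def classify(segments, keyword):
    """'segment'     : keyword is whole within at least one segment
       'stream-only' : keyword appears only once segments are joined
       'absent'      : keyword never appears in plaintext"""
    if find_in_segments(segments, keyword):
        return "segment"
    if find_in_stream(segments, keyword) >= 0:
        return "stream-only"
    return "absent"

# Constructed payloads: the keyword whole in one segment ...
WHOLE = [b"user=alice\r\n", b"the password is hunter2\r\n"]
# ... the same text split across two segments ...
SPLIT = [b"user=alice\r\nthe pass", b"word is hunter2\r\n"]
# ... and no plaintext keyword at all (e.g. an encrypted transfer).
ABSENT = [b"\x16\x03\x01\x00\x2f\x01", b"\x8a\xf3\x91\x02"]

if __name__ == "__main__":
    for name, segs in (("WHOLE", WHOLE), ("SPLIT", SPLIT), ("ABSENT", ABSENT)):
        print(name, classify(segs, "password"))
```

If the keyword only shows up as "stream-only", the pcap view in Wireshark will still show it while a check against individual frames will not.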