[Snort-users] snort not logging

Rick Francis rfrancis at ...468...
Thu Nov 30 21:02:05 EST 2000


Script started on Thu 30 Nov 2000 10:23:02 AM CST
# pwd
/opt/MRsnort
# date
Thu Nov 30 10:23:03 CST 2000
# ls
07122000.latest-lib  CREDITS              netbios-lib          rpc-lib              USAGE
10102k.rules         ddos-lib             overflow-lib         RULES.SAMPLE         webcf-lib
AUTHORS              finger-lib           ping-lib             scan-lib             webcgi-lib
backdoor-lib         ftp-lib              prototype            smtp-lib             webfp-lib
BUGS                 init.snort           README               snort                webiis-lib
ChangeLog            latest-lib           README.FLEXRESP      snort-lib            webmisc-lib
contrib              man                  README.MRsnort       snort.debug
COPYING              misc-lib             README.PLUGINS       telnet-lib
# more latest-lib
#---------------------------------------------
# http://www.snort.org     Snort 1.6.3 Ruleset
#    Current Database Updated -- 10/10/2000
#Contact:  Jim Forster - jforster at ...176...
#---------------------------------------------
#   Ruleset Release Checked with newdupl.pl
#    available from http://www.norz.org
#---------------------------------------------
preprocessor http_decode: 80 82 443 8080
preprocessor minfrag: 128
preprocessor portscan: 146.237.50.130/25 3 5 /var/log/snort/snort.log
#preprocessor http_decode: 80 443 8080
#preprocessor minfrag: 128
#preprocessor portscan: 12.23.34.45/32 3 5 /var/log/snort_portscan.log
#                       ^^^^^^^^^^^    ^ ^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^
#                               |     | |              |
#Your IP address or Network here+     | |              |
#                                     | |              |
#Ammount of ports being connected-----+ |              |
#   in this                             |              |
#Interval (in seconds)------------------+              |
#                                                      |
#Log file (path/name)----------------------------------+

preprocessor portscan-ignorehosts: gvsun9 gvsun7
#preprocessor portscan-ignorehosts: Hosts to ignore in portscan detection

#---------------------------------------------
# CHANGE THE NEXT LINE TO REFLECT YOUR NETWORK
# (Single system = your ip/32)

var HOME_NET 146.237.50.128/25
#var HOME_NET yournet/subnet

#---------------------------------------------
# Ignore web traffic when visiting www.snort.org
pass tcp 205.164.217.39 80 <> any any
# Please run snort with the -o option to enable this pass rule
#---------------------------------------------
# cat S90snort
#!/bin/sh
# This shell script starts or stops snort depending on its first argument.
# If its first argument is "start", then snort is started.
# If its first argument is "stop", then snort is stopped.
# To set things up so that snort is automatically started when your
# system boots, do the following commands as root:
#
#    cp start_script /etc/init.d/snort
#    ln -s ../init.d/snort /etc/rc2.d/S90snort
#

PROGRAMDIR=/usr/local/sbin

PATH=/usr/bin
case $1 in
'start')
  # Start snort
  if [ -f $PROGRAMDIR/snort ] ; then
    echo "Starting snort...\c"
    umask 022
    $PROGRAMDIR/snort -A fast -c /opt/MRsnort/latest-lib -d -i qfe0 -s -D -o -l /var/log/snort/snort.log
    echo "OK"
  fi
  ;;
'stop')
  # Stop snort
    echo "Stopping snort...\c"
    kill -TERM `cat /var/run/snort_qfe0.pid`
    echo "OK"
  ;;
*)
  # Usage
    echo "Usage: /etc/init.d/snort {start|stop}"
;;
esac
# ^D
script done on Thu 30 Nov 2000 10:23:41 AM CST

++++++++++++++++++++++++

Note that I've tried this with and without -s (for syslog logging... with
works OK, but I keep getting messages to the console, which I'm trying to
avoid). I've also tried different directories with 666 and 777 and in
different locations... but not as different users, since root runs
snort... maybe snort should be run by another userid? I've also tried this
with and without the -l in latest-lib and in S90snort.

Thanks for your time and help, Rick.
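Editor's note with an added example (not part of Rick's post and not code from the Snort project). In the transcript above, the active portscan line in latest-lib ends in /var/log/snort/snort.log and S90snort passes the same path to -l. Snort's -l option names a log directory, while the last argument of "preprocessor portscan:" names a log file, and one path cannot be both; whichever is created first blocks the other. The script below is a pre-flight check an init script can run before exec'ing snort, so that a sensor which "starts OK" but never writes a log is reported at start time. All function names (check_logdir, portscan_logfile, paths_collide, preflight, demo), the sample config text and the temporary paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from the Snort project.
# Pre-flight checks for a Snort 1.x start line. Background: -l names a log
# DIRECTORY, the last field of 'preprocessor portscan:' names a log FILE,
# and the same path cannot be both. Function names, the sample config and
# all paths below are constructed for this example.

# check_logdir DIR
#   0 if DIR is an existing directory; 1 (with a reason on stderr) otherwise.
check_logdir() {
    if [ -d "$1" ]; then
        return 0
    fi
    if [ -e "$1" ]; then
        echo "check_logdir: $1 exists but is not a directory" >&2
    else
        echo "check_logdir: $1 does not exist" >&2
    fi
    return 1
}

# portscan_logfile CONFIG
#   Print the log-file path from the first active (uncommented)
#   'preprocessor portscan: <net> <ports> <seconds> <logfile>' line.
#   Returns 1 and prints nothing when the config has no such line.
portscan_logfile() {
    line=$(grep '^preprocessor portscan:' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    set -- $line                # split on whitespace: field 6 is the log file
    [ -n "$6" ] || return 1
    printf '%s\n' "$6"
}

# paths_collide LOGDIR CONFIG
#   0 (true) when the portscan log file in CONFIG is the same path as the
#   directory handed to -l; one of the two can then never be created.
paths_collide() {
    f=$(portscan_logfile "$2") || return 1
    [ "$f" = "$1" ]
}

# preflight LOGDIR CONFIG
#   Run every check, report each finding on stderr and return the number of
#   failed checks, so 0 means "safe to exec snort".
preflight() {
    fails=0
    [ -r "$2" ] || { echo "preflight: cannot read config $2" >&2; fails=$((fails + 1)); }
    check_logdir "$1" || fails=$((fails + 1))
    if paths_collide "$1" "$2"; then
        echo "preflight: -l directory and portscan log file are both $1" >&2
        fails=$((fails + 1))
    fi
    return $fails
}

# Demonstration on a constructed config that mirrors the post: the portscan
# log file and the -l target are the same path, and that path is a file.
demo() {
    d=$(mktemp -d) || return 1
    cfg="$d/latest-lib"
    printf '%s\n' \
        "preprocessor portscan: 146.237.50.130/25 3 5 $d/snort.log" \
        "#preprocessor portscan: 12.23.34.45/32 3 5 $d/snort_portscan.log" \
        "var HOME_NET 146.237.50.128/25" > "$cfg"
    : > "$d/snort.log"          # the "log directory" is a regular file
    preflight "$d/snort.log" "$cfg" 2>/dev/null && rc=0 || rc=$?
    echo "file as -l target: $rc problem(s)"      # 2
    mkdir "$d/logs"
    preflight "$d/logs" "$cfg" 2>/dev/null && rc=0 || rc=$?
    echo "separate directory: $rc problem(s)"     # 0
    rm -rf "$d"
}

demo
```

In an init script the natural use is `preflight /var/log/snort /opt/MRsnort/latest-lib || exit 1` just before the `$PROGRAMDIR/snort ...` line, with -l pointed at the directory and the portscan preprocessor at a file inside it. The field-6 parse assumes the four portscan arguments are separated by whitespace exactly as in the post's config.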



