[Snort-users] SNORT Logging for LRP (Linux Router Project)

Joe Magee me at ...297...
Fri Oct 13 00:07:09 EDT 2000


Hey all... I'm trying to get SNORT configured on my Linux Router Project box. I downloaded the binary and it all installed OK; it seems like snort is picking up traffic fine, it's just that I don't get any logs.

I've tried:
snort -v -e -c /etc/snort/snort-lib -l /var/log/snort/ -i eth1 -D
Result: empty /var/log/snort/ directory; seems like nothing's logging.

I also tried:
snort -v -e -c /etc/snort/snort-lib -s -i eth1 -D
Result: nothing is going to syslog.

Here is some info:
# http_decode takes the port numbers that it's going to analyze as arguments
# traffic on these ports will be sent through the http_decode routine for
# normalization

preprocessor http_decode: 80 443     #8080

# minfrag takes the minimum fragment size (in bytes) threshold as its argument
# fragmented packets at or below this size will cause an alert to be generated

preprocessor minfrag: 128

# set the HOME_NET variable for your own network
# commented out for LRP startup script
#var HOME_NET 24.180.97.145/32
var HOME_NET 24.180.97.0/24

include web-lib                                 
include overflow-lib                            
include misc-lib
include scan-lib
include backdoor-lib

##################################
# alert on interesting packets
##################################

# new rules for detecting source-routed traffic (LSRR/SSRR IP options)
alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";) 
alert udp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";) 
alert udp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";) 

<< EOF >>

#File "/etc/snort/snort.options" 766 bytes read.  Press F1 to toggle #help.
#
# The snort basic configuration file
#

# Do you want to run snort or not? YES/NO
SNORT_RUN=YES

# The interface snort is to run on
SNORT_IF=eth1

# Run snort in promiscuous mode? YES/NO
SNORT_PROMISCUOUS=YES

# Snort's main library file
SNORT_LIB=/etc/snort/snort-lib

# Apply filter rules in reverse order, Pass->Alert->Log instead of
# Alert->Pass->Log.  This allows people to avoid having to make
# big BPF command line arguments to filter their Alert rules. YES/NO
SNORT_RULE_REVERSE=NO

# Snort's Home network segment (where you are listening)
SNORT_HOMENET=24.180.97.0/24

# Logging to data files? YES/NO - Turn this off if you don't have that much
# RAM drive space
SNORT_FILELOG=YES

# How long to keep snort log history for
SNORT_KEEPFOR=7  # days

<< EOF >>

-*> Snort! <*-
Version 1.5.patch1
By Martin Roesch (roesch at ...66..., www.clark.net/~roesch)

USAGE: snort [-options] <filter options>
Options:
        -A         Set alert mode: fast, full, or none  (alert file alerts only)
                  "unsock" enables UNIX socket logging (experimental).
        -a         Display ARP packets
        -b         Log packets in tcpdump format (much faster!)
        -c <rules> Use Rules File <rules>
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the packet Ethernet addresses
        -F <bpf>   Read BPF filters from file <bpf>
        -h <hn>    Home network = <hn>
        -i <if>    Listen on interface <if>
        -l <ld>    Log to directory <ld>
        -M <wrkst> Sends SMB message to workstations in file <wrkst>
                   (Requires smbclient to be in PATH)
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -o         Change the rule testing order to Pass|Alert|Log
        -p         Disable promiscuous mode sniffing
        -r <tf>    Read and process tcpdump file <tf>
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -v         Be verbose
        -V         Show version number
        -x         Display IPX packets
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump


Thanks!!!!


Joe Magee
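Added example, not code from Joe's post or from the LRP snort package: a POSIX sh function that turns an snort.options file like the one pasted above into a Snort 1.5 command line, using only the flags from the usage text, plus a preflight check that the -l directory can actually be written to. The option names (SNORT_RUN, SNORT_IF, ...) and the flags are taken from the post; the option-to-flag mapping, the preflight function and the three constructed options files are this example's own assumptions, not the LRP startup script's real logic.

```shell
#!/bin/sh
# Added example (not from the original post or the LRP snort package).
# Builds a Snort 1.5 command line from an LRP-style snort.options file
# and checks the log directory before starting the daemon.  Option names
# come from the pasted file; the flag mapping is this example's assumption.

SNORT_OPTS_DIR=$(mktemp -d)
trap 'rm -rf "$SNORT_OPTS_DIR"' EXIT

# Constructed copy of the options file from the post (comments dropped).
cat > "$SNORT_OPTS_DIR/snort.options" <<'EOF'
SNORT_RUN=YES
SNORT_IF=eth1
SNORT_PROMISCUOUS=YES
SNORT_LIB=/etc/snort/snort-lib
SNORT_RULE_REVERSE=NO
SNORT_HOMENET=24.180.97.0/24
SNORT_FILELOG=YES
SNORT_KEEPFOR=7
EOF

# Constructed variant: non-promiscuous, reversed rule order, no file logging.
cat > "$SNORT_OPTS_DIR/syslog.options" <<'EOF'
SNORT_RUN=YES
SNORT_IF=eth0
SNORT_PROMISCUOUS=NO
SNORT_LIB=/etc/snort/snort-lib
SNORT_RULE_REVERSE=YES
SNORT_HOMENET=24.180.97.0/24
SNORT_FILELOG=NO
SNORT_KEEPFOR=7
EOF

# Constructed variant: snort switched off.
printf 'SNORT_RUN=NO\n' > "$SNORT_OPTS_DIR/disabled.options"

# build_snort_cmd OPTIONS_FILE LOGDIR
# Prints the command line; returns 1 when SNORT_RUN is not YES or a
# required value is missing.  Deliberately never adds -v: that is the
# verbose packet dump to the terminal, and a -D daemon has no terminal.
build_snort_cmd() {
    _opts=$1
    _logdir=$2
    # Forget values from a previous call so a missing key is really missing.
    unset SNORT_RUN SNORT_IF SNORT_PROMISCUOUS SNORT_LIB SNORT_RULE_REVERSE \
          SNORT_HOMENET SNORT_FILELOG SNORT_KEEPFOR
    # shellcheck disable=SC1090
    . "$_opts"
    [ "$SNORT_RUN" = "YES" ] || return 1
    { [ -n "$SNORT_IF" ] && [ -n "$SNORT_LIB" ] && [ -n "$SNORT_HOMENET" ]; } || return 1

    _cmd="snort -D -i $SNORT_IF -c $SNORT_LIB -h $SNORT_HOMENET"
    # Promiscuous sniffing is Snort's default; -p switches it off.
    [ "$SNORT_PROMISCUOUS" = "YES" ] || _cmd="$_cmd -p"
    # -o changes the rule testing order to Pass|Alert|Log.
    [ "$SNORT_RULE_REVERSE" = "YES" ] && _cmd="$_cmd -o"
    if [ "$SNORT_FILELOG" = "YES" ]; then
        _cmd="$_cmd -l $_logdir"    # packet logs and alert file under LOGDIR
    else
        _cmd="$_cmd -N -s"          # no packet logs, alerts to syslog only
    fi
    printf '%s\n' "$_cmd"
}

# preflight_logdir LOGDIR
# An empty -l directory is the symptom in the post; confirm the directory
# exists and this user can create files in it before launching snort.
preflight_logdir() {
    [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# Stand-alone run: show the command for the pasted options and warn if the
# log directory would not be writable.
build_snort_cmd "$SNORT_OPTS_DIR/snort.options" /var/log/snort
preflight_logdir /var/log/snort || echo "warning: /var/log/snort is not a writable directory" >&2
```

The point of the wrapper is that every flag it emits comes from the usage text in the post, and -v is left out on purpose: per that text -v is "Be verbose", Snort's console packet dump, which makes sense for an interactive test but has nowhere to go once the process is backgrounded with -D. Run the preflight as the user snort will run as, since a directory root can write to is no use to an unprivileged daemon.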
