[Snort-users] SNORT Logging for LRP (Linux Router Project)

Guy Bruneau bruneau at ...126...
Fri Oct 13 05:32:41 EDT 2000


Joe,

You should probably update to version 1.6.3. I think there were some bugs with version 1.5.

Guy

Joe Magee wrote:

> Hey all... I'm trying to get SNORT configured on my Linux Router Project box. I downloaded the binary and it all installed OK; it seems like snort is picking up traffic fine, it's just that I don't get any logs.
>
> I've tried:
> snort -v -e -c /etc/snort/snort-lib -l /var/log/snort/ -i eth1 -D
> Result: empty /var/log/snort/ directory; seems like nothing's logging.
>
> I also tried:
> snort -v -e -c /etc/snort/snort-lib -s -i eth1 -D
> Result: nothing is going to syslog.
>
> Here is some info:
> # http_decode takes the port numbers that it's going to analyze as arguments
> # traffic on these ports will be sent through the http_decode routine for
> # normalization
>
> preprocessor http_decode: 80 443     #8080
>
> # minfrag takes the minimum fragment size (in bytes) threshold as its argument
> # fragmented packets at or below this size will cause an alert to be generated
>
> preprocessor minfrag: 128
>
> # set the HOME_NET variable for your own network
> # commented out for LRP startup script
> #var HOME_NET 24.180.97.145/32
> var HOME_NET 24.180.97.0/24
>
> include web-lib
> include overflow-lib
> include misc-lib
> include scan-lib
> include backdoor-lib
>
> ##################################
> # alert on interesting packets
> ##################################
>
> # new rules for detection source port traffic
> alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
> alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
> alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
> alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
> alert udp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
> alert udp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
>
> << EOF >>
>
> #File "/etc/snort/snort.options" 766 bytes read.  Press F1 to toggle #help.
> #
> # The snort basic configuration file
> #
>
> # Do you want to run snort or not? YES/NO
> SNORT_RUN=YES
>
> # The interface snort is to run on
> SNORT_IF=eth1
>
> # Run snort in promiscuous mode? YES/NO
> SNORT_PROMISCUOUS=YES
>
> # Snort's main library file
> SNORT_LIB=/etc/snort/snort-lib
>
> # Apply filter rules in reverse order, Pass->Alert->Log instead of
> # Alert->Pass->Log.  This allows people to avoid having to make
> # big BPF command line arguments to filter their Alert rules. YES/NO
> SNORT_RULE_REVERSE=NO
>
> # Snort's Home network segment (where you are listening)
> SNORT_HOMENET=24.180.97.0/24
>
> # Logging to data files? YES/NO - Turn this off if you don't have that much
> # RAM drive space
> SNORT_FILELOG=YES
>
> # How long to keep snort log history for
> SNORT_KEEPFOR=7  # days
>
> << EOF >>
>
> -*> Snort! <*-
> Version 1.5.patch1
> By Martin Roesch (roesch at ...66..., www.clark.net/~roesch)
>
> USAGE: snort [-options] <filter options>
> Options:
>         -A         Set alert mode: fast, full, or none  (alert file alerts only)
>                   "unsock" enables UNIX socket logging (experimental).
>         -a         Display ARP packets
>         -b         Log packets in tcpdump format (much faster!)
>         -c <rules> Use Rules File <rules>
>         -d         Dump the Application Layer
>         -D         Run Snort in background (daemon) mode
>         -e         Display the packet Ethernet addresses
>         -F <bpf>   Read BPF filters from file <bpf>
>         -h <hn>    Home network = <hn>
>         -i <if>    Listen on interface <if>
>         -l <ld>    Log to directory <ld>
>         -M <wrkst> Sends SMB message to workstations in file <wrkst>
>                    (Requires smbclient to be in PATH)
>         -n <cnt>   Exit after receiving <cnt> packets
>         -N         Turn off logging (alerts still work)
>         -o         Change the rule testing order to Pass|Alert|Log
>         -p         Disable promiscuous mode sniffing
>         -r <tf>    Read and process tcpdump file <tf>
>         -s         Log alert messages to syslog
>         -S <n=v>   Set rules file variable n equal to value v
>         -v         Be verbose
>         -V         Show version number
>         -x         Display IPX packets
>         -?         Show this information
> <Filter Options> are standard BPF options, as seen in TCPDump
>
> Thanks!!!!
>
> Joe Magee
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
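The six "Source routed packet" rules quoted above are easy to misread because of the `!$HOME_NET` negation, so here is a small matcher, added as an example and not part of either message or of Snort itself, that parses rules in that Snort 1.x syntax and runs them over constructed packets. It substitutes `$HOME_NET` from a variable table, honours `!` negation, and checks the `ipopts` option, which is what these rules key on. It is a deliberate simplification: only `any` and single ports are understood (no port ranges), and `ipopts` is the only option evaluated, so it illustrates the rule logic rather than Snort's real engine.

```python
"""Added example (not from the original thread): a minimal matcher for the
Snort 1.x-style rules quoted in the message, run over constructed packets.
It shows which packets the "Source routed packet" rules fire on, and why a
source-routed packet originating inside HOME_NET does not match them."""
import ipaddress
import re

# Constructed inputs: the HOME_NET value and the six ipopts rules as quoted.
VARS = {"HOME_NET": "24.180.97.0/24"}
RULES_TEXT = """
alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
alert udp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert udp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
"""

# action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def parse_address(spec, variables):
    """'!$HOME_NET' / '$HOME_NET' / 'any' -> (negated, ip_network or None)."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    net = None if spec == "any" else ipaddress.ip_network(spec, strict=False)
    return negated, net


def parse_options(text):
    """'ipopts: lsrr; msg: "x";' -> {'ipopts': 'lsrr', 'msg': 'x'}"""
    opts = {}
    for item in text.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rules(text, variables):
    """Parse every non-comment line into a rule dict; reject unparseable lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        rules.append({
            "action": m["action"], "proto": m["proto"],
            "src": parse_address(m["src"], variables),
            "dst": parse_address(m["dst"], variables),
            "sport": m["sport"], "dport": m["dport"],
            "opts": parse_options(m["opts"]),
        })
    return rules


def addr_matches(addr_spec, ip):
    negated, net = addr_spec
    inside = True if net is None else ipaddress.ip_address(ip) in net
    return (not inside) if negated else inside


def port_matches(spec, port):
    # Simplification: only 'any' or a single port number, no ranges.
    return spec == "any" or int(spec) == port


def matching_alerts(rules, pkt):
    """Return the msg of every rule that fires for a packet dict."""
    hits = []
    for r in rules:
        if r["proto"] != pkt["proto"]:
            continue
        if not (addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"])):
            continue
        if not (port_matches(r["sport"], pkt.get("sport", 0))
                and port_matches(r["dport"], pkt.get("dport", 0))):
            continue
        want = r["opts"].get("ipopts")
        if want and want not in pkt.get("ipopts", ()):
            continue
        hits.append(r["opts"].get("msg", ""))
    return hits


RULES = parse_rules(RULES_TEXT, VARS)

# Constructed packets: an outside host sending LSRR, an outside host with no
# IP options, and an inside host sending SSRR to another inside host.
PACKETS = {
    "external_lsrr": {"proto": "tcp", "src": "10.1.2.3", "dst": "24.180.97.145",
                      "sport": 4000, "dport": 80, "ipopts": ("lsrr",)},
    "external_plain": {"proto": "tcp", "src": "10.1.2.3", "dst": "24.180.97.145",
                       "sport": 4000, "dport": 80},
    "internal_ssrr": {"proto": "udp", "src": "24.180.97.10", "dst": "24.180.97.145",
                      "ipopts": ("ssrr",)},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, "->", matching_alerts(RULES, pkt) or "no alert")
```

Only the external LSRR packet produces an alert; the internal one is silent because `!$HOME_NET` excludes any source inside 24.180.97.0/24. If you want source-routed traffic between inside hosts reported too, the source field would have to be `any`.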



