[Snort-users] Snort FAQ

Dragos Ruiu dr at ...381...
Thu Jan 4 17:39:27 EST 2001


SNORT FAQ Version 1.7 - January 03 2001 v1.7.2

Suggestions for enhancements of this document are
always welcome please email them to Dragos Ruiu at 
dr at ...381...

The following people have contributed to this faq:

Marty Roesch
Fyodor Yarochkin
Dragos Ruiu
Jed Pickel
Max Vision
Michael Davis
Joe McAlerney
Joe Stewart
Erek Adams
Roman Danyliw
Christopher Cramer

Frequently Asked Questions about "snort"


Q: How do you pronounce the names of some of these guys who work on snort?
Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap?
Q: How do I run snort?
Q: Where are my log files located?  What are they named?
Q: Where's a good place to physically put a Snort sensor?
Q: I'm on a switched network, can I still use Snort?
Q: I'm getting large amounts of <some alert type>. What should I do?  Where
   can I go to find out more about it?
Q: What about all these false alarms?
Q: What are all these ICMP files in subdirectories under /var/log/snort?
Q: My network spans multiple subnets.  How do I define HOME_NET?
Q: I have one network card and two aliases, how can I force snort to "listen"
  on both addresses ? 
Q: How do I ignore traffic coming from a particular host or hosts?
Q: Why does the portscan plugin log "stealth" packets even though the
   host is in the portscan-ignorehosts list?
Q: Why are there no subdirectories under /var/log/snort for IP addresses?
Q: How do I run snort on an interface with no IP address?
Q: Libpcap complains about permissions problems, what's going on?
Q: Why does snort complain about /var/log/snort?
Q: How do you get snort to ignore some traffic?
Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?
Q: I think I found a bug in snort. Now what?
Q: Does Snort handle IP defragmentation?
Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh?
Q: I've got RedHat and ....
Q: How do I setup snort on a 'stealth' interface?
Q: I Want to build a snort box.  Will this <Insert List> handle <this much> traffic?
Q: What are CIDR netmasks?
Q: Where do I get the latest version of libpcap?
Q: What are these IDS codes in the alert names?
Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?
Q: What about "CGI Null Byte attacks"?
Q: Where can I get more reading and courses about IDS?
Q: How do I log to multiple databases?
Q: What are all these "ICMP destination unreachable" alerts?
Q: Why does building snort complain about missing references?
Q: Why does building snort fail with errors about yylex and lex_init?
Q: What is the use of the "-r" switch to read tcpdump files? 
Q: How do I get Snort to log the packet payload as well as the header? 
Q: Does Snort log the full packets that it generates alerts on? 
Q: Why does the program generate alerts on packets that have pass rules? 
Q: Does Snort perform TCP stream reassembly? 
Q: SMB alerts aren't working, what's wrong? 
Q: How can I test snort without having an ethernet card or a connection to
   other computers? 
Q: I'm having problems getting snort to log to a database...
Q: Where do I get more help on snort?
Q: How do I start snort as a win32 service?
Q: How do I process those snort logs into HTML reports?
Q: Why do certain alerts seem to have 'unknown' IPs in ACID? 
Q: Why does the 'error deleting alert' message occur when attempting to delete
   an alert with ACID? 
Q: ACID appears to be broken in Lynx 
Q: Can priorities be assigned to Alerts using ACID? 
Q: My ACID db connection times-out when performing long operations (e.g.
   deleting a large number of alerts) 
Q: Why does snort report "Packet loss statistics are unavailable under Linux"?
Q: What the heck is a SYNFIN scan?
Q: What about 'SMB Name Wildcard' alerts?
Q: Which takes precedence, commandline or rule file ?
Q: My /var/log/snort directory gets very large.....
Q: Is it possible with snort to add a ipfilter/ipfw rule to a firewall?
Q: How can I run snort on multiple interfaces simultaneously?
Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong?
Q: IP address is assigned dynamically to my interface, can I use snort with it?
Q: On HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument
Q: I am getting snort dying with 'can not create file' error and I have plenty of diskspace, what's wrong?


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do you pronounce the names of some of these guys who work on snort?

A: For the record, 'Roesch' is pronounced like 'fresh' without the 'f'.
   Additionally, 'Ruiu' is pronounced like 'screw you' without the 'sc'.  And
   Jed's last name is like "pick-el", not "pickle". :)

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap?

A: Nope. fyodor at ...306... is the author of nmap; "Fyodor" is his
   pseudonym, while it is the Snort Fyodor's real first name.  Yeah, it messes
   up my mailbox too, but I think it's too late to change either of them :-).

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I run snort?

A: Run Snort in sniffer mode (snort -dvi eth0) and make sure it can see the
   packets.  Then run it with HOME_NET set appropriately for the network
   you're defending in your rules file.  A default rules file comes with the
   snort distribution and is called "snort-lib".  You can run this basic
   ruleset with the following command line:
  
   snort -Afull -c snort-lib

   If it's all set right, once it's running do an "ifconfig -a" and make sure
   the interface is in promiscuous mode (PROMISC will appear in the flags
   line of the printout).  If it's not, set it manually with ifconfig's
   "promisc" option.
  
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where are my log files located?  What are they named?

A: If you specified a logging directory with the -l parameter then that is
   where your files are located.  If you did not specify a logging directory
   then Snort will log to /var/log/snort/.

   In the past, running Snort in daemon mode (-D) produced a file named
   "snort.alert".  For consistency's sake, this has been changed. Running
   Snort in either standard or daemon mode (-D) will produce a file named
   "alert".

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where's a good place to physically put a Snort sensor?

A:  This is going to be heavily influenced by your organization's policy, and
    what you want to detect.  One way of looking at it is determining if you
    want to place it inside or outside your firewall.  Placing an IDS outside
    of your firewall will allow you to monitor all attacks directed at your
    network, regardless of whether or not they are stopped at the firewall.
    This almost certainly means that the IDS will pick up on more events
    than an IDS inside the firewall, and hence more logs will be generated.
    Place an IDS inside your firewall if you are only interested in monitoring
    traffic that your firewall let pass.  If resources permit, it may be best
    to place one IDS outside and one IDS inside of your firewall.  This way
    you can watch for everything directed at your network, and anything that
    made its way in.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I'm on a switched network, can I still use Snort?

A: This depends on the type of switch you have.  If it can mirror traffic
   (a "SPAN" or monitor port), you can direct copies of the traffic you care
   about to the port that your Snort box is on.  Note that a mirror port can
   be oversubscribed when several busy ports are mirrored to one, in which
   case the switch silently drops some of the copied packets.
  
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I'm getting large amounts of <some alerts type>. What should I do?  Where
   can I go to find out more about it?

A: Some rules are more prone to producing false positives than others.     
   This often varies between networks.  You first need to determine if it
   is indeed a false positive.  Some rules are referenced with ID numbers.
   The following are some common identification systems, and where to go
   to find more information about a particular alert.

   System      Example        URL
   ---------------------------------------------------------------
   IDS         IDS182         http://www.whitehats.com/IDS/182
   CVE         CVE-2000-0138  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138
   Bugtraq     BugtraqID 1    http://www.securityfocus.com/vdb/bottom.html?vid=1
   McAfee      Mcafee 10225   http://vil.nai.com/vil/dispVirus.asp?virus_k=10225

   It may be necessary to examine the packet payload to determine if the
   alert is a false positive.  The packet payload is logged using the -d
   option.  If you determine the alerts are false positives, you may want
   to write pass rules for machines that are producing a large number of them.
   If the rule is producing an unmanageable amount of false positives from
   a number of different machines, you could pass on the rule for all traffic.
   This should be used as a last resort.
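As an added triage example (not part of the FAQ and not Snort's own code): count which signatures and which source hosts generate the most alerts, map an arachNIDS-style IDS number to its reference URL, and draft the host-specific pass rule the answer above suggests. The alert text is constructed to mimic the -A full layout (a "[**] ... [**]" banner line followed by a timestamp and "src:port -> dst:port" line); the parser keys only on those two line shapes and skips everything else, so the extra per-alert header lines of a real file do no harm. The pass rule is a hypothetical header-only shape; narrow its protocol and ports to the noisy rule before using it.

```python
"""Triage a Snort 1.x full-format alert file: which signatures fire most,
which hosts trigger them, and where to read up on an IDS number.

Added example, not from the FAQ or from Snort. SAMPLE_ALERTS is constructed
to mimic the '-A full' layout: a '[**] ... [**]' banner line, then a
'timestamp src:port -> dst:port' line, then header lines we ignore.
"""
import re
from collections import Counter

# Constructed sample: two copies of one noisy signature from one host, and
# one unrelated alert, so the ranking has something to show.
SAMPLE_ALERTS = """\
[**] IDS182 - MISC - Shellcode X86 NOPS [**]
01/03-17:39:27.123456 10.1.1.5:1034 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:1 DF

[**] IDS182 - MISC - Shellcode X86 NOPS [**]
01/03-17:39:28.223456 10.1.1.5:1035 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:2 DF

[**] IDS177 - NETBIOS - SMB Name Wildcard [**]
01/03-17:40:01.000001 10.1.1.7:137 -> 192.168.1.10:137
UDP TTL:128 TOS:0x0 ID:3
"""

BANNER = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
ENDPOINTS = re.compile(r"^\S+ (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$")


def parse_alerts(text):
    """Yield (signature, src, dst) for every alert in a full-format alert file."""
    sig = None
    for line in text.splitlines():
        m = BANNER.match(line)
        if m:
            sig = m.group("sig")
            continue
        m = ENDPOINTS.match(line)
        if m and sig is not None:
            yield sig, m.group("src"), m.group("dst")
            sig = None  # exactly one endpoint line belongs to each banner


def top_signatures(text, n=5):
    """Most frequent signatures, as (signature, count) pairs."""
    return Counter(sig for sig, _, _ in parse_alerts(text)).most_common(n)


def top_sources(text, signature, n=5):
    """Hosts producing the most alerts for one signature."""
    return Counter(src for sig, src, _ in parse_alerts(text)
                   if sig == signature).most_common(n)


def reference_url(signature):
    """arachNIDS IDS numbers resolve at whitehats.com; other names return None."""
    m = re.match(r"IDS(\d+)", signature)
    return "http://www.whitehats.com/IDS/%s" % m.group(1) if m else None


def suggest_pass_rule(src, dst):
    """Hypothetical header-only pass rule for a confirmed false-positive pair
    of hosts. Remember that pass rules only take precedence over alert rules
    when snort is started with -o."""
    return "pass ip %s any -> %s any" % (src, dst)
```

Run top_signatures first, then top_sources for the worst offender; if one or two hosts account for nearly all of a signature's alerts, a pass rule for those hosts is the surgical fix the answer recommends, and passing the whole rule stays the last resort.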


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What about all these false alarms?

A: Most people think that a large rule set with a pile of false positives is
   infinitely preferable: you can then turn off what you don't want.  The
   reverse, a small rule set, can lure people into complacency, thinking that
   Snort is doing "its thing" and there is nothing to worry about.
 
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these ICMP files in subdirectories under /var/log/snort?

A: Most of them are likely ICMP destination unreachable (typically port
   unreachable) messages that snort logged when a communications session
   attempt failed.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: My network spans multiple subnets.  How do I define HOME_NET?

A: Snort 1.7 supports IP lists.  You can assign a number of addresses to
   a single variable.  For example:

     var HOME_NET [10.1.1.0/24,192.168.1.0/24]

   NOTE: Not all preprocessors support IP lists at this time.  Unless
   otherwise stated, assume that any preprocessor using an IP list variable
   will use the first value as the HOME_NET.  The portscan preprocessor
   is an example.  To catch all detectable portscans, pass 0.0.0.0/0 in
   as the first parameter.

   preprocessor portscan: 0.0.0.0/0 5 3 portscan.log

   Use the portscan-ignorehosts preprocessor to fine tune and ignore
   traffic from noisy, trusted machines.


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I have one network card and two aliases, how can I force snort to "listen"
  on both addresses ? 


A: If you're using at least version 1.7, you can specify an IP list like
   this:

	var HOME_NET [192.168.<your-IP>/24,<Internet address>/32]

   If you're using something older (version 1.6.3-patch2, for example) you can
   re-specify the HOME_NET variable multiple times like this (for example):

	var HOME_NET 10.1.1.0/24

	include scan-lib
	etc.

	var HOME_NET 192.168.1.0/24

	include scan-lib
	etc.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I ignore traffic coming from a particular host or hosts?

A: Write pass rules and add the host(s) to the portscan-ignorehosts list.
   Call Snort with the -o option to activate the pass rules.
   See http://www.snort.org/writing_snort_rules.htm for more information.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the portscan plugin log "stealth" packets even though the
   host is in the portscan-ignorehosts list?

A: These types of TCP packets are inherently suspicious, no matter where
   they are coming from.  The portscan detector was built with the assumption
   that "stealth" packets should be reported, even from hosts which are not
   monitored for portscanning.  An option to ignore "stealth" packets may be
   added in the future.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why are there no subdirectories under /var/log/snort for IP addresses?

A: It depends on how your snort configuration logs.  If it logs in binary
   (tcpdump) format there are no per-host directories; you'll have to read
   the binary log back through snort (the -r switch) to get cleartext.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I run snort on an interface with no IP address?

A: ifconfig ethN up

   This brings the interface up without assigning an address; snort can then
   listen on it with -i ethN as usual.
 
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Libpcap complains about permissions problems, what's going on?

A: You are either not running snort as root or your kernel is not
   configured correctly (on Linux, packet socket support must be compiled
   into the kernel; on the BSDs, snort needs read access to the /dev/bpf*
   devices).
                                                                    
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does snort complain about /var/log/snort?

A: It requires this directory to log alerts to it.
   Use: mkdir /var/log/snort

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do you get snort to ignore some traffic?

A1: Specify BPF filters on the command line; the tcpdump man page has a
    description of the BPF filter syntax.
A2: Use a pass rule.
A3: The portscan preprocessor has its own special exclusion list, the
    portscan-ignorehosts preprocessor directive.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?

A:  One reason rules require the PSH and ACK flags ("flags: PA") is to
    minimize false positives: a data-carrying packet with both flags set only
    occurs inside an established connection, so you only get an alert upon
    successful connections, not on bare connection attempts.  If you want to
    see all the attempts, you either have to modify the signatures, add your
    own signatures, or use your firewall logs to see if an attempt to reach a
    specific port occurred.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q:  I think I found a bug in snort. Now what?

A:  Get some more diagnostic information and post it to the "snort-users"
    list at http://www.sourceforge.net

    To get diagnostic information compile snort as either:

	make clean; make CFLAGS=-ggdb

	or
	make clean; make "CFLAGS=-ggdb -DDEBUG"

    trace the coredump as:

	gdb /path/to/snort /path/to/snort/core

	gdb> where
	gdb> bt
	gdb> print varname     (for whichever variables look relevant)

    or if corefile isn't generated snort should be started as

	gdb snort

	gdb> run <snort args without -D switch :-)>
				
  
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Does Snort handle IP defragmentation?

A: Yes, use "preprocessor defrag".
   Snort also currently has the "minfrag" preprocessor available, which looks
   for tiny fragments and can generate alerts based upon the size of the
   fragments alone.  This is a valid strategy because there is virtually no
   commercially available network equipment that fragments packets smaller
   than 256 bytes, while most hacking packages that try to mask their traffic
   with fragments make them as small as possible.  The minfrag option lets you
   specify a fragment size threshold below which Snort will generate alerts.
                      

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh?

A:  This was an internal diagnostic message triggered by an old bug in early
    versions of the defragmentation preprocessor.  Upgrade to the latest
    version of snort.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q:  I've got RedHat and ....

A:  Check your version of libpcap.  :) If it's older than 0.5, you should
    update.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q:  How do I setup snort on a 'stealth' interface?

A:  Bring up the interface without an IP address on it.
    http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/
A:  Use an ethernet tap, or build your own 'receive-only' ethernet cable.
    http://www.robertgraham.com/pubs/sniffing-faq.html#receive-only

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q:  I Want to build a snort box.  Will this <Insert List> handle <this much>
    traffic?

A:  That depends.  ;-)  Reducing the number of rules is the standard way to
    improve performance: disable rules that you don't need or care about.
    There have been many discussions on 'tweaking performance' with lots of
    'I handle XX Mbit/s with a ___ machine setup' being said.  Look at some of
    the discussions on snort-users.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are CIDR netmasks?

A: Excerpted from url: http://public.pacbell.net/dedicated/cidr.html


CIDR is an addressing scheme for the Internet which allows for more efficient
allocation of IP addresses than the old Class A, B, and C address scheme.
The prefix length (/N) is the number of leading bits of the address that
identify the network; the remaining 32-N bits identify hosts.  The host
counts below include the network and broadcast addresses of each block.

CIDR Block Prefix   # Equivalent Class C   # of Host Addresses
------------------  ---------------------  -------------------
/27                 1/8th of a Class C     32 hosts
/26                 1/4th of a Class C     64 hosts
/25                 1/2 of a Class C       128 hosts
/24                 1 Class C              256 hosts
/23                 2 Class C              512 hosts
/22                 4 Class C              1,024 hosts
/21                 8 Class C              2,048 hosts
/20                 16 Class C             4,096 hosts
/19                 32 Class C             8,192 hosts
/18                 64 Class C             16,384 hosts
/17                 128 Class C            32,768 hosts
/16                 256 Class C            65,536 hosts (= 1 Class B)
/15                 512 Class C            131,072 hosts
/14                 1,024 Class C          262,144 hosts
/13                 2,048 Class C          524,288 hosts

For more detailed technical information on CIDR, go to http://www.rfc-editor.org/rfcsearch.html and type in the
number of the CIDR RFC you are interested in:

RFC 1517: Applicability Statement for the Implementation of CIDR
RFC 1518: An Architecture for IP Address Allocation with CIDR
RFC 1519: CIDR: An Address Assignment and Aggregation Strategy
RFC 1520: Exchanging Routing Information Across Provider Boundaries in the CIDR Environment
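As an added example (not Snort's own address parser), here is the mask arithmetic behind the table, plus a matcher for the Snort IP-list syntax from the HOME_NET question earlier ([10.1.1.0/24,192.168.1.0/24]) including the "!" negation Snort accepts in rule addresses. Host counts include the network and broadcast addresses, exactly as the table does. This matcher checks every entry in the list; as noted above, the 1.7 portscan preprocessor only honours the first.

```python
"""CIDR arithmetic as Snort uses it in HOME_NET and rule addresses.

Added example, not Snort's code. Implements the mask math behind the CIDR
table and a matcher for Snort-style IP lists such as
[10.1.1.0/24,192.168.1.0/24], including '!' negation (e.g. !$HOME_NET after
variable expansion). Host counts include network and broadcast addresses.
"""
import socket
import struct


def ip_to_int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def parse_cidr(cidr):
    """'10.1.1.0/24' -> (network_int, mask_int). A bare address means /32."""
    if "/" in cidr:
        addr, plen = cidr.split("/", 1)
        plen = int(plen)
    else:
        addr, plen = cidr, 32
    if not 0 <= plen <= 32:
        raise ValueError("bad prefix length: %s" % cidr)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF   # plen leading one-bits
    return ip_to_int(addr) & mask, mask


def host_count(plen):
    """Addresses in a /plen block: 2 ** (32 - plen)."""
    return 1 << (32 - plen)


def class_c_equivalent(plen):
    """Number of /24s in the block (fractional below /24): the table's middle column."""
    return host_count(plen) / 256


def broadcast(cidr):
    net, mask = parse_cidr(cidr)
    return int_to_ip(net | (~mask & 0xFFFFFFFF))


def in_cidr(addr, cidr):
    net, mask = parse_cidr(cidr)
    return ip_to_int(addr) & mask == net


def parse_ip_list(spec):
    """'[10.1.1.0/24,192.168.1.0/24]' or '!10.1.1.0/24' -> (negated, [cidrs])."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    cidrs = [c.strip() for c in spec.split(",") if c.strip()]
    return negated, cidrs


def matches(addr, spec):
    """Does addr match a Snort address spec? 'any' matches everything;
    a negated list matches addresses in none of its entries."""
    if spec.strip() == "any":
        return True
    negated, cidrs = parse_ip_list(spec)
    hit = any(in_cidr(addr, c) for c in cidrs)
    return not hit if negated else hit
```

A rule written with source !$HOME_NET (as the SMB Name Wildcard discussion suggests) becomes, after expansion, a negated list like ![10.1.1.0/24,192.168.1.0/24]; matches() shows that such a source spec accepts an outside address and rejects every address in any of the listed blocks.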

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where do I get the latest version of libpcap?

A: http://www.tcpdump.org/

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are these IDS codes in the alert names?

A: IDS numbers (IDS182, for example) are identifiers from the arachNIDS
   database of known attack signatures.  You can learn more about a specific
   IDS id at the arachNIDS search engine on http://www.whitehats.com/.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?

A: If you are dumping the data part of the packet (-d), review it.
   These rules are known to have high false-positive rates, as most of
   them are based on nothing more than port numbers.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What about "CGI Null Byte attacks"?

A: It's a part of the http preprocessor.  Basically, if the http decoding
   routine finds a %00 in an http request, it will alert with this message.
   Sometimes you may see false positives with sites that use cookies with
   urlencoded binary data, or if you're inspecting port 443 and picking up
   SSL-encrypted traffic.  If you're logging alerted packets you can check
   the actual string that caused the alert.  Also, the unicode alert is
   subject to the same false positives with cookies and SSL.  Having the
   packet dumps is the only way to tell for sure if you have a real attack on
   your hands, but this is true for any content-based alert.


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q:  Where can I get more reading and courses about IDS?

A:  Sans has some courses.  There are also a couple of books you might
    want to look into getting.

	Network Intrusion Detection An Analyst's Handbook
	By Stephen Northcutt
	ISBN 0735708681

	TCP/IP Illustrated, Volume 1 The Protocols
	By W. Richard Stevens
	ISBN 0201633469

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I log to multiple databases?

A: You can build redundancy by using multiple output plugins. Here are
   some examples.

   Multiple instantiations of the database plugin:

	output log_database: mysql, dbname=snort host=localhost user=xyz
	output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz

   Remote database and local tcpdump:

	output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz 
	output log_tcpdump: /var/log/snort.tcpdump

   Then you can replay the tcpdump file through snort to recreate the 
   database.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these "ICMP destination unreachable" alerts?

A: They are failed connections.  An ICMP unreachable message carries the IP
   header plus the first 8 bytes (64 bits) of the original datagram, which
   for TCP and UDP is enough to identify the ports involved, so snort can
   tell you which connection attempt failed.
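An added example (independent of Snort's decoder) covering this question and the minfrag question above: decode an IPv4 header, flag a fragment that carries fewer than a threshold of bytes (the minfrag idea), and pull the quoted IP header plus 8 bytes out of an ICMP destination unreachable message to recover the original connection's addresses and ports. The packets are constructed by hand and their checksums are left at zero, since nothing here verifies them; the threshold of 128 is an assumption, not Snort's default.

```python
"""Decode a raw IPv4 datagram far enough to answer two FAQ questions: is this
a suspiciously small fragment (minfrag), and which connection does an ICMP
destination-unreachable message refer to?

Added example, not Snort's decoder. Packets are constructed below. The ICMP
one follows RFC 792: the quoted data is the offending datagram's IP header
plus its first 8 bytes, which for TCP/UDP holds both port numbers.
"""
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def ip_header(raw):
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HDR, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_len": total_len,
        "mf": bool(flags_frag & 0x2000),           # More Fragments bit
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset field is in 8-byte units
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": raw[ihl:total_len],
    }


def minfrag_alert(raw, threshold=128):
    """True if the datagram is a fragment carrying fewer than `threshold`
    bytes after its IP header. Unfragmented datagrams never alert."""
    h = ip_header(raw)
    is_fragment = h["mf"] or h["frag_offset"] > 0
    return is_fragment and len(h["payload"]) < threshold


def decode_unreachable(raw):
    """For an ICMP type 3 message return its code and the 5-tuple of the
    datagram it quotes; None for anything that is not ICMP unreachable."""
    outer = ip_header(raw)
    if outer["proto"] != 1:
        return None
    icmp = outer["payload"]
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        return None
    quoted = icmp[8:]          # after type, code, checksum and the unused word
    inner = ip_header(quoted)  # the original datagram's header ...
    sport, dport = struct.unpack("!HH", inner["payload"][:4])  # ... and its ports
    return {"code": code, "proto": inner["proto"], "src": inner["src"],
            "sport": sport, "dst": inner["dst"], "dport": dport}


def build_ip(src, dst, proto, payload, flags_frag=0, ident=1):
    """Assemble a minimal IPv4 datagram (checksum left at zero)."""
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


# Constructed: first fragment (MF set, offset 0) of a TCP segment carrying only
# 8 bytes, i.e. just the ports and sequence number, the classic tiny fragment.
TINY_FRAG = build_ip("10.1.1.5", "192.168.1.10", 6,
                     struct.pack("!HHI", 1034, 80, 0), flags_frag=0x2000)

# Constructed: a UDP probe to port 12345, and the "port unreachable"
# (type 3, code 3) reply quoting the probe's IP header plus 8 bytes.
PROBE = build_ip("10.1.1.5", "192.168.1.10", 17,
                 struct.pack("!HHHH", 1034, 12345, 15, 0) + b"payload")
ICMP_UNREACH = build_ip("192.168.1.10", "10.1.1.5", 1,
                        bytes([3, 3]) + b"\x00\x00" + b"\x00\x00\x00\x00" + PROBE[:28])
```

decode_unreachable() is why a sensor in front of a firewall that rejects with ICMP sees so many of these: each one names the blocked connection's destination port, and the source address of the quoted datagram is the host that tried it.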

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does building snort complain about missing references?

A: You must install the libpcap headers as well as the library; libpcap's
   Makefile does this with the install-incl target (make install-incl).

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does building snort fail with errors about yylex and lex_init?

A: You need the lex and yacc tools or their gnu equivalents
   flex and bison installed.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What is the use of the "-r" switch to read tcpdump files? 

A: Used in conjunction with a snort rules file, the tcpdump data can be
   analyzed for hostile content, port scans, or anything else Snort can be used
   to detect.  Snort can also just simply display the packets in their decoded
   format, which many people find is easier to read than native tcpdump
   output. 

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I get Snort to log the packet payload as well as the header? 

A: Use the "-d" command line option.  

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Does Snort log the full packets that it generates alerts on? 

A: Yes, they should be in the directory named after the IP address of the
   source host of the packet which generated the alert (when logging in the
   default decoded text format rather than binary).

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the program generate alerts on packets that have pass rules? 

A: The default order that the rules are applied in is alert rules first, then
   pass rules, then log rules.  This ordering ensures that you don't write 50
   great alert rules and then disable them all accidentally with an errant
   pass rule.  If you really want to change this order so that the pass rules
   are applied first, use the "-o" command line switch.  
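An added illustration of that ordering (not Snort's rule engine): a deliberately tiny rule model with an action, a protocol, an exact source host or "any", and a destination port or "any", with no content options. The rules and packets are constructed. It shows the same packet being alerted on under the default order and silently passed under the -o order.

```python
"""Rule order: why a packet can match a pass rule and still be alerted on.

Added illustration, not Snort's rule engine. Rules are just an action, a
protocol, an exact source host (or "any") and a destination port (or "any").
Packets and rules are constructed.
"""

DEFAULT_ORDER = ("alert", "pass", "log")   # what Snort does unless told otherwise
PASS_FIRST = ("pass", "alert", "log")      # what the -o switch selects


class Rule:
    def __init__(self, action, proto, src, dport, msg):
        self.action, self.proto, self.src, self.dport, self.msg = action, proto, src, dport, msg

    def matches(self, pkt):
        return (pkt["proto"] == self.proto
                and self.src in ("any", pkt["src"])
                and self.dport in ("any", pkt["dport"]))


def apply_rules(pkt, rules, order=DEFAULT_ORDER):
    """Return (action, msg) for the packet. Rules are grouped by action and the
    action classes are consulted in `order`; the first match in the first class
    that has any match decides. A pass rule therefore only shadows an alert
    rule when the pass class is consulted before the alert class."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(pkt):
                return action, rule.msg
    return "none", None


# Constructed ruleset: a broad web alert, a pass rule for a trusted scanner,
# and a catch-all log rule.
RULES = [
    Rule("alert", "tcp", "any", 80, "WEB-CGI something noisy"),
    Rule("pass", "tcp", "10.1.1.5", "any", "trusted vulnerability scanner"),
    Rule("log", "tcp", "any", "any", "everything else"),
]


def packet(src, dport, proto="tcp"):
    return {"proto": proto, "src": src, "dport": dport}


def compare(pkt, rules=RULES):
    """The decision both ways: default order and -o order."""
    return {"default": apply_rules(pkt, rules)[0],
            "with -o": apply_rules(pkt, rules, PASS_FIRST)[0]}
```

Traffic from the trusted scanner to port 80 matches both the alert rule and the pass rule: under the default order the alert class is consulted first, so it alerts; with -o the pass class wins and the packet is dropped from further consideration. Everything else is decided the same way under both orders.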

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Does Snort perform TCP stream reassembly? 

A: Yes, this capability is in BETA testing with the 1.7 release. 

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: SMB alerts aren't working, what's wrong? 

A: Make sure you include "--enable-smbalerts" when you run "./configure". 
 

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How can I test snort without having an ethnernet card or a connection to
   other computers? 

A: You have to use routing between two dummy devices: 


	modprobe -a dummy (the dummy device must be available as a kernel module) 

	ifconfig dummy0 192.168.0.1 

	ifconfig dummy0:0 192.168.0.2 

	telnet 192.168.0.3 12345

   It's important that the second IP is on the same interface and not e.g.
   dummy1 or dummy2 and that the IP you try to access is *not* one of those you
   put on the interfaces.  Use snort's ability to listen in promiscuous mode
   on an IP address range (HOME_NET 192.168.0.0/16).

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I'm having problems getting snort to log to a database...

A: There were some issues with database writes in snort 1.6.3.

   Lee wrote..
   > > Initializing rule chains...
   > > log_database: Database type is mysql
   > > log_database: Database name is snort
   > > log_database: Host set to localhost
   > > log_database: User set to root
   > > Problem obtaining SENSOR ID (sid) from mysql->snort->event

   In version 1.6.3, it turns out that many people have seen this error
   because they did not compile in support for their database. It should 
   be fixed in snort 1.7

   A quick and easy "fix" for older snort versions is to add -lm to
   either LIBS or LDFLAGS in the Makefile. e.g.

   LIBS = -lm -lmysqlclient -lpcap -lsocket -lnsl

   Anyway, if you are still having this problem you can take a look at
   the updated installation and configuration information at the
   following web site.

   http://www.incident.org/snortdb

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where do I get more help on snort?

A: http://lists.sourceforge.net/mailman/listinfo/snort-users

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How to start snort as a win32 service?

A: Service support has been added to snort-1.6.3-patch2
   You can download the binary from:
   http://www.datanerds.net/~mike/dev/snort-1.6.3-patch2-service.zip
   
   Right now there is only a binary available. 
   
   Snort Service FAQ:
   
   1) You must use complete paths for everything. This means EVERYTHING.
   Command line, configuration files, everything. Examples:
   All include statements must be full paths. I.E. 'include scan-lib'
   is WRONG. 'include C:\snort\scan-lib' is CORRECT.
   All Command line options must be full paths. I.E. 'snort.exe -l
   ./log' is WRONG. 'snort.exe -l C:\snort\log' is CORRECT.
   
   2) YOU MUST ALWAYS HAVE A LOGGING DIRECTORY SET VIA THE COMMAND
   LINE(-l switch). If you do not set a logging directory the service
   will not start and, on NT/Win2k,  your bootup will hang for about 4
   minutes.
   
   3) How to install the snort service.
   Run snort like you would via command line but add a '-I'. I.E.
   'snort.exe -c snort-lib -l ./log -h 192.168.1.0/24 -s' turns into
   'snort.exe -c C:\snort\snort-lib -l C:\snort\log -h 192.168.1.0/24 -s
   -I'
   YOU MUST USE COMPLETE PATHS FOR ALL FILES/DIRECTORIES.
   NOTE: You do NOT need to add the -D option to the command line when
   you install the service. If -D is not there it will automatically be
   added.
   
   4) How to remove the snort service.
   Run 'snort -R'.
   
   5) Does the Service run on 9x/ME?
   Yes. It uses a horrible hack to get it to work. Because of this when
   you boot up you will see a black command prompt window for about 5
   seconds before snort goes to the background. This service mode is
   considered a horrible hack and probably will not work in every
   situation.
   
   6) What functions are supported by the NT service?
   Start and Stop currently. Pause and Resume will be implemented later
   (Code already exists but not working properly).
   
   Any questions, comments, flames please email mike at ...92...
   
   
   
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I process those snort logs into HTML reports?

A1: One popular solution is SnortSnarf, a tool for producing HTML 
    out of snort alerts for navigating through these alerts 
    (and doing a whole lot more). 
    http://www.silicondefense.com/snortsnarf/

A2: If you want to set up logging to a database you could try ACID.
    Some documentation describing the current ACID functionality:

    http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why do certain alerts seem to have 'unknown' IPs in ACID? 

A: The Snort database plug-in only logs packet information into the database
   when an alert is triggered by a rule (signature). Therefore, since alerts
   generated by preprocessors such as portscan and minfrag have no
   corresponding rules, no packet information is logged beyond an entry
   indicating their occurrence. As a consequence, ACID cannot display any
   packet-level (e.g. IP address) information for these alerts. 

   For these particular alerts, certain statistics may show zero unique IP
   addresses, list the IP address as 'unknown', and will not list any packet
   information when decoding the alert. 

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the 'error deleting alert' message occur when attempting to delete
   an alert with ACID? 

A: Most likely the DB user configured in ACID does not have sufficient
   privileges. In addition to those privileges granted to log the alerts into
   the database (INSERT, SELECT), DELETE is also required. 

   This permission related issue can be confirmed by manually inserting a row
   into the database, then trying to delete it. 

   1. login to MySQL with the same credentials (i.e. username, password) as you
      use in ACID. 

   e.g. % mysql -u <username> -p

   2. insert a test row into the event table 

   mysql> INSERT INTO event (sid, cid, signature, timestamp) VALUES (1,1000000, "test", "0");

   (this assumes that you don't already have a row with an event ID=1000000. If
    you do just choose another event id #) 

   3. now delete this newly inserted row 

   mysql> DELETE FROM event WHERE sid=1 AND cid=1000000; 

   If you were not able to delete, this confirms that this is a permission
   problem. Re-login to mysql as root, and issue a GRANT command (giving the
   DELETE permission) to the ACID DB user. 

   e.g. GRANT DELETE on snort.* to acid at ...274...

   (this assumes that my alert database is 'snort', username is 'acid', and
   logging from the 'localhost') 

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: ACID appears to be broken in Lynx 

A: This is a known issue. Lynx mangles some of the form arguments appended to
   the URL. Its resolution is being investigated, but use Netscape, Opera, or
   IE in the mean time. 

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Can priorities be assigned to Alerts using ACID? 

A: The quick answer to this question is no. ACID is at the mercy of the
   underlying database, since Snort doesn't assign priorities, ACID does not
   have priorities. Nevertheless, there are several work-arounds: 

  It is possible to enforce priorities of a sort at the database level by
  writing alerts of different severity to separate databases. For example,
  critical alerts such as buffer overflows can be written to one database,
  while scan alerts can be written to another. Then load two different versions
  of ACID, each pointing to a different instance of the database. 


  With manual intervention Alert Groups (AG) can be used to assign priority.
  Essentially, this strategy entails creating an AG for each severity level and
  manually moving the alerts as they arrive into the appropriate group. 

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: My ACID db connection times-out when performing long operations (e.g.
   deleting a large number of alerts) 

A:  PHP has an internal variable set to limit the length of time a script can
   execute. It is used to prevent poorly written code from executing
   indefinitely. In order to modify the time-out value, examine the
   'max_execution_time' variable found in the 'php.ini' configuration file.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does snort report "Packet loss statistics are unavailable under Linux"?

A:  The Linux IP stack doesn't report lost packet stats.  This may be changing
    in version 2.4 of Linux, but for now you just don't get them.  Try one
    of the BSDs, they work just fine.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What the heck is a SYNFIN scan?

A: SYNFIN scans got their name because both the SYN and FIN flags are set
   in the same packet.  No legitimate TCP implementation sends that
   combination (SYN opens a connection, FIN closes one), so it is used to
   probe hosts and to slip past filters that only look for bare SYNs.


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What about 'SMB Name Wildcard' alerts?

A: Whitehats IDS177
   http://dev.whitehats.com/cgi/test/new.pl/Show?_id=netbios-name-query
   specifies traffic coming from *outside* of your local network.  Allowing
   netbios traffic over public networks is usually very insecure.

   If the rule you are using also refers to ingress traffic only, then it
   would explain why you don't see a lot of false positives.  For anyone
   reading that does see a lot of false positives: if you change your rule
   to reflect the source address as being !$HOME_NET (or whatever variable
   you use to represent your internal network), then you should see most of
   the false positives go away.

   The value of this check is that a default administrative share (C$, ADMIN$
   or some such) has been accessed.  This shouldn't happen in normal use; when
   people want to share files they should be explicitly defining the shares
   and ACLs.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Which takes precedence, commandline or rule file ?

A: The command line always gets precedence over the rules file.  If people
   want to try stuff out quickly without having to manually edit the rules
   file, they should be able to override many things from the command
   line.  

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: My /var/log/snort directory gets very large. What can I do?

A: Try this script to archive the files.

#!/bin/sh
# 
# Logfile rotation script for snort written by jameso at ...557...
# 
# This script is pretty basic. We start out by setting some vars.
# Its job is to rotate the day's logfiles, e-mail you with what 
# it logged, keep one week's worth of uncompressed logs, and also
# keep compressed tgz files of all the logs. It is made to be run
# at midnight every night. This script expects you to have a base
# dir that you keep all of your logs, rule sets etc in. You can 
# see what sub dirs it expects from looking at the var settings
# below.
# 
# Things to note in this script is that we run this script at 12 
# every night, so we want to set the dirdate var to the day the script
# runs minus a day so we label the files with the correct day. We
# then create a dir for the day's logs, move the log files into 
# today's dir. As soon as that is done restart snort so we don't miss
# anything. Then delete any logs that are uncompressed and over a
# week old. Then compress today's logs and archive them away, and
# end up by mailing out the logs to you.
#

# Define where you have the base of your snort install

snortbase=/usr/snort

# Define other vars
# logdir   - Where the logs are kept
# oldlogs  - Where you want the archived .tgz logs kept
# weeklogs - This is where you want to keep a week's worth of log files uncompressed
# dirdate  - Yesterday's date in Month-Day-Year format
# olddirdate - Same format as dirdate, minus a week

logdir=$snortbase/log
oldlogs=$snortbase/oldlogs
weeklogs=$snortbase/weeklogs

# When I first wrote this script, I only ran it on BSD systems. That was a
# mistake, as BSD systems have a date command that apparently lets you walk the
# date back pretty easily. Well, some systems don't have this feature, so I had
# to change the way that dates are done in here. I left in the old way, because
# it is cleaner, and I added in a new way that should be portable. If anyone
# has any problems, just let me know and I will try to fix it.
#
# You have to change the system var to bsd, gnu or other. Set it to bsd if
# your date command supports the "-v" flag, gnu if it supports "-d" (GNU
# coreutils). If you are not sure, set it to other. Note that the "other"
# branch does plain day arithmetic and does not handle month boundaries (on
# the 1st "yesterday" comes out as 0), so prefer bsd or gnu where available.

system=bsd

if [ "$system" = bsd ]
then
 dirdate=`date -v -1d "+%m-%d-%y"`
 olddirdate=`date -v -8d "+%m-%d-%y"`
elif [ "$system" = gnu ]
then
 dirdate=`date -d "1 day ago" "+%m-%d-%y"`
 olddirdate=`date -d "8 days ago" "+%m-%d-%y"`
elif [ "$system" = other ]
then
 month=`date "+%m"`
 yesterday=`expr \`date "+%d"\` - 1`
 eightday=`expr \`date "+%d"\` - 8`
 year=`date "+%y"`

 dirdate=$month-$yesterday-$year
 olddirdate=$month-$eightday-$year
fi

# Create the dir for today's logs.

if [ ! -d "$weeklogs/$dirdate" ]
then
 mkdir -p "$weeklogs/$dirdate"
fi

# Move the log files into today's log dir. This is done with
# a for loop right now, because I am afraid that if a lot is
# logged there may be too many items to move with a "mv *"
# type command. There may be a better way to do this, but I don't
# know it yet.

for logitem in `ls "$logdir"` ; do
 mv "$logdir/$logitem" "$weeklogs/$dirdate"
done

# Kill and restart snort now that the log files are moved.

kill `cat /var/run/snort_fxp0.pid`

# Restart snort in the correct way for you

/usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \
-c /usr/snort/etc/08292k.rules > /dev/null 2>&1

# Delete any uncompressed log files that are over a week old.

if [ -d "$weeklogs/$olddirdate" ]
then
 rm -r "$weeklogs/$olddirdate"
fi

# Compress and save the log files for as long as you want.
# This is done in a sub-shell because we change dirs, and I don't want 
# to do that within the shell that the script runs in.

(cd "$weeklogs"; tar zcvf "$oldlogs/$dirdate.tgz" "$dirdate" > /dev/null 2>&1)

# Mail out the log files for today.

cat "$weeklogs/$dirdate/snort.alert" | mail -s "Snort logs" you at ...558...
cat "$weeklogs/$dirdate/snort_portscan.log" | mail -s "Snort portscan logs" you at ...558...


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Is it possible with snort to add an ipfilter/ipfw rule to a firewall?

A: Yes, with additional software in the contrib directory. But this
   can be dangerous and is not recommended unless you know what you're
   doing.

   Guardian is available and is part of the contrib directory in
   the tarball distribution.

   Guardian is a perl script which uses snort to detect attacks,
   and then uses IPchains to deny any further attacks.

   The Guardian webpage can be found at:
   http://www.chaotic.org/~astevens/Guardian/index.html
   or you can use the mirror,
   http://www.cyberwizards.com/~midnite/Guardian/index.html

   But one caveat... running external binaries can also be a performance
   limiter, and you should read the caution below...

   Christopher Cramer wrote:
   >
   > I'm sure this has been mentioned before in similar discussions, but this
   > feels like a _really_ bad idea.  What if the bad guys realize what is
   > going on and make use of your blocking method as a DoS attack.  All one
   > would have to do is start sending a series of triggering packets with spoofed
   > IP addresses.
   >
   > Since I am no longer interested in breaking into your site, but rather
   > making your life hell, I don't worry about the resulting data getting back
   > to me.  All I have to do is start proceeding up a list of IP addresses
   > that I think you should no longer be able to talk to.  When you come in
   > the next morning, you find that you can no longer access the world.
   >
   > Just my $0.02.
   >                         
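
An added example (not Guardian's code and not part of the FAQ) of the two safeguards a practitioner would put between an alert and a firewall rule if they did automate blocking anyway: a never-block list for addresses the site cannot afford to lose, and a cap on blocks issued per time window so a flood of spoofed triggers stalls instead of walking through the address list. The class, its parameters and the simulated scenario are all assumptions constructed for the example.

```python
import ipaddress
from collections import deque


class BlockGuard:
    """Gate between IDS alerts and firewall blocks (constructed example)."""

    def __init__(self, never_block, max_blocks, window_seconds):
        # Assumed parameters: CIDR strings that must never be blocked, the
        # maximum number of blocks allowed per window, and the window length.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.max_blocks = max_blocks
        self.window = window_seconds
        self.issued = deque()   # timestamps of blocks actually issued
        self.blocked = set()    # sources currently blocked

    def decide(self, src_ip, now):
        """Return (block?, reason) for an alert from src_ip seen at time now."""
        addr = ipaddress.ip_address(src_ip)
        if any(addr in net for net in self.never_block):
            return False, "never-block list"
        if src_ip in self.blocked:
            return False, "already blocked"
        # Expire block timestamps that have fallen out of the window.
        while self.issued and now - self.issued[0] >= self.window:
            self.issued.popleft()
        if len(self.issued) >= self.max_blocks:
            # Many distinct sources in a short time is what a spoofed-trigger
            # flood looks like: stop blocking and leave it to a human.
            return False, "rate cap hit: suspect spoofed flood, alert only"
        self.issued.append(now)
        self.blocked.add(src_ip)
        return True, "block"


def simulate_spoofed_flood(guard, start=0.0):
    """Constructed scenario from the caution above: triggers walk up a list of
    addresses, starting with the site's own gateway and DNS server. Returns
    the set of sources the guard would actually have blocked."""
    sources = ["192.0.2.1", "192.0.2.53"]                  # gateway, DNS
    sources += [f"203.0.113.{i}" for i in range(1, 21)]    # 20 spoofed sources
    blocked = set()
    for i, src in enumerate(sources):
        ok, _reason = guard.decide(src, start + i)         # one trigger per second
        if ok:
            blocked.add(src)
    return blocked
```

With a never-block list of 192.0.2.0/24 and a cap of 5 blocks per 60 seconds, the simulation blocks only the first five spoofed sources and never touches the gateway or DNS server.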


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How can I run snort on multiple interfaces simultaneously?

A: If you aren't running snort on a linux 2.1.x/2.2.x kernel (with LPF available)
    the only way is to run multiple instances of snort, one instance per
    interface. However, for linux 2.1.x/2.2.x and higher you can use the libpcap
    library with S. Krahmer's patch, which allows you to specify 'any' as the
    interface name. In this case snort will be able to process traffic coming
    in on all interfaces.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong?

A:  You are using an older libpcap version with a recent linux kernel. There should
    be no problem with it as long as your kernel supports the SOCK_PACKET socket type.
    To get rid of the warning message, however, you'll have to upgrade to some recent
    version of libpcap (a copy from www.tcpdump.org is recommended).


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: IP address is assigned dynamically to my interface, can I use snort with it?

A:  Yes. With snort 1.7 and later, the <interface>_ADDRESS variable is available.
    The value of this variable is always set to the IP address/netmask of the
    interface on which you run snort. If the interface goes down and comes up
    again (and an IP address is reassigned) you will have to restart snort. For
    earlier versions of snort numerous scripts to achieve the same result are
    available.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: on HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument

A:  It's because there's another program running that is using the DLPI service.
    The HP-UX implementation doesn't allow more than one libpcap program
    to run at a time, unlike Linux. (from snort.c)

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I am getting snort dying with 'can not create file' error and I have plenty of diskspace, what's wrong?

A:  You may have run out of free inodes, which also means you cannot
    create more files on the partition. The obvious solution is to rm some ;-)

-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net