[Snort-users] confuse with alerts file

maku bex maku_bexs at ...131...
Tue Sep 28 20:03:18 EDT 2004


Thanks for replying...
The scenario is I have one box installed with
snort, and I'm trying to deploy snort onto another box as
well; the configuration is the same:
[snort.conf]
[Unix flavours should use this format...]
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql,

For both snort instances I run this command:
snort -qbID -i eth0 -c /etc/snort/snort.conf -u snort
-g snort m 007

For box one, it generates the alert file:
tail -f /var/log/snort/alert

Sep 29 09:53:00 src at ...12493... snort: [1:2000328:3]
BLEEDING-EDGE Multiple Non-SMTP Server Emails
[Classification: Misc activity] [Priority: 3]: <eth0>
{TCP} x.x.x.x:1138 -> x.x.x.x:25
Sep 29 09:53:04 src at ...12493... snort: [1:2000328:3]
BLEEDING-EDGE Multiple Non-SMTP Server Emails
[Classification: Misc activity] [Priority: 3]: <eth0>
{TCP} x.x.x.x:1144 -> x.x.x.74:25

But for the second one, like I said, there is no alert file
in /var/log/snort/, which I don't quite understand
here... I guess snort is not running, so I tail
the messages log:

ping www.google.com
tail -f /var/log/messages
it gives me the output:
Sep 29 10:48:21 vmware snort: Warning: flowbits key
'tls1.server_hello.request' is checked but not ever
set.
Sep 29 10:48:21 vmware snort: Warning: flowbits key
'tls.client_hello.request' is checked but not ever
set.
Sep 29 10:48:22 vmware snort: Snort initialization
completed successfully
Sep 29 10:38:28 vmware snort: [1:408:5] ICMP Echo
Reply [Classification: Misc activity] [Priority: 3]:
<eth0> {ICMP} 216.239.39.99 -> 192.168.0.35

Any ideas?



--- Bamm Visscher <bamm.visscher at ...11827...> wrote:

> Yes, he is LOGing to binary (I see the -b option), but he is ALERTing
> to something else. If you do NOT define an alert output in your
> snort.conf or on the cmd line, but use -b on the command line, you
> will ALERT to /var/log/snort/alert and LOG to snort.log.########. LOG
> and ALERT are two separate facilities. One switch CANNOT affect them
> both.  In my previous response, my guess was that he is using "output
> database: alert, blah" in his snort.conf on the second machine and
> "output database: log" on the original.  I just reread his post
> though, and I think he is saying he sees alert data in
> /var/log/messages (it's a hard post to follow), so he must have turned
> on the ALERT_SYSLOG function in his snort.conf on the second machine
> or is using switches not included in his original post.
> 
> Maku,
> 
> Can you send the exact cmd line switches and output
> of `grep '^output'
> snort.conf` to the list?
> 
> Bammkkkk
>  
> 
> 
> On Tue, 28 Sep 2004 15:15:45 -0400, Esler, Joel - Contractor
> <joel.esler at ...9426...> wrote:
> > In the default setup, if you log to binary it /will not/ generate the
> > ascii mode, however, maku says that the log files being produced are
> > snort.log.###..  This is indicative of binary logging mode.
> > 
> > J
> > 
> > 
> > 
> > -----Original Message-----
> > From: Bamm Visscher [mailto:bamm.visscher at ...11827...]
> > Sent: Tuesday, September 28, 2004 3:07 PM
> > To: Esler, Joel - Contractor
> > Cc: maku bex; snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] confuse with alerts file
> > 
> > Comments inline.
> > 
> > On Tue, 28 Sep 2004 12:06:54 -0400, Esler, Joel - Contractor
> > <joel.esler at ...9426...> wrote:
> > > Because you are using the -b option (binary logging) it is logging
> > > into pcap format.  Remove the -b to generate an alert file.  However,
> > > -b is much more useful if you are familiar with Tcpdump or ethereal.
> > >
> > > Joel
> > >
> > 
> > No, that is not correct. The -b (binary logging) option has nothing to
> > do with an alert file being generated.  I am not sure why the output
> > facilities are so misunderstood, but here again is an explanation.
> > 
> > Snort has two output facilities: alert and log. The default plugin for
> > the alert facility is ALERT_FULL and the default log facility is
> > LOG_ASCII. ALERT_FULL is your std alert output to the /var/log/alert
> > file, while LOG_ASCII writes packet data in ascii format to directories
> > and files based on ip address/protos/ports/etc.  The -b option changes
> > the default behavior of the log facility only (to LOG_PCAP).
> > 
> > >
> > >
> > > -----Original Message-----
> > > From: snort-users-admin at lists.sourceforge.net
> > > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of maku bex
> > > Sent: Monday, September 27, 2004 8:06 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] confuse with alerts file
> > >
> > > I've just started with snort.....the sensor was running
> > > fine lately.....
> > > but sometimes.....when I'm trying to play around with
> > > it on another new box.....the snort itself
> > > does not generate any output into the alerts file, which is
> > > located in /var/log/snort
> > > FYI, I usually use this configuration...
> > > [snort.conf]
> > > output database: log, mysql,
> > >
> > > and I run with this command...
> > > snort -qbID -i eth0 -c /etc/snort/snort.conf -u snort
> > > -g snort m 007
> > >
> > > then I cd to /var/log/snort/
> > > what I'm confused about is there's no alerts file here,
> > > only snort.log.something
> > > so I tail the messages log in /var/log/ ; yes, snort
> > > can see packets going through....
> > > but why does it not generate the alerts file like on
> > > the 1st box...?
> > > can anyone help me out....
> > 
> > Sounds like you may have your database output plugin set to use the
> > alert facility (output database: alert VERSUS output database: log). I'd
> > double check that.
> > 
> > Bammkkkk
> > 
> > --
> > sguil - The Analyst Console for NSM
> > http://sguil.sf.net
> > 
> 
> 
> 
> -- 
> sguil - The Analyst Console for NSM
> http://sguil.sf.net
> 
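Bamm's explanation of the two output facilities can be checked mechanically. The POSIX shell script below is an added example, not code from the thread or from the Snort project: it classifies each `output` line of a snort.conf into the alert or log facility the way he describes, and reports whether the default ALERT_FULL alert file should still be expected. The two config files it writes are constructed samples, not the poster's real files.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): sort snort.conf
# `output` lines into Snort's two facilities, alert and log.

# Print "<facility> <plugin>" for every line that starts with "output".
classify_outputs() {
    grep '^output' "$1" | while IFS= read -r line; do
        plugin=$(printf '%s\n' "$line" | sed 's/^output[[:space:]]*//; s/[[:space:]:].*//')
        args=$(printf '%s\n' "$line" | sed -n 's/^[^:]*:[[:space:]]*//p')
        case "$plugin" in
            alert_*) echo "alert $plugin" ;;   # alert_syslog, alert_full, alert_fast ...
            log_*)   echo "log $plugin" ;;     # log_ascii, log_tcpdump, log_unified ...
            database)
                # the database plugin's first argument names the facility it serves
                echo "$(printf '%s\n' "$args" | sed 's/[[:space:],].*//') $plugin" ;;
            *)       echo "unknown $plugin" ;;
        esac
    done
}

# "yes" when no alert plugin is configured, so Snort keeps its default
# ALERT_FULL output (the /var/log/snort/alert file in the poster's setup);
# "no" otherwise. -b only redirects the log facility, so it never changes this.
alert_file_expected() {
    if classify_outputs "$1" | grep -q '^alert '; then echo no; else echo yes; fi
}

# Constructed sample configs (assumed paths, not the poster's real files).
WORK=$(mktemp -d)
BOX1_CONF="$WORK/box1.conf"; BOX2_CONF="$WORK/box2.conf"
cat > "$BOX1_CONF" <<'EOF'
# only the log facility is redirected: alerts still go to the alert file
output database: log, mysql, user=snort dbname=snort host=localhost
EOF
cat > "$BOX2_CONF" <<'EOF'
# alert facility handed to syslog and the database: no alert file expected
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort dbname=snort host=localhost
EOF

for conf in "$BOX1_CONF" "$BOX2_CONF"; do
    echo "== $conf"; classify_outputs "$conf"
    echo "alert file expected: $(alert_file_expected "$conf")"
done
```

Run it against a real sensor by pointing the functions at /etc/snort/snort.conf; the output is the same information `grep '^output' snort.conf` gives, with each plugin labelled by the facility it takes over.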



		
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com




More information about the Snort-users mailing list