[Snort-users] snort 2.9.4.6 not logging

Maged Shenouda maged67 at ...125...
Thu Jul 18 14:28:09 EDT 2013


Here is the snort.conf file configuration

ipvar HOME_NET 192.168.0.0/24
ipvar EXTERNAL_NET any
ipvar SMTP_SERVERS $HOME_NET
 
and so on... I don't think the format is wrong?
 

 
> Date: Thu, 18 Jul 2013 13:55:36 -0400
> From: wkitty42 at ...14940...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> 
> On 7/18/2013 13:38, Maged Shenouda wrote:
> > Snort logging is still not working even after removing the -A -b parameters
> >
> > Any other clue?
> 
> looking at the reply below... what is your HOME_NET set to?? have you fixed it 
> to accurately cover your actual protected network(s)??
> 
> > --------------------------------------------------------------------------------
> > From: jesler at ...1935...
> > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> > Date: Thu, 18 Jul 2013 11:55:25 -0400
> > To: maged67 at ...125...
> >
> > No, it looks like you have something messed up in your HOME_NET
> >
> >
> > On Jul 18, 2013, at 11:48 AM, Maged Shenouda <maged67 at ...125...
> > <mailto:maged67 at ...125...>> wrote:
> >
> >     Also when snort started, it checked the black list rules and here is part of
> >     system log
> >
> >     Jul 18 11:17:29 mm-proxy snort[10868]:     Processing whitelist file /etc/snort/rules/white_list.rules
> >     Jul 18 11:17:29 mm-proxy snort[10868]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0  (from file /etc/snort/rules/white_list.rules)
> >     Jul 18 11:17:29 mm-proxy snort[10868]:     Processing blacklist file /etc/snort/rules/black_list.rules
> >     Jul 18 11:17:29 mm-proxy snort[10868]:       (22) =>  Invalid IP Address: alert udp $HOME_NET any ->  any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)
> >     Jul 18 11:17:29 mm-proxy snort[10868]:       (23) =>  Invalid IP Address: alert udp $HOME_NET any ->  any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)
> >
> >     is there something wrong with the black list rules ??
> >
> >     --------------------------------------------------------------------------------
> >     Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >     From: jesler at ...1935... <mailto:jesler at ...1935...>
> >     Date: Wed, 17 Jul 2013 12:02:40 -0400
> >     CC: snort-users at lists.sourceforge.net
> >     To: maged67 at ...125... <mailto:maged67 at ...125...>
> >
> >     Remove your “-A full -b” from your command line. Those are overriding your
> >     unified2 output line in your snort.conf.
> >
> >
> >     On Jul 17, 2013, at 11:19 AM, Maged Shenouda <maged67 at ...125...
> >     <mailto:maged67 at ...125...>> wrote:
> >
> >         I properly configured the snort.conf and installed all the source files
> >         for snort, barnyard2, daq...
> >         The problem is when I run the snort from the console, I can see that it
> >         is working fine but when I run the snort to read the snort.conf it
> >         doesn't save the log file at all
> >
> >         /usr/local/bin/snort -A full -b -d -D -i eth0 -u snort -g snort -c
> >         /etc/snort/snort.conf -l /var/log/snort
> >
> >         and of course, since there are no log files, barnyard2 reads an empty file
> >         and does not transfer it to mysql
> >
> >         I am using SUSE Linux Enterprise 11 SP1 64bit. Really need your help with
> >         this one
> >
> >         Thanks
> 
> 
> 
> -- 
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
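The two things the replies above keep pointing at, the HOME_NET definition and the contents of the reputation preprocessor's black_list.rules, are both plain text that can be sanity-checked before Snort is started. The following Python script is an added example written for this page; it is not code from the thread, from Snort, or from the Snort team. It assumes the reputation list format Snort 2.9.x documents for white_list.rules/black_list.rules (one IP address or CIDR block per line, `#` starts a comment) and the `ipvar NAME VALUE` syntax shown in the poster's snort.conf, where VALUE may be `any`, a CIDR, a `$VAR` reference, or a bracketed comma-separated list with optional `!` negation. The sample file contents below are constructed for the example; the rule line in the blacklist sample mirrors what the poster's syslog shows being rejected as "Invalid IP Address".

```python
"""Pre-flight checks for a Snort 2.9.x reputation list and snort.conf ipvars.

Added example (not from the Snort project). Assumes:
  * reputation list files hold one IP/CIDR per line, '#' comments allowed;
  * ipvar values are 'any', a CIDR, '$VAR', or '[a,b,!c]' lists.
"""
import ipaddress
import re

# Constructed sample: someone pasted Snort rules into the reputation
# blacklist (which only accepts addresses), plus one malformed address.
SAMPLE_BLACKLIST = """\
# reputation preprocessor blacklist (constructed sample)
203.0.113.0/24
198.51.100.7
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request ..."; sid:23802; rev:2;)
10.0.0.256
"""

# Constructed sample mirroring the ipvar lines quoted in the thread.
SAMPLE_CONF = """\
ipvar HOME_NET 192.168.0.0/24
ipvar EXTERNAL_NET any
ipvar SMTP_SERVERS $HOME_NET
"""


def check_reputation_list(text):
    """Validate a white_list/black_list file.

    Returns (networks, errors): the parsed ip_network objects and a list of
    (line_number, message) for lines Snort would reject, e.g. rule text.
    """
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR (e.g. 10.1.2.3/24)
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            errors.append((lineno, "Invalid IP Address: %s" % entry))
    return networks, errors


def _split_list(value):
    """Turn 'x', or '[x,y,!z]', into a list of items."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [v.strip() for v in value.split(",") if v.strip()]


def check_ipvars(conf):
    """Validate every 'ipvar NAME VALUE' line in a snort.conf fragment.

    Returns (defined, errors): a dict of variable name -> raw value, and a
    list of (line_number, message) for bad CIDRs or references to variables
    that are not defined earlier in the file.
    """
    defined, errors = {}, []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        m = re.match(r"^\s*ipvar\s+(\w+)\s+(.+?)\s*$", raw)
        if not m:
            continue
        name, value = m.groups()
        for item in _split_list(value):
            item = item.lstrip("!")            # '!' negation is fine
            if item == "any":
                continue
            if item.startswith("$"):
                if item[1:] not in defined:
                    errors.append((lineno, "%s: undefined variable %s" % (name, item)))
                continue
            try:
                ipaddress.ip_network(item, strict=False)
            except ValueError:
                errors.append((lineno, "%s: invalid address %s" % (name, item)))
        defined[name] = value
    return defined, errors


def home_net_is_any(defined):
    """True when HOME_NET resolves to 'any', which makes !$HOME_NET empty and
    silently neutralises every rule written as $HOME_NET -> $EXTERNAL_NET."""
    value = defined.get("HOME_NET", "").strip()
    while value.startswith("$"):
        value = defined.get(value[1:], "").strip()
    return value == "any"


if __name__ == "__main__":
    nets, errs = check_reputation_list(SAMPLE_BLACKLIST)
    print("blacklist: %d valid entries" % len(nets))
    for lineno, msg in errs:
        print("  (%d) => %s" % (lineno, msg))
    defined, errs = check_ipvars(SAMPLE_CONF)
    for lineno, msg in errs:
        print("  snort.conf line %d: %s" % (lineno, msg))
    if home_net_is_any(defined):
        print("  warning: HOME_NET is 'any'")
```

Run it against the real files (`check_reputation_list(open('/etc/snort/rules/black_list.rules').read())`) before starting the daemon; a rule line in the reputation list is reported with the same line number Snort prints in the `(22) => Invalid IP Address` syslog message, which makes it easy to confirm that a rules file was copied over the reputation list by mistake.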