[Snort-users] snort 2.9.4.6 not logging

waldo kitty wkitty42 at ...14940...
Thu Jul 18 20:47:02 EDT 2013


On 7/18/2013 14:28, Maged Shenouda wrote:
> Here is the snort.conf file configuration
>
> ipvar HOME_NET 192.168.0.0/24
> ipvar EXTERNAL_NET any
> ipvar SMTP_SERVERS $HOME_NET
>
> and so on,,,, don't think the format is worng?

you are correct... but wait! what are the names of your blacklist and whitelist 
files as defined for the reputation processor? there is known confusion between 
(EG:) GID:1 blacklist.rules and reputation processor black_list.rules files and 
that is exacerbated when both sets reside in the same directory...

the ones for the reputation processor are in simple IP and/or IP/CIDR format 
whereas the others are in the standard text rules format... looking closer at 
the error message, it specifically states "invalid IP address" which leads me to 
believe that the file name(s) for your reputation processor are incorrect...

so, check your snort.conf at the reputation processor and see what those file 
names are that are specified there... then make sure that those names are /not/ 
included in the list of rules files at the bottom of snort.conf...

[HINT: more specifically, one set of file names has an underscore '_' in it and 
the other does not... watch for this and do not get confused by it...

RECOMMENDATION: name the files specific to the reputation processor to something 
significantly different than the normal textual blacklist rules file... maybe 
RPP_black.rules and RPP_white.rules where RPP stands for Reputation 
Preprocessor... anything that is different from the others and will alleviate 
the confusion]


>  > Date: Thu, 18 Jul 2013 13:55:36 -0400
>  > From: wkitty42 at ...14940...
>  > To: snort-users at lists.sourceforge.net
>  > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  >
>  > On 7/18/2013 13:38, Maged Shenouda wrote:
>  > > Snort logging still not working evev after rmoving the -A -b parameters
>  > >
>  > > Any other clue?
>  >
>  > looking at the reply below... what is your HOME_NET set to?? have you fixed it
>  > to accurately cover your actual protected network(s)??
>  >
>  > >
> --------------------------------------------------------------------------------
>  > > From: jesler at ...1935...
>  > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  > > Date: Thu, 18 Jul 2013 11:55:25 -0400
>  > > To: maged67 at ...125...
>  > >
>  > > No, it looks like you have something messed up in your HOME_NET
>  > >
>  > >
>  > > On Jul 18, 2013, at 11:48 AM, Maged Shenouda <maged67 at ...125...
>  > > <mailto:maged67 at ...125...>> wrote:
>  > >
>  > > Also when snort started, it checked the black list rules and here is part of
>  > > system log
>  > >
>  > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing whitelist file
> /etc/snort/rules/white_list.rules
>  > > Jul 18 11:17:29 mm-proxy snort[10868]: Reputation entries loaded: 0,
> invalid: 0, re-defined: 0 (from file /etc/snort/rules/white_list.rules)
>  > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing blacklist file
> /etc/snort/rules/black_list.rules
>  > > Jul 18 11:17:29 mm-proxy snort[10868]: (22) => Invalid IP Address: alert
> udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware
> domaindatajunction.org <http://datajunction.org/> - Gauss "; flow:to_server;
> byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only;
> metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
> service dns; reference:url,gauss.crysys.hu/ <http://gauss.crysys.hu/>;
> reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan
> <http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan>;
> classtype:trojan-activity; sid:23802; rev:2;)
>  > > Jul 18 11:17:29 mm-proxy snort[10868]: (23) => Invalid IP Address: alert
> udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware
> domainguest-access.net <http://guest-access.net/> - Gauss "; flow:to_server;
> byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only;
> metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
> service dns; reference:url,gauss.crysys.hu/ <http://gauss.crysys.hu/>;
> reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan
> <http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan>;
> classtype:trojan-activity; sid:23799; rev:2;)
>  > >
>  > > is there something wrong with the black list rules ??
>  > >
>  > >
> --------------------------------------------------------------------------------
>  > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  > > From: jesler at ...1935... <mailto:jesler at ...1935...>
>  > > Date: Wed, 17 Jul 2013 12:02:40 -0400
>  > > CC: lists.sourceforge.net <http://lists.sourceforge.net>
>  > > snort-users at lists.sourceforge.net <mailto:snort-users at lists.sourceforge.net>
>  > > To: maged67 at ...125... <mailto:maged67 at ...125...>
>  > >
>  > > Remove your “-A full -b” from your command line. Those are overriding your
>  > > unified2 output line in your snort.conf.
>  > >
>  > >
>  > > On Jul 17, 2013, at 11:19 AM, Maged Shenouda <maged67 at ...125...
>  > > <mailto:maged67 at ...125...>> wrote:
>  > >
>  > > I properly configured the snort.conf and installed all the source files
>  > > for snort, barnyard2, daq...
>  > > The problem is when I run the snort from the console, I can see that it
>  > > is working fine but when I run the snort to read the snort.conf it
>  > > doesn't save the log file at all
>  > >
>  > > /usr/local/bin/snort -A full -b -d -D -i eth0 -u snort -g snort -c
>  > > /etc/snort/snort.conf -l /var/log/snort
>  > >
>  > > and off course since there is no log files, barnyard2 read an empty file
>  > > and does not transfer it so mysql
>  > >
>  > > I am using SUSE Linux Enterprise 11 SP1 64bit. Realy need your help with
>  > > this one
>  > >
>  > > Thanks



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.




More information about the Snort-users mailing list