[Snort-users] snort 2.9.4.6 not logging

Maged Shenouda maged67 at ...125...
Fri Jul 19 13:37:39 EDT 2013


 
> Date: Fri, 19 Jul 2013 13:16:21 -0400
> From: wkitty42 at ...14940...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> 
> On 7/19/2013 09:30, Maged Shenouda wrote:
> > another update, I think the black_list.rules file format is wrong. I changed the
> > file name back as it was and cleared the black_list.rules and restarted snort, I
> > didn't see that error in the system log.
> 
> what do you mean you "cleared" it? which black list file? black_list.rules or 
> blacklist.rules?
The black_list.rules had the same content as blacklist.rules. I cleared the black_list.rules file; there is nothing in it now, it is blank.
> > But back again to the original issue, it is still not logging, when I restarted
> > the snort, it created the file in /var/log/snort but it is 0 byte not recording
> > anything?
> 
> does it see any traffic if you start it directly? stop the daemon instance and 
> then run it straight
> 
>    snort
This one works fine.
> if it starts spitting data all over the screen, then it is seeing traffic...
> 
> then try it like this...
> 
>    snort -c /etc/snort/snort.conf
This one: here are the last couple of lines after it starts, then that's it:

           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
Commencing packet processing (pid=12530)

> if it starts spitting data all over the screen, then it is seeing traffic with 
> your config...
> 
> if either of the above fail, try adding "-k none" to the command line...
> 
>     snort -k none
This one works fine.
> OR
> 
>    snort -c /etc/snort/snort.conf -k none
This one is not working, same result:

           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
Commencing packet processing (pid=12530)

From what I see, snort is not working when it starts loading the snort.conf. Any reason for that?
> and see what happens... then we can go from there...
> 
> >  > Date: Thu, 18 Jul 2013 20:47:02 -0400
> >  > From: wkitty42 at ...14940...
> >  > To: snort-users at lists.sourceforge.net
> >  > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  >
> >  > On 7/18/2013 14:28, Maged Shenouda wrote:
> >  > > Here is the snort.conf file configuration
> >  > >
> >  > > ipvar HOME_NET 192.168.0.0/24
> >  > > ipvar EXTERNAL_NET any
> >  > > ipvar SMTP_SERVERS $HOME_NET
> >  > >
> >  > > and so on... don't think the format is wrong?
> >  >
> >  > you are correct... but wait! what are the names of your blacklist and whitelist
> >  > files as defined for the reputation processor? there is known confusion between
> >  > (EG:) GID:1 blacklist.rules and reputation processor black_list.rules files and
> >  > that is exacerbated when both sets reside in the same directory...
> >  >
> >  > the ones for the reputation processor are in simple IP and/or IP/CIDR format
> >  > whereas the others are in the standard text rules format... looking closer at
> >  > the error message, it specifically states "invalid IP address" which leads me to
> >  > believe that the file name(s) for your reputation processor are incorrect...
> >  >
> >  > so, check your snort.conf at the reputation processor and see what those file
> >  > names are that are specified there... then make sure that those names are /not/
> >  > included in the list of rules files at the bottom of snort.conf...
> >  >
> >  > [HINT: more specifically, one set of file names has an underscore '_' in it and
> >  > the other does not... watch for this and do not get confused by it...
> >  >
> >  > RECOMMENDATION: name the files specific to the reputation processor to something
> >  > significantly different than the normal textual blacklist rules file... maybe
> >  > RPP_black.rules and RPP_white.rules where RPP stands for Reputation
> >  > Preprocessor... anything that is different from the others and will alleviate
> >  > the confusion]
> >  >
> >  >
> >  > > > Date: Thu, 18 Jul 2013 13:55:36 -0400
> >  > > > From: wkitty42 at ...14940...
> >  > > > To: snort-users at lists.sourceforge.net
> >  > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  > > >
> >  > > > On 7/18/2013 13:38, Maged Shenouda wrote:
> >  > > > > Snort logging still not working even after removing the -A -b parameters
> >  > > > >
> >  > > > > Any other clue?
> >  > > >
> >  > > > looking at the reply below... what is your HOME_NET set to?? have you
> > fixed it
> >  > > > to accurately cover your actual protected network(s)??
> >  > > >
> >  > > > >
> >  > >
> > --------------------------------------------------------------------------------
> >  > > > > From: jesler at ...1935...
> >  > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  > > > > Date: Thu, 18 Jul 2013 11:55:25 -0400
> >  > > > > To: maged67 at ...125...
> >  > > > >
> >  > > > > No, it looks like you have something messed up in your HOME_NET
> >  > > > >
> >  > > > >
> >  > > > > On Jul 18, 2013, at 11:48 AM, Maged Shenouda <maged67 at ...125...> wrote:
> >  > > > >
> >  > > > > Also when snort started, it checked the black list rules and here is
> >  > > > > part of the system log
> >  > > > >
> >  > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing whitelist file /etc/snort/rules/white_list.rules
> >  > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /etc/snort/rules/white_list.rules)
> >  > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing blacklist file /etc/snort/rules/black_list.rules
> >  > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (22) => Invalid IP Address: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)
> >  > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (23) => Invalid IP Address: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)
> >  > > > >
> >  > > > > is there something wrong with the black list rules ??
> >  > > > >
> >  > > > >
> >  > >
> > --------------------------------------------------------------------------------
> >  > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  > > > > From: jesler at ...1935...
> >  > > > > Date: Wed, 17 Jul 2013 12:02:40 -0400
> >  > > > > CC: snort-users at lists.sourceforge.net
> >  > > > > To: maged67 at ...125...
> >  > > > >
> >  > > > > Remove your “-A full -b” from your command line. Those are overriding your
> >  > > > > unified2 output line in your snort.conf.
> >  > > > >
> >  > > > >
> >  > > > > On Jul 17, 2013, at 11:19 AM, Maged Shenouda <maged67 at ...125...> wrote:
> >  > > > >
> >  > > > > I properly configured the snort.conf and installed all the source files
> >  > > > > for snort, barnyard2, daq...
> >  > > > > The problem is when I run the snort from the console, I can see that it
> >  > > > > is working fine but when I run the snort to read the snort.conf it
> >  > > > > doesn't save the log file at all
> >  > > > >
> >  > > > > /usr/local/bin/snort -A full -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
> >  > > > >
> >  > > > > and of course since there are no log files, barnyard2 reads an empty file
> >  > > > > and does not transfer it to mysql
> >  > > > >
> >  > > > > I am using SUSE Linux Enterprise 11 SP1 64bit. Really need your help with
> >  > > > > this one
> >  > > > >
> >  > > > > Thanks
> 
> 
> 
> -- 
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
> 
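As an added check that is not part of the thread: a small Python validator that tells a reputation-preprocessor list (IP or IP/CIDR entries only) apart from a text rules file, reproducing the "Invalid IP Address" diagnosis given above. The file names and sample contents are constructed for the demo.

```python
"""Sanity-check the two kinds of "blacklist" files Snort 2.9 uses.

Added example, not from the thread: the reputation preprocessor's
black_list.rules / white_list.rules must contain only IP or IP/CIDR
entries (one per line, '#' comments allowed), while blacklist.rules is a
normal text-rules file.  Pointing the reputation preprocessor at a
text-rules file yields the "(N) => Invalid IP Address: alert udp ..."
messages seen in the thread.  Sample contents below are constructed.
"""
import ipaddress

RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


def classify_reputation_line(line: str):
    """Return ("ok", network), ("comment", None) or ("invalid", reason)."""
    text = line.split("#", 1)[0].strip()  # '#' starts a comment in reputation lists
    if not text:
        return ("comment", None)
    if text.split()[0] in RULE_ACTIONS:
        return ("invalid", "looks like a text rule (wrong file for the reputation preprocessor)")
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return ("invalid", "not an IP address or IP/CIDR block")
    return ("ok", str(net))


def check_reputation_list(contents: str):
    """Return (loaded_entries, [(line_no, reason), ...]) like Snort's load summary."""
    loaded, errors = [], []
    for n, line in enumerate(contents.splitlines(), start=1):
        kind, value = classify_reputation_line(line)
        if kind == "ok":
            loaded.append(value)
        elif kind == "invalid":
            errors.append((n, value))
    return loaded, errors


# Constructed samples: a proper reputation list, and a text-rules file that
# was mistakenly named as the reputation preprocessor's blacklist.
GOOD_LIST = "# reputation preprocessor list\n192.0.2.0/24\n198.51.100.7\n\n203.0.113.9 # comment\n"
WRONG_FILE = 'alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request"; sid:23802; rev:2;)\n10.0.0.1\n'

if __name__ == "__main__":
    for name, data in (("RPP_black.rules", GOOD_LIST), ("black_list.rules", WRONG_FILE)):
        loaded, errors = check_reputation_list(data)
        print(f"{name}: Reputation entries loaded: {len(loaded)}, invalid: {len(errors)}")
        for n, reason in errors:
            print(f"  ({n}) => {reason}")
```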