[Snort-users] snort 2.9.4.6 not logging

waldo kitty wkitty42 at ...14940...
Fri Jul 19 14:22:37 EDT 2013


On 7/19/2013 13:37, Maged Shenouda wrote:
>
>
>  > Date: Fri, 19 Jul 2013 13:16:21 -0400
>  > From: wkitty42 at ...14940...
>  > To: snort-users at lists.sourceforge.net
>  > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  >
>  > On 7/19/2013 09:30, Maged Shenouda wrote:
>  > > another update, I think the black_list.rules file format is wrong. I changed the
>  > > file name back as it was and cleared the black_list.rules and restarted snort, I
>  > > didn't see that error in the system log.
>  >
>  > what do you mean you "cleared" it? which black list file? black_list.rules or
>  > blacklist.rules?
>  >
> The black_list.rules was having the same content as blacklist.rules.
> I cleared the black_list.rules file, there is nothing in it now, it is blank.

ahh! ok... what is the content of the white_list.rules file? is it just the VRT 
header? if so, i'd copy it to the black_list.rules file so that both contain the 
same header and explanation of what they are...

these two are also the ones that i would rename to RPP_* to keep them separated 
from the blacklist.rules file...

>  > > But back again to the original issue, it is still not logging, when I restarted
>  > > the snort, it created the file in /var/log/snort but it is 0 bytes, not recording
>  > > anything?
>  >
>  > does it see any traffic if you start it directly? stop the daemon instance and
>  > then run it straight
>  >
>  > snort
>  >
> this one works fine

so it spits out data about every packet it sees... ok...

>  > if it starts spitting data all over the screen, then it is seeing traffic...
>  >
>  > then try it like this...
>  >
>  > snort -c /etc/snort/snort.conf
>  >
> this one, here are the last couple of lines after it starts, then that's it
> Preprocessor Object: SF_GTP Version 1.1 <Build 1>
> Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
> Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
> Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
> Preprocessor Object: SF_POP Version 1.0 <Build 1>
> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
> Preprocessor Object: SF_SIP Version 1.1 <Build 1>
> Commencing packet processing (pid=12530)

that is fine... it should be logging if there is any traffic for it to alert on...

>  > if it starts spitting data all over the screen, then it is seeing traffic with
>  > your config...
>  >
>  > if either of the above fail, try adding "-k none" to the command line...
>  >
>  > snort -k none
> this one works fine

ok... same as above...

>  > OR
>  >
>  > snort -c /etc/snort/snort.conf -k none
>  >
> this one, not working same result
> Preprocessor Object: SF_GTP Version 1.1 <Build 1>
> Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
> Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
> Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
> Preprocessor Object: SF_POP Version 1.0 <Build 1>
> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
> Preprocessor Object: SF_SIP Version 1.1 <Build 1>
> Commencing packet processing (pid=12530)
> From what I see, snort is not working when it starts loading the snort.conf,
> any reason for that?

actually, my fault in the explanation because i was thinking (without actually 
testing at that point) that it would spit out data on the screen of the traffic 
it saw and alerted on... i wasn't thinking about the output processors defined 
in snort.conf taking over the output... sorry about that...

so... both of the above operations appear to be alright... but, you are still 
not getting any alerts logged, right?

if so then try this which i just posted for someone else a few days ago...

[quote]
you mean like alerting on any traffic? sure... we use the following rules in a 
file named local-test.rules... just like local.rules, put it in place with the 
proper permissions, add it to your snort.conf and restart snort... only let it 
run a minute because it can generate thousands of alerts per second depending on 
your traffic and your machine's capabilities... then edit your snort.conf to 
comment it out or remove it and restart your snort...

----- snip -----
#
# The rules in this file are only to test a snort installation to see if it is seeing any traffic at all.
# These rules should NOT be used all the time. Once tested and working, this rule file should be commented
# out in your snort.conf so that it is not used.
#
#------------------
# LOCAL TEST RULES
#------------------

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)

----- snip -----
[/quote]

after doing the above, you should have all kinds of alerts because the above 
rules simply log all TCP, UDP, IP, and ICMP inbound and outbound traffic so 
pretty much any traffic should fire at least one of the above 8 rules...

>  > and see what happens... then we can go from there...
>  >
>  > > > Date: Thu, 18 Jul 2013 20:47:02 -0400
>  > > > From: wkitty42 at ...14940...
>  > > > To: snort-users at lists.sourceforge.net
>  > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  > > >
>  > > > On 7/18/2013 14:28, Maged Shenouda wrote:
>  > > > > Here is the snort.conf file configuration
>  > > > >
>  > > > > ipvar HOME_NET 192.168.0.0/24
>  > > > > ipvar EXTERNAL_NET any
>  > > > > ipvar SMTP_SERVERS $HOME_NET
>  > > > >
>  > > > > and so on,,,, don't think the format is wrong?
>  > > >
>  > > > you are correct... but wait! what are the names of your blacklist and whitelist
>  > > > files as defined for the reputation processor? there is known confusion between
>  > > > (EG:) GID:1 blacklist.rules and reputation processor black_list.rules files and
>  > > > that is exacerbated when both sets reside in the same directory...
>  > > >
>  > > > the ones for the reputation processor are in simple IP and/or IP/CIDR format
>  > > > whereas the others are in the standard text rules format... looking closer at
>  > > > the error message, it specifically states "invalid IP address" which leads me to
>  > > > believe that the file name(s) for your reputation processor are incorrect...
>  > > >
>  > > > so, check your snort.conf at the reputation processor and see what those file
>  > > > names are that are specified there... then make sure that those names are /not/
>  > > > included in the list of rules files at the bottom of snort.conf...
>  > > >
>  > > > [HINT: more specifically, one set of file names has an underscore '_' in it and
>  > > > the other does not... watch for this and do not get confused by it...
>  > > >
>  > > > RECOMMENDATION: name the files specific to the reputation processor to something
>  > > > significantly different than the normal textual blacklist rules file... maybe
>  > > > RPP_black.rules and RPP_white.rules where RPP stands for Reputation
>  > > > Preprocessor... anything that is different from the others and will alleviate
>  > > > the confusion]
>  > > >
>  > > >
>  > > > > > Date: Thu, 18 Jul 2013 13:55:36 -0400
>  > > > > > From: wkitty42 at ...14940...
>  > > > > > To: snort-users at lists.sourceforge.net
>  > > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  > > > > >
>  > > > > > On 7/18/2013 13:38, Maged Shenouda wrote:
>  > > > > > > Snort logging still not working even after removing the -A -b parameters
>  > > > > > >
>  > > > > > > Any other clue?
>  > > > > >
>  > > > > > looking at the reply below... what is your HOME_NET set to?? have you fixed it
>  > > > > > to accurately cover your actual protected network(s)??
>  > > > > >
>  > > > > > >
>  > > > >
>  > >
> --------------------------------------------------------------------------------
>  > > > > > > From: jesler at ...1935...
>  > > > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  > > > > > > Date: Thu, 18 Jul 2013 11:55:25 -0400
>  > > > > > > To: maged67 at ...125...
>  > > > > > >
>  > > > > > > No, it looks like you have something messed up in your HOME_NET
>  > > > > > >
>  > > > > > >
>  > > > > > > On Jul 18, 2013, at 11:48 AM, Maged Shenouda <maged67 at ...125...> wrote:
>  > > > > > >
>  > > > > > > Also when snort started, it checked the black list rules and here is part of
>  > > > > > > system log
>  > > > > > >
>  > > > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing whitelist file /etc/snort/rules/white_list.rules
>  > > > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /etc/snort/rules/white_list.rules)
>  > > > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing blacklist file /etc/snort/rules/black_list.rules
>  > > > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (22) => Invalid IP Address: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domaindatajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)
>  > > > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (23) => Invalid IP Address: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domainguest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)
>  > > > > > >
>  > > > > > > is there something wrong with the black list rules ??
>  > > > > > >
>  > > > > > >
>  > > > >
>  > >
> --------------------------------------------------------------------------------
>  > > > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  > > > > > > From: jesler at ...1935...
>  > > > > > > Date: Wed, 17 Jul 2013 12:02:40 -0400
>  > > > > > > CC: snort-users at lists.sourceforge.net
>  > > > > > > To: maged67 at ...125...
>  > > > > > >
>  > > > > > > Remove your "-A full -b" from your command line. Those are overriding your
>  > > > > > > unified2 output line in your snort.conf.
>  > > > > > >
>  > > > > > >
>  > > > > > > On Jul 17, 2013, at 11:19 AM, Maged Shenouda <maged67 at ...125...> wrote:
>  > > > > > >
>  > > > > > > I properly configured the snort.conf and installed all the source files
>  > > > > > > for snort, barnyard2, daq...
>  > > > > > > The problem is when I run the snort from the console, I can see that it
>  > > > > > > is working fine but when I run the snort to read the snort.conf it
>  > > > > > > doesn't save the log file at all
>  > > > > > >
>  > > > > > > /usr/local/bin/snort -A full -b -d -D -i eth0 -u snort -g snort -c
>  > > > > > > /etc/snort/snort.conf -l /var/log/snort
>  > > > > > >
>  > > > > > > and of course since there are no log files, barnyard2 reads an empty file
>  > > > > > > and does not transfer it to mysql
>  > > > > > >
>  > > > > > > I am using SUSE Linux Enterprise 11 SP1 64bit. Really need your help with
>  > > > > > > this one
>  > > > > > >
>  > > > > > > Thanks
>  >
>  >
>  >
>  > --
>  > NOTE: No off-list assistance is given without prior approval.
>  > Please keep mailing list traffic on the list unless
>  > private contact is specifically requested and granted.
>  >
>  > ------------------------------------------------------------------------------
>  > See everything from the browser to the database with AppDynamics
>  > Get end-to-end visibility with application monitoring from AppDynamics
>  > Isolate bottlenecks and diagnose root cause in seconds.
>  > Start your free trial of AppDynamics Pro today!
>  > http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>  > _______________________________________________
>  > Snort-users mailing list
>  > Snort-users at lists.sourceforge.net
>  > Go to this URL to change user options or unsubscribe:
>  > https://lists.sourceforge.net/lists/listinfo/snort-users
>  > Snort-users list archive:
>  > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>  >
>  > Please visit http://blog.snort.org to stay current on all the latest Snort news!


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
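Added example, not from this thread or from the Snort project: a small Python checker for the two mix-ups discussed above. First, a reputation preprocessor list (black_list.rules / white_list.rules) that holds text rules instead of one IP or IP/CIDR per line, which is what produces the "Invalid IP Address" lines in the system log. Second, a reputation list file name that is also pulled in by an `include` line at the bottom of snort.conf, so Snort would read it as a text rules file as well. The sample list contents and snort.conf fragment are constructed for this example; treating `#` as a comment marker in the list file is an assumption.

```python
"""Added example (not Snort project code): sanity-check Snort reputation
preprocessor list files and the reputation/include lines of snort.conf.
Sample inputs are constructed for this example."""
import ipaddress
import os
import re

# Action keywords that open a Snort text rule; seeing one in an IP list
# means a text rules file was used where an IP/CIDR list was expected.
RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


def check_reputation_list(text):
    """Validate reputation list contents line by line.

    Returns (valid_networks, problems); problems is a list of
    (line_number, message). Assumption: '#' starts a comment.
    """
    valid, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # assumed comment syntax
        if not entry:
            continue
        if entry.split()[0].lower() in RULE_ACTIONS:
            problems.append((lineno, "text rule found where an IP/CIDR entry was expected"))
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append((lineno, "Invalid IP Address: " + entry))
            continue
        valid.append(str(net))
    return valid, problems


def _logical_lines(text):
    """Join snort.conf lines that are continued with a trailing backslash."""
    parts = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            parts.append(line[:-1])
            continue
        parts.append(line)
        yield " ".join(parts).strip()
        parts = []
    if parts:
        yield " ".join(parts).strip()


def find_reputation_clash(snort_conf):
    """Return (sorted) base names given to 'preprocessor reputation:' that
    also appear in an 'include' line, i.e. files Snort would try to parse
    both as an IP list and as text rules."""
    rep_files, includes = set(), set()
    for line in _logical_lines(snort_conf):
        if line.startswith("preprocessor reputation:"):
            for m in re.finditer(r"\b(blacklist|whitelist)\s+(\S+)", line):
                rep_files.add(os.path.basename(m.group(2).rstrip(",")))
        elif line.startswith("include "):
            includes.add(os.path.basename(line.split(None, 1)[1].strip()))
    return sorted(rep_files & includes)


# Constructed sample: correct entries mixed with a text rule pasted in by
# mistake and a junk line.
SAMPLE_BLACK_LIST = """\
# constructed sample reputation list
192.0.2.0/24
198.51.100.7
# the next line is a text rule, which belongs in blacklist.rules, not here
alert udp $HOME_NET any -> any 53 (msg:"constructed test rule"; sid:1000001; rev:1;)
not-an-ip
"""

# Constructed snort.conf fragment: a stock-style reputation block plus an
# include line that wrongly loads the reputation list as a rules file.
SAMPLE_SNORT_CONF = """\
ipvar HOME_NET 192.168.0.0/24
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/local.rules
include $RULE_PATH/blacklist.rules
include $RULE_PATH/black_list.rules
"""

if __name__ == "__main__":
    ok, bad = check_reputation_list(SAMPLE_BLACK_LIST)
    print("valid entries:", ok)
    for lineno, msg in bad:
        print("line %d: %s" % (lineno, msg))
    print("reputation files also loaded as rules:", find_reputation_clash(SAMPLE_SNORT_CONF))
```

Run it against the real files (read `/etc/snort/rules/black_list.rules` and `/etc/snort/snort.conf` instead of the constructed samples) before restarting snort; an empty problems list and an empty clash list mean the reputation preprocessor will get IP lists and the text rules stay in blacklist.rules, which is the separation the thread recommends.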



