[Snort-users] FW: snort 2.9.4.6 not logging

Maged Shenouda maged67 at ...125...
Tue Jul 23 08:52:56 EDT 2013


 
I copied the test rules to local_test.rules and added the local_test.rules to snort.conf then restarted snort. This time it is logging a lot of alerts, so what is wrong with my configurations??



 
> Date: Fri, 19 Jul 2013 14:22:37 -0400
> From: wkitty42 at ...14940...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> 
> On 7/19/2013 13:37, Maged Shenouda wrote:
> >
> >
> >  > Date: Fri, 19 Jul 2013 13:16:21 -0400
> >  > From: wkitty42 at ...14940...
> >  > To: snort-users at lists.sourceforge.net
> >  > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  >
> >  > On 7/19/2013 09:30, Maged Shenouda wrote:
> >  > > another update, I think the black_list.rules file format is wrong. I changed the
> >  > > file name back as it was and cleared the black_list.rules and restarted snort, I
> >  > > didn't see that error in the system log.
> >  >
> >  > what do you mean you "cleared" it? which black list file? black_list.rules or
> >  > blacklist.rules?
> >  >
> > The black_list.rules was having the same content as blacklist.rules
> > I cleared the black_list.rules file, there is nothing in it now, it is blank
> 
> ahh! ok... what is the content of the white_list.rules file? is it just the VRT 
> header? if so, i'd copy it to the black_list.rules file so that both contain the 
> same header and explanation of what they are...

The white_list.rules and the black_list.rules are both blank
> 
> these two are also the ones that i would rename to RPP_* to keep them separated 
> from the blacklist.rules file...
> 
> >  > > But back again to the original issue, it is still not logging, when I restarted
> >  > > the snort, it created the file in /var/log/snort but it is 0 byte not recording
> >  > > anything?
> >  >
> >  > does it see any traffic if you start it directly? stop the daemon instance and
> >  > then run it straight
> >  >
> >  > snort
> >  >
> > this one works fine
> 
> so it spits out data about every packet it sees... ok...
> 
> >  > if it starts spitting data all over the screen, then it is seeing traffic...
> >  >
> >  > then try it like this...
> >  >
> >  > snort -c /etc/snort/snort.conf
> >  >
> > this one, here are the last couple of lines after it starts, then that's it
> > Preprocessor Object: SF_GTP Version 1.1 <Build 1>
> > Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
> > Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
> > Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
> > Preprocessor Object: SF_POP Version 1.0 <Build 1>
> > Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
> > Preprocessor Object: SF_SIP Version 1.1 <Build 1>
> > Commencing packet processing (pid=12530)
> 
> that is fine... it should be logging if there is any traffic for it to alert on...
> 
> >  > if it starts spitting data all over the screen, then it is seeing traffic with
> >  > your config...
> >  >
> >  > if either of the above fail, try adding "-k none" to the command line...
> >  >
> >  > snort -k none
> > this one works fine
> 
> ok... same as above...
> 
> >  > OR
> >  >
> >  > snort -c /etc/snort/snort.conf -k none
> >  >
> > this one, not working same result
> > Preprocessor Object: SF_GTP Version 1.1 <Build 1>
> > Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
> > Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
> > Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
> > Preprocessor Object: SF_POP Version 1.0 <Build 1>
> > Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
> > Preprocessor Object: SF_SIP Version 1.1 <Build 1>
> > Commencing packet processing (pid=12530)
> >  From what I see, snort is not working when it starts loading the snort.conf,
> > any reason for that?
> 
> actually, my fault in the explanation because i was thinking (without actually 
> testing at that point) that it would spit out data on the screen of the traffic 
> it saw and alerted on... i wasn't thinking about the output processors defined 
> in snort.conf taking over the output... sorry about that...
> 
> so... both of the above operations appear to be alright... but, you are still 
> not getting any alerts logged, right?
> 
> if so then try this which i just posted for someone else a few days ago...
> 
> [quote]
> you mean like alerting on any traffic? sure... we use the following rules in a 
> file named local-test.rules... just like local.rules, put it in place with the 
> proper permissions, add it to your snort.conf and restart snort... only let it 
> run a minute because it can generate thousands of alerts per second depending on 
> your traffic and your machine's capabilities... then edit your snort.conf to 
> comment it out or remove it and restart your snort...
> 
> ----- snip -----
> #
> # The rules in this file are only to test a snort installation to see if it is 
> seeing any traffic at all.
> # These rules should NOT be used all the time. Once tested and working, this 
> rule file should be commented
> # out in your snort.conf so that it is not used.
> #
> #------------------
> # LOCAL TEST RULES
> #------------------
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; 
> classtype:tcp-connection; sid:1; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; 
> classtype:tcp-connection; sid:2; rev:1;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; 
> classtype:unknown; sid:3; rev:1;)
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; 
> classtype:unknown; sid:4; rev:1;)
> alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; 
> classtype:misc-activity; sid:5; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; 
> classtype:misc-activity; sid:6; rev:1;)
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; 
> classtype:icmp-event; sid:7; rev:1;)
> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; 
> classtype:icmp-event; sid:8; rev:1;)
> 
> ----- snip -----
> [/quote]

I copied the above rules to local.rules and added the local.rules to snort.conf then restarted snort. This time it is logging a lot of alerts, so what is wrong with my configurations??
> 
> after doing the above, you should have all kinds of alerts because the above 
> rules simply log all TCP, UDP, IP, and ICMP inbound and outbound traffic so 
> pretty much any traffic should fire at least one of the above 8 rules...
> 
> >  > and see what happens... then we can go from there...
> >  >
> >  > > > Date: Thu, 18 Jul 2013 20:47:02 -0400
> >  > > > From: wkitty42 at ...14940...
> >  > > > To: snort-users at lists.sourceforge.net
> >  > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  > > >
> >  > > > On 7/18/2013 14:28, Maged Shenouda wrote:
> >  > > > > Here is the snort.conf file configuration
> >  > > > >
> >  > > > > ipvar HOME_NET 192.168.0.0/24
> >  > > > > ipvar EXTERNAL_NET any
> >  > > > > ipvar SMTP_SERVERS $HOME_NET
> >  > > > >
> >  > > > > and so on,,,, don't think the format is wrong?
> >  > > >
> >  > > > you are correct... but wait! what are the names of your blacklist and whitelist
> >  > > > files as defined for the reputation processor? there is known confusion between
> >  > > > (EG:) GID:1 blacklist.rules and reputation processor black_list.rules files and
> >  > > > that is exacerbated when both sets reside in the same directory...
> >  > > >
> >  > > > the ones for the reputation processor are in simple IP and/or IP/CIDR format
> >  > > > whereas the others are in the standard text rules format... looking closer at
> >  > > > the error message, it specifically states "invalid IP address" which leads me to
> >  > > > believe that the file name(s) for your reputation processor are incorrect...
> >  > > >
> >  > > > so, check your snort.conf at the reputation processor and see what those file
> >  > > > names are that are specified there... then make sure that those names are /not/
> >  > > > included in the list of rules files at the bottom of snort.conf...
> >  > > >
> >  > > > [HINT: more specifically, one set of file names has an underscore '_' in it and
> >  > > > the other does not... watch for this and do not get confused by it...
> >  > > >
> >  > > > RECOMMENDATION: name the files specific to the reputation processor to something
> >  > > > significantly different than the normal textual blacklist rules file... maybe
> >  > > > RPP_black.rules and RPP_white.rules where RPP stands for Reputation
> >  > > > Preprocessor... anything that is different from the others and will alleviate
> >  > > > the confusion]
> >  > > >
> >  > > >
> >  > > > > > Date: Thu, 18 Jul 2013 13:55:36 -0400
> >  > > > > > From: wkitty42 at ...14940...
> >  > > > > > To: snort-users at lists.sourceforge.net
> >  > > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  > > > > >
> >  > > > > > On 7/18/2013 13:38, Maged Shenouda wrote:
> >  > > > > > > Snort logging still not working even after removing the -A -b parameters
> >  > > > > > >
> >  > > > > > > Any other clue?
> >  > > > > >
> >  > > > > > looking at the reply below... what is your HOME_NET set to?? have you fixed it
> >  > > > > > to accurately cover your actual protected network(s)??
> >  > > > > >
> >  > > > > > >
> >  > > > >
> >  > >
> > --------------------------------------------------------------------------------
> >  > > > > > > From: jesler at ...1935...
> >  > > > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  > > > > > > Date: Thu, 18 Jul 2013 11:55:25 -0400
> >  > > > > > > To: maged67 at ...125...
> >  > > > > > >
> >  > > > > > > No, it looks like you have something messed up in your HOME_NET
> >  > > > > > >
> >  > > > > > >
> >  > > > > > > On Jul 18, 2013, at 11:48 AM, Maged Shenouda <maged67 at ...391...25...
> >  > > > > > > <mailto:maged67 at ...125...>> wrote:
> >  > > > > > >
> >  > > > > > > Also when snort started, it checked the black list rules and here is part of
> >  > > > > > > system log
> >  > > > > > >
> >  > > > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing whitelist file /etc/snort/rules/white_list.rules
> >  > > > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /etc/snort/rules/white_list.rules)
> >  > > > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing blacklist file /etc/snort/rules/black_list.rules
> >  > > > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (22) => Invalid IP Address: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)
> >  > > > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (23) => Invalid IP Address: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)
> >  > > > > > >
> >  > > > > > > is there something wrong with the black list rules ??
> >  > > > > > >
> >  > > > > > >
> >  > > > >
> >  > >
> > --------------------------------------------------------------------------------
> >  > > > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  > > > > > > From: jesler at ...1935... <mailto:jesler at ...1935...>
> >  > > > > > > Date: Wed, 17 Jul 2013 12:02:40 -0400
> >  > > > > > > CC: lists.sourceforge.net <http://lists.sourceforge.net>
> >  > > > > > > snort-users at lists.sourceforge.net
> >  > > <mailto:snort-users at lists.sourceforge.net>
> >  > > > > > > To: maged67 at ...125... <mailto:maged67 at ...125...>
> >  > > > > > >
> >  > > > > > > Remove your “-A full -b” from your command line. Those are overriding your
> >  > > > > > > unified2 output line in your snort.conf.
> >  > > > > > >
> >  > > > > > >
> >  > > > > > > On Jul 17, 2013, at 11:19 AM, Maged Shenouda <maged67 at ...391...25...
> >  > > > > > > <mailto:maged67 at ...125...>> wrote:
> >  > > > > > >
> >  > > > > > > I properly configured the snort.conf and installed all the source files
> >  > > > > > > for snort, barnyard2, daq...
> >  > > > > > > The problem is when I run the snort from the console, I can see that it
> >  > > > > > > is working fine but when I run the snort to read the snort.conf it
> >  > > > > > > doesn't save the log file at all
> >  > > > > > >
> >  > > > > > > /usr/local/bin/snort -A full -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
> >  > > > > > >
> >  > > > > > > and of course since there are no log files, barnyard2 reads an empty file
> >  > > > > > > and does not transfer it to mysql
> >  > > > > > >
> >  > > > > > > I am using SUSE Linux Enterprise 11 SP1 64bit. Really need your help with
> >  > > > > > > this one
> >  > > > > > >
> >  > > > > > > Thanks
> >  >
> >  >
> >  >
> >  > --
> >  > NOTE: No off-list assistance is given without prior approval.
> >  > Please keep mailing list traffic on the list unless
> >  > private contact is specifically requested and granted.
> >  >
> >  > ------------------------------------------------------------------------------
> >  > See everything from the browser to the database with AppDynamics
> >  > Get end-to-end visibility with application monitoring from AppDynamics
> >  > Isolate bottlenecks and diagnose root cause in seconds.
> >  > Start your free trial of AppDynamics Pro today!
> >  > http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> >  > _______________________________________________
> >  > Snort-users mailing list
> >  > Snort-users at lists.sourceforge.net
> >  > Go to this URL to change user options or unsubscribe:
> >  > https://lists.sourceforge.net/lists/listinfo/snort-users
> >  > Snort-users list archive:
> >  > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >  >
> >  > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> >
> 
> 
 		 	   		   		 	   		  
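The reputation preprocessor lists that wkitty42 describes in the thread hold one IP or IP/CIDR entry per line, never text rules, and that is exactly what can be checked before restarting Snort. This is an added example written for this page, not code from the thread or from the Snort project; the file names RPP_black.rules and black_list.rules are taken from the thread, the sample contents are constructed, and the check is IPv4-only.

```shell
#!/bin/sh
# Added example: validate a Snort reputation preprocessor list (the
# whitelist/blacklist files named on the "preprocessor reputation" line of
# snort.conf). Every non-blank, non-comment line must be an IP address or
# IP/CIDR block; a text rule ("alert udp ...") in that file is what produces
# the "Invalid IP Address" log lines quoted in the thread.
# Simplification (assumption): IPv4 only; IPv6 entries are reported as bad.

# is_ipv4_entry ADDR[/PREFIX]: shape check plus octet and prefix range check.
is_ipv4_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    ip=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/": a single host address
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_rep_list FILE: return 0 if every non-blank, non-comment line is an
# IP/CIDR entry; otherwise report each offending line on stderr and return 1.
check_rep_list() {
    file=$1; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # drop trailing '#' comments and surrounding whitespace
        entry=$(printf '%s' "$line" | sed 's/#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        if ! is_ipv4_entry "$entry"; then
            printf '%s:%d: not an IP/CIDR entry: %s\n' "$file" "$n" "$entry" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# Constructed sample files (not from the thread): a correctly formatted
# reputation list, and one that was mistakenly filled with text rules.
tmp=$(mktemp -d)
printf '# RPP black list: one address or CIDR block per line\n192.0.2.10\n198.51.100.0/24 # lab range\n' \
    > "$tmp/RPP_black.rules"
printf '# text rules copied into the reputation list by mistake\nalert udp $HOME_NET any -> any 53 (msg:"test"; sid:1;)\n203.0.113.7\n' \
    > "$tmp/black_list.rules"

check_rep_list "$tmp/RPP_black.rules" && echo "RPP_black.rules: ok"
check_rep_list "$tmp/black_list.rules" || echo "black_list.rules: fix it before pointing the reputation preprocessor at it"
```

Once the list format is right, Snort's own `-T` option (`snort -T -c /etc/snort/snort.conf`) runs the full configuration test, reputation lists included, without starting packet processing.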