[Snort-users] no IDS logs from snort

Kevin Thomas axel2078 at ...11827...
Sat Mar 9 00:02:51 EST 2013


Here is a little more information.  This is what I get when I run a test 
against the snort.conf file:
-----snip-----
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.7
-----snip-----
Snort successfully validated the configuration!
Snort exiting

Here is a snippet from /var/log/messages.

Mar  6 23:39:06 ipfire snort[26313]: Log directory = /var/log/snort
Mar  6 23:39:09 ipfire snort[26313]:       Memcap used for logging URI and Hostname: 150994944
Mar  6 23:39:16 ipfire snort[26313]:     Max number of dialogs in a session: 4 (Default)
Mar  6 23:39:20 ipfire snort[26313]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log

Anyone have any idea why snort isn't writing to the log files?

Kevin


On 3/8/2013 4:44 PM, Kevin Thomas wrote:
> I posted an email about this on March 6th, but for brevity's sake, I'll just rehash the important stuff:
>
> - snort isn't logging anything, but it is running.
> - it is creating empty files
> - snort version is 2.9.4 and snort.conf is version 2.9.1.1
> - system was installed (snort activated) around mid-Feb.
>
> This is the result from ps -ef:
>
> /usr/sbin/snort -c /etc/snort/snort.conf -i red0 -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run/
>
> This is the contents of my /var/log/snort directory.  As you can see, it's creating files, but they are all empty.
>
> -rw-r--r-- 1 root root  0 2013-03-03 00:01 alert
> -rw-r--r-- 1 root root 20 2013-03-03 00:01 alert.1.gz
> -rw-r--r-- 1 root root 20 2013-02-24 00:01 alert.2.gz
> -rw-r--r-- 1 root root 20 2013-02-17 00:01 alert.3.gz
> -rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.5.gz
> -rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
> -rw-r--r-- 1 root root  0 2013-02-10 18:29 snort.log.1360542580
> -rw-r--r-- 1 root root  0 2013-03-02 14:01 snort.log.1362254506
> -rw-r--r-- 1 root root  0 2013-03-02 14:59 snort.log.1362257974
> -rw-r--r-- 1 root root  0 2013-03-07 00:03 snort.log.1362636207
>
> These are all the snort files on my system:
>
> [root at ...16131... snort]# find / -name snort
> /etc/snort
> /etc/rc.d/init.d/snort
> /usr/sbin/snort
> /usr/lib/snort
> /var/log/snort
> /var/ipfire/snort
>
> This is the contents of the /etc/snort directory.  The files owned by root:root were created by me.
>
> -rw-r--r-- 1 root   root      152 2013-03-06 18:13 readme.txt
> drwxr-xr-x 2 nobody nobody  12288 2013-03-06 23:37 rules
> -rw-r--r-- 1 nobody nobody  19506 2013-03-06 23:57 snort.conf
> -rw-r--r-- 1 nobody nobody  19506 2013-02-16 11:03 snort.conf.orig
> -rwxr-xr-x 1 root   root       73 2013-03-06 18:38 snort-test.sh
> -rwxr-xr-x 1 root   root       29 2013-03-07 00:01 start.sh
> -rwxr-xr-x 1 root   root       28 2013-03-07 00:02 stop.sh
> -rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
> -rw-r--r-- 1 root   root      104 2013-03-07 00:03 vars
>
> Someone asked me in a separate email what my logging/output settings in snort.conf were.  I think this is it.  If not, let me know.
>
>
> # config logdir:
> (this line is blank - nothing here)
>
> #############################
>
> # Step #6: Configure output plugins
> # For more information, see Snort Manual, Configuring Snort - Output Modules
> ###################################################
>
> # unified2
> # Recommended for most installs
> # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
>
> # Additional configuration for specific types of installs
> # output alert_unified2: filename snort.alert, limit 128, nostamp
> # output log_unified2: filename snort.log, limit 128, nostamp
>
> # syslog
> # output alert_syslog: LOG_AUTH LOG_ALERT
>
> # pcap
> # output log_tcpdump: tcpdump.log
>
> # database
> # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
> # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
>
> # prelude
> # output alert_prelude
>
> # metadata reference data.  do not modify these lines
> include /etc/snort/rules/classification.config
> include /etc/snort/rules/reference.config
>
> I think I read somewhere else that the variables below should say vars and not ipvars if you are not using IPv6 in your environment, which I am not.
>
> # taken from /etc/snort vars
> #ipvar HOME_NET any
>
> # Set up the external network addresses. Leave as "any" in most situations
> ipvar EXTERNAL_NET any
>
> # List of DNS servers on your network
> #ipvar DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> ipvar SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> ipvar HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> ipvar SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> ipvar TELNET_SERVERS $HOME_NET
>
> # List of ssh servers on your network
> ipvar SSH_SERVERS $HOME_NET
>
> # List of ftp servers on your network
> ipvar FTP_SERVERS $HOME_NET
>
> Any help you guys could provide with this would be most appreciated.  Thank you.
>
> Kevin
>
>
>
>
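A small config check written for this thread (added here, not code from the poster or from the Snort project): it scans a snort.conf body for active output directives, a logdir setting, and $VARIABLES that are referenced on live lines but defined only on commented-out ones, the two conditions visible in the posted snippet. The function name and the inline sample are mine; the sample is constructed from the config lines in the post, and include lines are not followed, so a variable defined in an included file (such as the vars file) would still be reported here.

```python
import re

# Constructed sample (not the poster's full file): the output and variable
# lines as they appear in the thread, every output directive commented out
# and HOME_NET commented out while other ipvars still reference $HOME_NET.
SAMPLE_CONF = """\
# config logdir:
# output unified2: filename merged.log, limit 128, nostamp
# output alert_syslog: LOG_AUTH LOG_ALERT
include /etc/snort/rules/classification.config
#ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar HTTP_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET
"""


def lint_snort_conf(text):
    """Hypothetical helper: report active outputs, logdir and dangling $VARS.

    Only uncommented lines count, and include lines are not followed, so a
    variable defined in an included file is still reported as undefined.
    """
    outputs, defined, referenced = [], set(), {}
    logdir = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out output line produces no alerts
        if line.startswith("output "):
            # "output alert_syslog: LOG_AUTH ..." -> "alert_syslog"
            outputs.append(line.split(":")[0].split(None, 1)[1].strip())
        m = re.match(r"config\s+logdir\s*:\s*(\S+)", line)
        if m:
            logdir = m.group(1)
        m = re.match(r"(?:ipvar|var|portvar)\s+(\w+)\s", line)
        if m:
            defined.add(m.group(1))
        for ref in re.findall(r"\$(\w+)", line):
            referenced.setdefault(ref, []).append(lineno)
    undefined = {v: ls for v, ls in referenced.items() if v not in defined}
    return {"active_outputs": outputs, "logdir": logdir, "undefined_vars": undefined}


if __name__ == "__main__":
    for key, value in lint_snort_conf(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Run against the sample it reports no active output plugin, no logdir, and HOME_NET referenced on lines 7 and 8 without a live definition.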