[Snort-users] no IDS logs from snort

Ray Caparros arcy24 at ...11827...
Sat Mar 9 14:23:27 EST 2013


Kevin,

Looking at your config file, none of your output plugins are active. I
would at least turn on syslog or the log_tcpdump.log. Hope this helps!

-Ray


On Sat, Mar 9, 2013 at 12:02 AM, Kevin Thomas <axel2078 at ...11827...> wrote:

> Here is a little more information.  This is what I get when I run a test
> against the snort.conf file:
> -----snip----==
> Initialization Complete ==--
>
>     ,,_     -*> Snort! <*-
>    o"  )~   Version 2.9.4 GRE (Build 40)
>     ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>             Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>             Using libpcap version 1.0.0
>             Using PCRE version: 8.31 2012-07-06
>             Using ZLIB version: 1.2.7----
> ------snip------
> Snort successfully validated the configuration!
> Snort exiting
>
> Here is a snippet from /var/log/messages.
>
> Mar  6 23:39:06 ipfire snort[26313]: Log directory = /var/log/snort
> Mar  6 23:39:09 ipfire snort[26313]:       Memcap used for logging URI
> and Hostname: 150994944
> Mar  6 23:39:16 ipfire snort[26313]:     Max number of dialogs in a
> session: 4 (Default)
> Mar  6 23:39:20 ipfire snort[26313]: Rule application order:
> activation->dynamic->pass->drop->sdrop->reject->alert->log
>
> Anyone have any idea why snort isn't writing to the log files?
>
> Kevin
>
>
> On 3/8/2013 4:44 PM, Kevin Thomas wrote:
> > I posted an email about this on March 6th, but for brevity's sake, I'll
> just rehash the important stuff:
> >
> > - snort isn't logging anything, but it is running.
> > - it is creating empty files
> > - snort version is 2.9.4 and snort.conf is version 2.9.1.1
> > - system was installed (snort activated) around mid-Feb.)
> >
> > This is the result from ps -ef:
> >
> > /usr/sbin/snort -c /etc/snort/snort.conf -i red0 -D -l /var/log/snort
> --create-pidfile --nolock-pidfile --pid-path /var/run/
> >
> > These are the contents of my /var/log/snort directory.  As you can see, it's
> creating files, but they are all empty.
> >
> > -rw-r--r-- 1 root root  0 2013-03-03 00:01 alert
> > -rw-r--r-- 1 root root 20 2013-03-03 00:01 alert.1.gz
> > -rw-r--r-- 1 root root 20 2013-02-24 00:01 alert.2.gz
> > -rw-r--r-- 1 root root 20 2013-02-17 00:01 alert.3.gz
> > -rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.5.gz
> > -rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
> > -rw-r--r-- 1 root root  0 2013-02-10 18:29 snort.log.1360542580
> > -rw-r--r-- 1 root root  0 2013-03-02 14:01 snort.log.1362254506
> > -rw-r--r-- 1 root root  0 2013-03-02 14:59 snort.log.1362257974
> > -rw-r--r-- 1 root root  0 2013-03-07 00:03 snort.log.1362636207
> >
> > These are all the snort files on my system:
> >
> > [root at ...16131... snort]# find / -name snort
> > /etc/snort
> > /etc/rc.d/init.d/snort
> > /usr/sbin/snort
> > /usr/lib/snort
> > /var/log/snort
> > /var/ipfire/snort
> >
> > These are the contents of the /etc/snort directory.  The files owned by
> root:root were created by me.
> >
> > -rw-r--r-- 1 root   root      152 2013-03-06 18:13 readme.txt
> > drwxr-xr-x 2 nobody nobody  12288 2013-03-06 23:37 rules
> > -rw-r--r-- 1 nobody nobody  19506 2013-03-06 23:57 snort.conf
> > -rw-r--r-- 1 nobody nobody  19506 2013-02-16 11:03 snort.conf.orig
> > -rwxr-xr-x 1 root   root       73 2013-03-06 18:38 snort-test.sh
> > -rwxr-xr-x 1 root   root       29 2013-03-07 00:01 start.sh
> > -rwxr-xr-x 1 root   root       28 2013-03-07 00:02 stop.sh
> > -rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
> > -rw-r--r-- 1 root   root      104 2013-03-07 00:03 vars
> >
> > Someone asked me in a separate email what my logging/output settings in
> snort.conf were.  I think this is it.  If not, let me know.
> >
> >
> > # config logdir:
> > (this line is blank - nothing here)
> >
> > #############################
> >
> > # Step #6: Configure output plugins
> > # For more information, see Snort Manual, Configuring Snort - Output
> Modules
> > ###################################################
> >
> > # unified2
> > # Recommended for most installs
> > # output unified2: filename merged.log, limit 128, nostamp,
> mpls_event_types, vlan_event_types
> >
> > # Additional configuration for specific types of installs
> > # output alert_unified2: filename snort.alert, limit 128, nostamp
> > # output log_unified2: filename snort.log, limit 128, nostamp
> >
> > # syslog
> > # output alert_syslog: LOG_AUTH LOG_ALERT
> >
> > # pcap
> > # output log_tcpdump: tcpdump.log
> >
> > # database
> > # output database: alert, <db_type>, user=<username> password=<password>
> test dbname=<name> host=<hostname>
> > # output database: log, <db_type>, user=<username> password=<password>
> test dbname=<name> host=<hostname>
> >
> > # prelude
> > # output alert_prelude
> >
> > # metadata reference data.  do not modify these lines
> > include /etc/snort/rules/classification.config
> > include /etc/snort/rules/reference.config
> >
> > I think I read somewhere else that the variables below should say vars
> and not ipvars if you are not using IPv6 in your environment, which I am
> not.
> >
> > # taken from /etc/snort vars
> > #ipvar HOME_NET any
> >
> > # Set up the external network addresses. Leave as "any" in most
> situations
> > ipvar EXTERNAL_NET any
> >
> > # List of DNS servers on your network
> > #ipvar DNS_SERVERS $HOME_NET
> >
> > # List of SMTP servers on your network
> > ipvar SMTP_SERVERS $HOME_NET
> >
> > # List of web servers on your network
> > ipvar HTTP_SERVERS $HOME_NET
> >
> > # List of sql servers on your network
> > ipvar SQL_SERVERS $HOME_NET
> >
> > # List of telnet servers on your network
> > ipvar TELNET_SERVERS $HOME_NET
> >
> > # List of ssh servers on your network
> > ipvar SSH_SERVERS $HOME_NET
> >
> > # List of ftp servers on your network
> > ipvar FTP_SERVERS $HOME_NET
> >
> > Any help you guys could provide with this would be most appreciated.
> > Thank you.
> >
> > Kevin
> >
> >
> >
> >
>
>
>
>
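Ray's point is that every `output` line in the posted Step #6 section is commented out, and `snort -T` reporting "successfully validated the configuration" says nothing about that: a config with no output plugins parses fine. The script below is an added example, not code from the Snort project or from either poster. It reads a snort.conf the way Snort's parser does for this purpose (comment lines skipped, backslash continuations joined), lists the output plugins that are actually active, and checks that a log directory is set either by `config logdir:` or by the `-l` option seen in the ps output. The two embedded configs are constructed: the first mirrors the posted section with everything commented out, the second enables the syslog and tcpdump plugins Ray suggests.

```python
"""Report active output plugins in a snort.conf.

Added example, not part of the Snort project or the thread. Mirrors the
symptom in the thread: every `output` line is commented out, so Snort
starts cleanly but has nowhere to write alerts.
"""
import re

# Constructed sample: the Step #6 section as posted, every plugin commented out.
BROKEN_CONF = """\
# Step #6: Configure output plugins
# unified2
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT
# pcap
# output log_tcpdump: tcpdump.log
include /etc/snort/rules/classification.config
include /etc/snort/rules/reference.config
"""

# Constructed fix: the same section with unified2, syslog and pcap output enabled.
# The unified2 line uses a backslash continuation to show that the parser joins it.
FIXED_CONF = """\
# Step #6: Configure output plugins
output unified2: filename merged.log, limit 128, nostamp, \\
    mpls_event_types, vlan_event_types
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: tcpdump.log
include /etc/snort/rules/classification.config
include /etc/snort/rules/reference.config
"""

OUTPUT_RE = re.compile(r"^output\s+(\w+)\s*(?::\s*(.*))?$")
LOGDIR_RE = re.compile(r"^config\s+logdir\s*:\s*(\S+)")


def logical_lines(text):
    """Yield config lines with comment lines dropped and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def active_outputs(text):
    """Return [(plugin_name, argument_string)] for every uncommented output line."""
    found = []
    for line in logical_lines(text):
        m = OUTPUT_RE.match(line)
        if m:
            found.append((m.group(1), (m.group(2) or "").strip()))
    return found


def logdir(text):
    """Return the directory from 'config logdir:' or None if the config sets none."""
    for line in logical_lines(text):
        m = LOGDIR_RE.match(line)
        if m:
            return m.group(1)
    return None


def diagnose(text, cmdline_logdir=None):
    """List reasons a config that passes 'snort -T' can still produce empty logs.

    cmdline_logdir is the value of the -l option, if the daemon was started
    with one (the thread's ps output shows -l /var/log/snort).
    """
    problems = []
    if not active_outputs(text):
        problems.append("no active 'output' lines: nothing will be written")
    if logdir(text) is None and cmdline_logdir is None:
        problems.append("no log directory: set 'config logdir:' or pass -l")
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, active_outputs(conf), diagnose(conf, cmdline_logdir="/var/log/snort"))
```

Run it against a real snort.conf by replacing the embedded text with the file's contents; an empty list from `active_outputs` is the condition Ray describes, and it is exactly what `snort -T` will not warn about.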