[Snort-users] no IDS logs from snort
wkitty42 at ...14940...
Sat Mar 9 14:46:45 EST 2013
On 3/9/2013 14:23, Ray Caparros wrote:
> Looking at your config file, none of your output plugins are active. I would at
> least turn on syslog or the log_tcpdump.log. Hope this helps!
i have /never/ defined any output plugins in snort... it has at least two
defaults... the first creates a plain ASCII text alert file and the second
creates a pcap file for each execution of snort... the contents are pcaps of
each packet of traffic that caused an alert to be written to the alert file...
this problem is related to something else... i've seen it numerous other times
in another firewall project and it has only recently started with the 2.9 series
in our case, we've found that the conf file distributed with our compile of
snort contains dotted paths but we don't know "where we are" when those paths
are encountered... snort runs but doesn't log... we change those dotted paths to
fully defined paths, restart snort and then things seem to start working... the
dotted paths we have seen are not related to the placement of the log files...
we're not even certain that these dotted paths are the problem but we know that
we change them in all cases when they appear... we fixed the dotted paths in our
distributed conf file and i don't recall recent reports since then...
but not a lot of folks use snort, either... many want something like an
anti-virus tool that fits all systems and networks... they don't want to learn
why the rules are alerting which leads them deeper into networking mechanics
than they care to go... they don't want to have to deal with blocks and figuring
out which rule caused such a block and then to decide which one of several
methods would be the best to use to "fix" that rule... sometimes you might just
completely disable a rule in snort... or you may tell your reactive control
tools to ignore those alerts from that rule... you might want something more
refined where that rule is applied to all traffic except that from certain
sites... snort's threshold file may cover this for you or, again, you may be
able to handle it in your reactive control tool... that's only 2 scenarios with
at least two options each...
NOTE: i do not work for VRT or sourcefire... the conf i speak of distributing
above is for snort as used on another product...
> On Sat, Mar 9, 2013 at 12:02 AM, Kevin Thomas <axel2078 at ...11827...
> <mailto:axel2078 at ...11827...>> wrote:
> Here is a little more information. This is what I get when I run a test
> against the snort.conf file:
> Initialization Complete ==--
> ,,_ -*> Snort! <*-
> o" )~ Version 2.9.4 GRE (Build 40)
> '''' By Martin Roesch & The Snort Team:
> Copyright (C) 1998-2012 Sourcefire, Inc., et al.
> Using libpcap version 1.0.0
> Using PCRE version: 8.31 2012-07-06
> Using ZLIB version: 1.2.7----
> Snort successfully validated the configuration!
> Snort exiting
> Here is a snippet from /var/log/messages.
> Mar 6 23:39:06 ipfire snort: Log directory = /var/log/snort
> Mar 6 23:39:09 ipfire snort: Memcap used for logging URI
> and Hostname: 150994944
> Mar 6 23:39:16 ipfire snort: Max number of dialogs in a
> session: 4 (Default)
> Mar 6 23:39:20 ipfire snort: Rule application order:
> Anyone have any idea why snort isn't writing to the log files?
> On 3/8/2013 4:44 PM, Kevin Thomas wrote:
> > I posted an email about this on March 6th, but for brevity's sake, I'll
> just rehash the important stuff:
> > - snort isn't logging anything, but it is running.
> > - it is creating empty files
> > - snort version is 2.9.4 and snort.conf is version 184.108.40.206
> > - system was installed (snort activated) around mid-Feb.)
> > These is the result from ps -ef:
> > /usr/sbin/snort -c /etc/snort/snort.conf -i red0 -D -l /var/log/snort
> --create-pidfile --nolock-pidfile --pid-path /var/run/
> > This the contents of my /var/log/snort directory. As you can see, it's
> creating files, but they are all empty.
> > -rw-r--r-- 1 root root 0 2013-03-03 00:01 alert
> > -rw-r--r-- 1 root root 20 2013-03-03 00:01 alert.1.gz
> > -rw-r--r-- 1 root root 20 2013-02-24 00:01 alert.2.gz
> > -rw-r--r-- 1 root root 20 2013-02-17 00:01 alert.3.gz
> > -rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.5.gz
> > -rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
> > -rw-r--r-- 1 root root 0 2013-02-10 18:29 snort.log.1360542580
> > -rw-r--r-- 1 root root 0 2013-03-02 14:01 snort.log.1362254506
> > -rw-r--r-- 1 root root 0 2013-03-02 14:59 snort.log.1362257974
> > -rw-r--r-- 1 root root 0 2013-03-07 00:03 snort.log.1362636207
> > These are all the snort files on my system:
> > [root at ...16131... snort]# find / -name snort
> > /etc/snort
> > /etc/rc.d/init.d/snort
> > /usr/sbin/snort
> > /usr/lib/snort
> > /var/log/snort
> > /var/ipfire/snort
> > This is the contents of the /etc/snort directory. The files owned by
> root:root were created by me.
> > -rw-r--r-- 1 root root 152 2013-03-06 18:13 readme.txt
> > drwxr-xr-x 2 nobody nobody 12288 2013-03-06 23:37 rules
> > -rw-r--r-- 1 nobody nobody 19506 2013-03-06 23:57 snort.conf
> > -rw-r--r-- 1 nobody nobody 19506 2013-02-16 11:03 snort.conf.orig
> > -rwxr-xr-x 1 root root 73 2013-03-06 18:38 snort-test.sh
> > -rwxr-xr-x 1 root root 29 2013-03-07 00:01 start.sh
> > -rwxr-xr-x 1 root root 28 2013-03-07 00:02 stop.sh
> > -rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
> > -rw-r--r-- 1 root root 104 2013-03-07 00:03 vars
> > Someone asked me in a separate email what my logging/output settings in
> snort.conf were. I think this is it. If not, let me know.
> > # config logdir:
> > (this line is blank - nothing here)
> > #############################
> > # Step #6: Configure output plugins
> > # For more information, see Snort Manual, Configuring Snort - Output Modules
> > ###################################################
> > # unified2
> > # Recommended for most installs
> > # output unified2: filename merged.log, limit 128, nostamp,
> mpls_event_types, vlan_event_types
> > # Additional configuration for specific types of installs
> > # output alert_unified2: filename snort.alert, limit 128, nostamp
> > # output log_unified2: filename snort.log, limit 128, nostamp
> > # syslog
> > # output alert_syslog: LOG_AUTH LOG_ALERT
> > # pcap
> > # output log_tcpdump: tcpdump.log
> > # database
> > # output database: alert, <db_type>, user=<username> password=<password>
> test dbname=<name> host=<hostname>
> > # output database: log, <db_type>, user=<username> password=<password>
> test dbname=<name> host=<hostname>
> > # prelude
> > # output alert_prelude
> > # metadata reference data. do not modify these lines
> > include /etc/snort/rules/classification.config
> > include /etc/snort/rules/reference.config
> > I think I read somewhere else that the variables below should say vars
> and not ipvars if you are not using IPv6 in your environment, which I am not.
> > # taken from /etc/snort vars
> > #ipvar HOME_NET any
> > # Set up the external network addresses. Leave as "any" in most situations
> > ipvar EXTERNAL_NET any
> > # List of DNS servers on your network
> > #ipvar DNS_SERVERS $HOME_NET
> > # List of SMTP servers on your network
> > ipvar SMTP_SERVERS $HOME_NET
> > # List of web servers on your network
> > ipvar HTTP_SERVERS $HOME_NET
> > # List of sql servers on your network
> > ipvar SQL_SERVERS $HOME_NET
> > # List of telnet servers on your network
> > ipvar TELNET_SERVERS $HOME_NET
> > # List of ssh servers on your network
> > ipvar SSH_SERVERS $HOME_NET
> > # List of ftp servers on your network
> > ipvar FTP_SERVERS $HOME_NET
> > Any help you guys could provide with this would be most appreciated.
> Thank you.
> > Kevin
More information about the Snort-users