[Snort-users] no IDS logs from snort

Kevin Thomas kpt2078 at ...11827...
Fri Mar 8 17:44:13 EST 2013


I posted an email about this on March 6th, but for brevity's sake, I'll just rehash the important stuff:

- snort isn't logging anything, but it is running.
- it is creating empty files
- snort version is 2.9.4 and snort.conf is version 2.9.1.1
- system was installed (snort activated) around mid-Feb.

This is the result from ps -ef:

/usr/sbin/snort -c /etc/snort/snort.conf -i red0 -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run/

This is the contents of my /var/log/snort directory.  As you can see, it's creating files, but they are all empty.

-rw-r--r-- 1 root root  0 2013-03-03 00:01 alert
-rw-r--r-- 1 root root 20 2013-03-03 00:01 alert.1.gz
-rw-r--r-- 1 root root 20 2013-02-24 00:01 alert.2.gz
-rw-r--r-- 1 root root 20 2013-02-17 00:01 alert.3.gz
-rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.5.gz
-rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
-rw-r--r-- 1 root root  0 2013-02-10 18:29 snort.log.1360542580
-rw-r--r-- 1 root root  0 2013-03-02 14:01 snort.log.1362254506
-rw-r--r-- 1 root root  0 2013-03-02 14:59 snort.log.1362257974
-rw-r--r-- 1 root root  0 2013-03-07 00:03 snort.log.1362636207

These are all the snort files on my system:

[root at ...16131... snort]# find / -name snort
/etc/snort
/etc/rc.d/init.d/snort
/usr/sbin/snort
/usr/lib/snort
/var/log/snort
/var/ipfire/snort

This is the contents of the /etc/snort directory.  The files owned by root:root were created by me.

-rw-r--r-- 1 root   root      152 2013-03-06 18:13 readme.txt
drwxr-xr-x 2 nobody nobody  12288 2013-03-06 23:37 rules
-rw-r--r-- 1 nobody nobody  19506 2013-03-06 23:57 snort.conf
-rw-r--r-- 1 nobody nobody  19506 2013-02-16 11:03 snort.conf.orig
-rwxr-xr-x 1 root   root       73 2013-03-06 18:38 snort-test.sh
-rwxr-xr-x 1 root   root       29 2013-03-07 00:01 start.sh
-rwxr-xr-x 1 root   root       28 2013-03-07 00:02 stop.sh
-rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
-rw-r--r-- 1 root   root      104 2013-03-07 00:03 vars

Someone asked me in a separate email what my logging/output settings in snort.conf were.  I think this is it.  If not, let me know.


# config logdir:
(this line is blank - nothing here)

#############################

# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# unified2 
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp 

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

# prelude
# output alert_prelude

# metadata reference data.  do not modify these lines
include /etc/snort/rules/classification.config
include /etc/snort/rules/reference.config

I think I read somewhere else that the variables below should say vars and not ipvars if you are not using IPv6 in your environment, which I am not.

# taken from /etc/snort vars
#ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

# List of DNS servers on your network 
#ipvar DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
ipvar SMTP_SERVERS $HOME_NET

# List of web servers on your network
ipvar HTTP_SERVERS $HOME_NET

# List of sql servers on your network 
ipvar SQL_SERVERS $HOME_NET

# List of telnet servers on your network
ipvar TELNET_SERVERS $HOME_NET

# List of ssh servers on your network
ipvar SSH_SERVERS $HOME_NET

# List of ftp servers on your network
ipvar FTP_SERVERS $HOME_NET

Any help you guys could provide with this would be most appreciated.  Thank you.

Kevin
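A small checker, added here as an example and not part of the post or of Snort, that reads a snort.conf and reports two things visible in the excerpt above: whether any uncommented "output" directive exists, and whether any $VARIABLE used on an active line is never defined by var/ipvar/portvar. The sample file it builds is constructed to mirror the quoted settings; run the functions against /etc/snort/snort.conf on a real system.

```shell
# Constructed snort.conf fragment mirroring the settings quoted in the post
# (every output line commented out, HOME_NET commented out); not the poster's file.
SNORT_CONF_SAMPLE="$(mktemp)"
cat > "$SNORT_CONF_SAMPLE" <<'EOF'
# config logdir:
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# output alert_syslog: LOG_AUTH LOG_ALERT
include /etc/snort/rules/classification.config
#ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar HTTP_SERVERS $HOME_NET
EOF
# Print the lines Snort actually reads: comments and blank lines stripped.
effective_config() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next } { print }' "$1"
}
# Number of uncommented "output ..." directives; 0 means no output module is
# configured explicitly in this file.
active_output_count() {
    awk '/^[[:space:]]*output[[:space:]]/ { n++ } END { print n + 0 }' "$1"
}

# Names referenced as $NAME on active lines but never defined by var/ipvar/portvar.
undefined_vars() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*(ipvar|var|portvar)[[:space:]]/ { defined[$2] = 1 }
        {
            line = $0
            while (match(line, /[$][A-Za-z_][A-Za-z0-9_]*/)) {
                used[substr(line, RSTART + 1, RLENGTH - 1)] = 1
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (n in used) if (!(n in defined)) print n }
    ' "$1" | sort
}

# Summary check: returns 0 if at least one output directive is active and every
# referenced variable is defined, 1 otherwise (findings are printed).
check_snort_conf() {
    conf="$1"; rc=0
    if [ "$(active_output_count "$conf")" -eq 0 ]; then
        echo "no active output directive in $conf"; rc=1
    fi
    for v in $(undefined_vars "$conf"); do
        echo "variable \$$v referenced but never defined in $conf"; rc=1
    done
    return $rc
}
```

On the constructed sample, `check_snort_conf "$SNORT_CONF_SAMPLE"` reports no active output directive and an undefined HOME_NET; against a real install, pass the path of the snort.conf that the running process was started with (the -c argument shown in ps -ef).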