[Snort-users] First time snorting ... ERROR: The dynamic detection library ...
wkitty42 at ...14940...
Fri Nov 15 12:15:20 EST 2013
On 11/15/2013 8:28 AM, Alan McKay wrote:
> On Thu, Nov 14, 2013 at 7:41 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> ok... try adding "-k none" before your "-c" or after your "eth0"...
> I did that and still no luck - still empty pcap files
>> now we need to see the rest of the output when you shut down snort... that will
>> give us the statistics of traffic that it has seen, if any at all...
> I've updated this with the shutdown info.
*** Caught Int-Signal
Run time for packet processing was 245.17417 seconds
Snort processed 14030 packets.
Snort ran for 0 days 0 hours 4 minutes 5 seconds
Packet I/O Totals:
Analyzed: 14030 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
this shows that your snort IS seeing traffic and analyzing it... at this point,
i would try what i posted about some time back... let me see if i can find the
post and paste it here for you... i probably should create a FAQ entry if one
doesn't already cover this test...
found one of them ;)
> Why snort is not logging?
you mean like alerting on any traffic? sure... we use the following rules in a
file named local-test.rules... just like local.rules, put it in place with the
proper permissions, add it to your snort.conf and restart snort... only let it
run a minute because it can generate thousands of alerts per second depending on
your traffic and your machine's capabilities... then edit your snort.conf to
comment it out or remove it and restart your snort... then you can look at your
alert and log files to see if traffic was recorded... if it was, then things are
working properly... if it was not, then we have to look deeper...
----- snip -----
# The rules in this file are only to test a snort installation to see if it is
# seeing any traffic at all. These rules should NOT be used all the time. Once
# tested and working, this rule file should be commented out in your snort.conf
# so that it is not used.
# LOCAL TEST RULES
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)
----- snip -----
[time returns to the present]
> While it was running I did
> a couple of "nmap -O" against it from another machine on the internet
> (my home server) and also did an infinite loop trying to ssh into it
> and kept getting repeated errors about publickey ... so both of those
> should have triggered something no?
no, not unless there was something about those packets to trigger an alert rule...
try the above and see if any traffic at all is logged... it should be and you
shouldn't have to try to do anything specific other than simply accessing that
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
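The diagnostic in the reply above has two stages: first confirm from the shutdown statistics that Snort actually analyzed packets, then confirm that the local-test.rules alerts (sid 1 through 8) show up in the alert file. The script below automates both checks. It is an added example, not part of the original thread and not Snort's own tooling; the Packet I/O figures are copied from the mail, while the alert lines are constructed samples in Snort's "alert_fast" format (addresses are documentation ranges, and the classification text follows the stock classification.config), so the regexes are assumptions about that layout and may need adjusting if you log with a different output plugin.

```python
import re
from collections import Counter

# Shutdown statistics as pasted in the mail above (numbers unchanged).
SHUTDOWN_STATS = """\
*** Caught Int-Signal
Run time for packet processing was 245.17417 seconds
Snort processed 14030 packets.
Packet I/O Totals:
Analyzed: 14030 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
"""

# Constructed sample of an alert file written by "output alert_fast".
SAMPLE_ALERTS = """\
11/15-08:28:01.123456  [**] [1:3:1] ip traffic inbound [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.7:44321 -> 192.0.2.10:22
11/15-08:28:01.123501  [**] [1:1:1] tcp traffic inbound [**] [Classification: A TCP connection was detected] [Priority: 4] {TCP} 203.0.113.7:44321 -> 192.0.2.10:22
11/15-08:28:01.124000  [**] [1:4:1] ip traffic outbound [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.10:22 -> 203.0.113.7:44321
11/15-08:28:02.000000  [**] [1:7:1] icmp traffic inbound [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
"""

# The sids used by local-test.rules in the mail.
TEST_SIDS = frozenset(range(1, 9))

STAT_RE = re.compile(r"^\s*(Analyzed|Dropped|Filtered|Outstanding):\s+(\d+)", re.M)

# One alert_fast line: timestamp, [gid:sid:rev], msg, ..., {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_packet_io_totals(text):
    """Return the Packet I/O Totals counters as {name: int}."""
    return {name: int(value) for name, value in STAT_RE.findall(text)}


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a["gid"], a["sid"], a["rev"] = int(a["gid"]), int(a["sid"]), int(a["rev"])
            alerts.append(a)
    return alerts


def count_test_rule_hits(alerts):
    """Count alerts per local-test.rules sid (generator id 1 only)."""
    return Counter(a["sid"] for a in alerts if a["gid"] == 1 and a["sid"] in TEST_SIDS)


def diagnose(stats, alerts):
    """Apply the checks from the mail in order and return a verdict string."""
    analyzed = stats.get("Analyzed", 0)
    if analyzed == 0:
        return "capture: Snort analyzed no packets; check the interface, -k none and capture permissions"
    hits = count_test_rule_hits(alerts)
    if not hits:
        return (f"rules: Snort analyzed {analyzed} packets but no local-test.rules alerts were logged; "
                "check that the file is included in snort.conf and that an alert output is configured")
    return f"ok: Snort analyzed {analyzed} packets and the test rules fired {sum(hits.values())} alerts"


if __name__ == "__main__":
    stats = parse_packet_io_totals(SHUTDOWN_STATS)
    alerts = parse_alerts(SAMPLE_ALERTS)
    for sid, n in sorted(count_test_rule_hits(alerts).items()):
        print(f"sid {sid}: {n} alert(s)")
    print(diagnose(stats, alerts))
```

Point it at a real run by reading the shutdown output and your alert file instead of the embedded samples; a "capture" verdict means the traffic never reached the detection engine, a "rules" verdict means it did but the test rule file is not active, and only "ok" means the installation is exercising rules end to end.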