[Snort-users] First time snorting ... ERROR: The dynamic detection library ...

waldo kitty wkitty42 at ...14940...
Fri Nov 15 12:15:20 EST 2013

On 11/15/2013 8:28 AM, Alan McKay wrote:
> On Thu, Nov 14, 2013 at 7:41 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> ok... try adding "-k none" before your "-c" or after your "eth0"...
> I did that and still no luck - still empty pcap files
>> now we need to see the rest of the output when you shut down snort... that will
>> give us the statistics of traffic that it has seen, if any at all...
> I've updated this with the shutdown info.

*** Caught Int-Signal
Run time for packet processing was 245.17417 seconds
Snort processed 14030 packets.
Snort ran for 0 days 0 hours 4 minutes 5 seconds
    Pkts/min:         3507
    Pkts/sec:           57
Packet I/O Totals:
    Received:        14030
    Analyzed:        14030 (100.000%)
     Dropped:            0 (  0.000%)
    Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
    Injected:            0

this shows that your snort IS seeing traffic and analyzing it... at this point, 
i would try what i posted about some time back... let me see if i can find the 
post and paste it here for you... i probably should create a FAQ entry if one 
doesn't already cover this test...

[time passes]

found one of them ;)

 > Why snort is not logging?

you mean like alerting on any traffic? sure... we use the following rules in a 
file named local-test.rules... just like local.rules, put it in place with the 
proper permissions, add it to your snort.conf and restart snort... only let it 
run a minute because it can generate thousands of alerts per second depending on 
your traffic and your machine's capabilities... then edit your snort.conf to 
comment it out or remove it and restart your snort... then you can look at your 
alert and log files to see if traffic was recorded... if it was, then things are 
working properly... if it was not, then we have to look deeper...

----- snip -----
# The rules in this file are only to test a snort installation to see if it is
# seeing any traffic at all. These rules should NOT be used all the time. Once
# tested and working, this rule file should be commented out in your snort.conf
# so that it is not used.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; 
classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; 
classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; 
classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; 
classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; 
classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; 
classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; 
classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; 
classtype:icmp-event; sid:8; rev:1;)

----- snip -----

[time returns to the present]

> While it was running I did
> a couple of "nmap -O" against it from another machine on the internet
> (my home server) and also did an infinite loop trying to ssh into it
> and kept getting repeated errors about publickey ... so both of those
> should have triggered something no?

no, not unless there was something about those packets to trigger an alert rule...

try the above and see if any traffic at all is logged... it should be and you 
shouldn't have to try to do anything specific other than simply accessing that 
machine ;)

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-users mailing list