[Snort-users] installation help

Sharif Uddin Sharif.Uddin at ...16962...
Thu Aug 28 05:30:22 EDT 2014


Thanks all for the advice; I guess it is running fine.

I would like to know if it is receiving alerts. I left a tail running on /var/log/messages and below is what I see today:

/var/log/snort/alert is empty
/var/log/snort/snort.log.1409158229 is empty

How do I capture all network traffic?



-----Original Message-----
From: waldo kitty [mailto:wkitty42 at ...14940...]
Sent: 28 August 2014 05:03
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] installation help

On 8/27/2014 12:52 PM, Sharif Uddin wrote:
> When I check status I get following
>
>                                  [root at ...2306... bin]# ./snort status

"status" is not a valid snort option... it sounds like a startup script option for a script with the same name as the snort binary... I suggest "which snort"
to find out what you are running and to see if it is actually what you think you are running ;)

--
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
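Two checks that follow from this thread, as an added shell example that is not code from either poster or from the Snort project: whether the `snort` found on PATH is a wrapper script (which would explain a "status" option the real binary does not have), and whether /var/log/messages contains any lines written by the Snort process itself, matched on the syslog program field rather than the word "snort", since this host is itself named "snort" and a plain grep would hit every line. The sample log lines are constructed, and the alert line assumes the generator:sid:rev shape Snort's syslog alert output uses.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code, not Snort's).
# Assumes POSIX sh, awk, head and mktemp; Snort itself need not be installed.

# "status" is not a Snort option, so a `snort` on PATH that accepts it is
# probably a wrapper script. Report "script" for a file that starts with a
# shebang, "other" for anything else (a real ELF binary, or no file at all).
snort_path_kind() {
    case "$(head -c 2 "$1" 2>/dev/null)" in
        '#!') echo script ;;
        *)    echo other ;;
    esac
}

# Count syslog lines written by the Snort *process*: field 5 is the program
# tag (snort[pid]: or snort:). Grepping for the word "snort" would not work
# here because the host itself is named "snort" (field 4 on every line).
snort_log_count() {
    awk '$5 ~ /^snort(\[[0-9]+\])?:$/ { n++ } END { print n + 0 }' "$1"
}

# Of those, count actual alerts: field 6 is a generator:sid:rev triple
# such as [1:1000001:1], the shape Snort's alert_syslog output uses.
snort_alert_count() {
    awk '$5 ~ /^snort(\[[0-9]+\])?:$/ && $6 ~ /^\[[0-9]+:[0-9]+:[0-9]+\]$/ { n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample: three lines like the poster's, plus two lines in the
# form Snort writes when it logs to syslog (labelled CONSTRUCTED).
make_sample() {
    cat > "$1" <<'EOF'
Aug 28 09:01:01 snort systemd: Started Session 19 of user root.
Aug 28 09:38:07 snort dhclient[1061]: DHCPACK from 172.16.0.11 (xid=0x473f73dc)
Aug 28 10:05:12 snort snort[2345]: [1:1000001:1] CONSTRUCTED test alert [Classification: Misc activity] [Priority: 3] {ICMP} 172.16.0.1 -> 172.16.1.157
Aug 28 10:05:13 snort snort[2345]: Commencing packet processing (pid=2345)
Aug 28 10:01:01 snort systemd: Started Session 20 of user root.
EOF
}

# Run against the sample; point the two count functions at /var/log/messages
# on a real sensor. On the poster's host both counts would be 0.
sample=$(mktemp)
make_sample "$sample"
echo "lines from the snort process: $(snort_log_count "$sample")"
echo "alerts among them:            $(snort_alert_count "$sample")"
if p=$(command -v snort); then echo "snort on PATH: $p ($(snort_path_kind "$p"))"; fi
rm -f "$sample"
```

Zero lines from the snort process means Snort is not logging to syslog at all, so the next thing to confirm is the interface it is bound to and the output configuration in snort.conf, not the rule set.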
