[Snort-users] Snort won't generate alerts with single snort.rules file

Anacleto Junior suporte.anacleto at ...11827...
Thu Mar 6 09:23:28 EST 2014


2014-02-28 16:22 GMT-03:00 SnortFan <SnortFan at ...131...>:

> Can you try:
>
> tcpdump -i eth1
>
> To see if you're getting traffic on that interface.
>

I'm getting traffic on that interface.
11:10:12.293579 IP xxx.xxx.xxx.xxx.xxxx > xxx.xxx.xxx.xxx.xxx: Flags [.],
ack 15841, win 16384, options [nop,nop,TS val 4252367761 ecr 3835930989],
length 0
[...]



> Also in your /etc/snort/rules/
>
> grep -v '#' snort.rules | grep -v '^$' | wc -l
>
> And see if that's close to the number of rules reported in:
>
> cat /var/log/message | snort
>
> When you restart snort.
>
> Cheers,
> Ed
>
> Sent from a mobile device.
>


Hmm...

When I run snort, I get this:
 4559 Snort rules read

But with the command you suggested:

grep -v '#' /etc/snort/rules/snort.rules | grep -v '^$' | wc -l
4479

So the rules aren't loaded when I run snort? How can I proceed?


2014-02-28 16:22 GMT-03:00 SnortFan <SnortFan at ...131...>:

> On Feb 28, 2014, at 12:19 PM, Anacleto Junior <suporte.anacleto at ...14459.....>
> wrote:
>
> Hi everyone,
>
> Sorry for the poor English, but I will try my best. I will describe my
> problems after upgrading Snort rules.
>
> Debian Linux 6.0.8 (kernel 2.6.32-5 x86_64)
> Snort version: Version 2.9.6.0 GRE (Build 47)
> Snort rules version: 2.9.6.0
> pulledpork 0.7.0
> barnyard2 2.1.13 build 327
>
> I was using Snort v.2.9.5.6 with snortrules-snapshot-2956 for a good time.
> I have upgraded to the latest version available and some issues occurred.
> If this is not the right place to ask, sorry for this. I would
> appreciate it if someone could point me to the right place to ask.
>
> When I run snort with this command:
>
> /usr/local/bin/snort -A console -u snort -g snort -c
> /etc/snort/eth1/snort_eth1.conf -i eth1
>
> I can't get alerts and no events are registered. This is the output
> after I stop it (Ctrl+C):
>
> I got some errors like:
> WARNING: /etc/snort/rules/snort.rules(15678) GID 1 SID 24017 in rule
> duplicates previous rule. Ignoring old rule.
>
> But it moves on...
>
> 4539 Snort rules read (so I assume it is reading the
>     4208 detection rules
>     0 decoder rules
>     4 preprocessor rules
> 4212 Option Chains linked into 185 Chain Headers
> 0 Dynamic rules
>
>
> Snort ran for 0 days 0 hours 3 minutes 10 seconds
>    Pkts/min:        39481
>    Pkts/sec:          623
>
> Packet I/O Totals:
>    Received:       118443
>    Analyzed:       118443 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
>
> Breakdown by protocol (includes rebuilt packets):
>         Eth:       118567 (100.000%)
>        VLAN:            0 (  0.000%)
>         IP4:       118567 (100.000%)
>        Frag:            0 (  0.000%)
>        ICMP:          411 (  0.347%)
>         UDP:         4682 (  3.949%)
>         TCP:       111664 ( 94.178%)
>
> Here's the problem; this is the info that got me concerned:
>
> ===============================================================================
>
>
>
> Action Stats:     Alerts:            0 (  0.000%)     Logged:            0 (  0.000%)     Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:        82225 ( 69.422%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:        36218 ( 30.578%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
>
>
> All of this traffic was not even registered. I think that I was supposed
> to get some alerts because of having a single file with all rules
> (pulledpork rule management). Isn't it supposed to activate all rules by
> default?
>
> This is my snort.conf file:
> http://pastebin.com/YWABcKsF
>
>
> Thanks in advance.
>
>
> --
> Anacleto Júnior
> Analista de TI e Redes
> Linux User: #447388
>


-- 
Anacleto Júnior
Analista de TI e Redes
Linux User: #447388
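A note on the rule-count check suggested in this thread, as an added example (not part of the list post): `grep -v '#' snort.rules | grep -v '^$' | wc -l` counts lines, not rules. It drops any rule whose line contains a `#` inside its content or msg, counts a backslash-continued rule once per line, and cannot see the duplicate gid:sid pairs that Snort reports as "duplicates previous rule", so it will not match "Snort rules read" exactly. The script below parses a constructed snort.rules-style sample the way Snort reads it (joining continuation lines, skipping commented rules) and compares that with the grep-style count; the sample rules and SIDs are made up.

```python
"""Compare a grep-style line count of a snort.rules file with a real rule count."""
import re
from collections import Counter

# Constructed sample in snort.rules syntax; sids/msgs are made up for illustration.
SAMPLE_RULES = r"""
# ---- pulledpork generated header ----
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test one"; \
    flow:to_server,established; \
    content:"GET /admin"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP anchor #1"; content:"HELO"; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"disabled by pulledpork"; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"ICMP dup"; sid:1000002; rev:2;)

alert tcp any any -> any 443 (msg:"TLS test"; gid:1; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def naive_grep_count(text):
    """Same result as: grep -v '#' snort.rules | grep -v '^$' | wc -l"""
    return sum(1 for line in text.splitlines() if "#" not in line and line != "")


def join_continuations(text):
    """Snort treats a trailing backslash as a line continuation; rebuild logical rule lines."""
    rules, buf = [], ""
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        rules.append(buf + stripped)
        buf = ""
    if buf:
        rules.append(buf)
    return rules


def parse_rules(text):
    """Return (gid, sid) for every active rule; gid defaults to 1 when absent."""
    ids = []
    for logical in join_continuations(text):
        s = logical.strip()
        if not s or s.startswith("#"):
            continue  # blank or commented-out rule
        sid = SID_RE.search(s)
        if not sid:
            continue
        gid = GID_RE.search(s)
        ids.append((int(gid.group(1)) if gid else 1, int(sid.group(1))))
    return ids


def count_report(text):
    """Line count vs. rules actually read vs. unique gid:sid, plus duplicates Snort would warn about."""
    ids = parse_rules(text)
    dupes = sorted(k for k, n in Counter(ids).items() if n > 1)
    return {"grep_count": naive_grep_count(text), "rules_read": len(ids),
            "unique_rules": len(set(ids)), "duplicate_gid_sid": dupes}


if __name__ == "__main__":
    print(count_report(SAMPLE_RULES))
```

On the sample the grep-style count is 5 while 4 rules are read and only 3 are unique, which is the kind of gap seen between 4479 and 4559 above; the duplicate gid:sid list is what to check against the "duplicates previous rule" warnings.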