[Snort-users] Snort Alert is Not Producing Any Timestamp

Jan Hugo Prins jhp at jhprins.org
Thu Jan 17 06:33:12 EST 2019


Hello,

Did anyone find the cause of this issue? I might have the same issue.

Startup command:

snort --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:0@2 --daq-var clusterid=0 --daq-var bindcpu=2

Version:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All
rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

I use pf_ring zc behind a fiber tap.

Bro is running on a second copy of the same packets, and is properly
adding timestamps to all registered connections / packets.


Jan Hugo Prins



On 7/3/17 4:58 PM, Dimz via Snort-users wrote:
> Hi,
>
> I create an autostart script:
> /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -Q
> -D -m 120
>
> This is the snort version:
> dimz@ubuntu:/var/log/snort$ snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.9.0 GRE (Build 56)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>            Copyright (C) 2014-2016 Cisco and/or its affiliates. All
> rights reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.7.4
>            Using PCRE version: 8.40 2017-01-11
>            Using ZLIB version: 1.2.8
>
> Thanks,
>
> -Dimz-
>
>
>
> On Monday, July 3, 2017, 9:52:52 PM GMT+7, Al Lewis (allewi)
> <allewi at cisco.com> wrote:
>
>
> Hello,
>
> What command are you using to start snort?
>
> What version of snort are you using?
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi at cisco.com <mailto:allewi at cisco.com>
>
> From: Snort-users <snort-users-bounces at lists.snort.org
> <mailto:snort-users-bounces at lists.snort.org>> on behalf of Dimz via
> Snort-users <snort-users at lists.snort.org
> <mailto:snort-users at lists.snort.org>>
> Reply-To: Dimz <dimas_forever at yahoo.com <mailto:dimas_forever at yahoo.com>>
> Date: Monday, July 3, 2017 at 6:57 AM
> To: "snort-users at lists.snort.org <mailto:snort-users at lists.snort.org>"
> <snort-users at lists.snort.org <mailto:snort-users at lists.snort.org>>
> Subject: [Snort-users] Snort Alert is Not Producing Any Timestamp
>
> Hi Everybody,
>
> I installed Snort 2.9 on Ubuntu Server 16.04 on my VM. I installed
> Snort inline using NFQ from the following guide:
> http://sublimerobots.com/2017/06/snort-ips-with-nfq-routing-on-ubuntu/
>
> The installation and the routing are successful: the Ubuntu box can
> forward packets and Snort can detect traffic. The only problem is that
> the generated alerts have no timestamp.
>
> Attached is the output of snort --daq-list:
> dimz@ubuntu:/var/log/snort$ snort --daq-list
> Available DAQ modules:
> pcap(v3): readback live multi unpriv
> nfq(v7): live inline multi
> ipfw(v3): live inline multi unpriv
> dump(v3): readback live inline multi unpriv
> afpacket(v5): live inline multi unpriv 
>
> The snort.conf:
> config daq: nfq
> config daq_dir: /usr/local/lib/daq
> config daq_mode: inline
> config daq_var: queue=4 
>
> The iptables:
> dimz@ubuntu:/var/log/snort$ sudo iptables -vL
> Chain INPUT (policy ACCEPT 2149 packets, 164K bytes)
> pkts bytes target     prot opt in     out     source              
> destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source              
> destination
>    16  1514 NFQUEUE    all  --  any    any     anywhere            
> anywhere             NFQUEUE num 4 bypass
>
> Chain OUTPUT (policy ACCEPT 2046 packets, 173K bytes)
> pkts bytes target     prot opt in     out     source              
> destination 
>
> The NAT iptables (for port forwarding a web server behind Snort machine):
> dimz@ubuntu:/var/log/snort$ sudo iptables -vL -t nat
> Chain PREROUTING (policy ACCEPT 61 packets, 5536 bytes)
> pkts bytes target     prot opt in     out     source              
> destination
>     0     0 DNAT       tcp  --  any    any     anywhere            
> anywhere             tcp dpt:http-alt to:192.168.2.103:8080
>
> Chain INPUT (policy ACCEPT 10 packets, 1888 bytes)
> pkts bytes target     prot opt in     out     source              
> destination
>
> Chain OUTPUT (policy ACCEPT 484 packets, 30252 bytes)
> pkts bytes target     prot opt in     out     source              
> destination
>
> Chain POSTROUTING (policy ACCEPT 485 packets, 30336 bytes)
> pkts bytes target     prot opt in     out     source              
> destination
>     2   202 MASQUERADE  all  --  any    ens33   anywhere            
> anywhere 
>
> The server epoch time:
> dimz@ubuntu:/var/log/snort$ date +'%s'
> 1499079069
>
> Result from tcpdump (the timestamp is correct):
> dimz@ubuntu:/var/log/snort$ sudo tcpdump -i ens33 dst host 192.168.2.103
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on ens33, link-type EN10MB (Ethernet), capture size 262144
> bytes
> 17:51:58.297893 IP 192.168.174.129 > 192.168.2.103: ICMP echo request,
> id 2379, seq 1, length 64
> 17:51:59.300042 IP 192.168.174.129 > 192.168.2.103: ICMP echo request,
> id 2379, seq 2, length 64
> 17:52:00.304461 IP 192.168.174.129 > 192.168.2.103: ICMP echo request,
> id 2379, seq 3, length 64
> 17:52:01.305757 IP 192.168.174.129 > 192.168.2.103: ICMP echo request,
> id 2379, seq 4, length 64 
>
> I output my Snort alerts into 2 outputs: alert.full and snort.u2. Here
> is the output from alert.full (I created a simple ping detection rule):
> dimz@ubuntu:/var/log/snort$ tail -f alert.full
> *01/01-07:00:00.000000* 192.168.174.129 -> 192.168.2.103
> ICMP TTL:63 TOS:0x0 ID:17418 IpLen:20 DgmLen:84 DF
> Type:8  Code:0  ID:2379   Seq:3  ECHO
>
> [**] [1:10000001:1] ICMP Test Detected [**]
> [Classification: Generic ICMP event] [Priority: 3]
> *01/01-07:00:00.000000* 192.168.174.129 -> 192.168.2.103
> ICMP TTL:63 TOS:0x0 ID:17470 IpLen:20 DgmLen:84 DF
> Type:8  Code:0  ID:2379   Seq:4  ECHO 
>
> Here is the output from snort.u2:
> (Event)
>         sensor id: 0    event id: 7     event second: 0 event
> microsecond: 0
>         sig id: 10000001        gen id: 1       revision:
> 1      classification: 31
>         priority: 3     ip source: 192.168.174.129      ip
> destination: 192.168.2.103
>         src port: 8     dest port: 0    protocol: 1     impact_flag:
> 0  blocked: 0
>
> Packet
>         sensor id: 0    event id: 7     event second: 0
>         packet second: 0        packet microsecond: 0
>         linktype: 228   packet_length: 84
> [    0] 45 00 00 54 44 3E 40 00 3F 01 C5 31 C0 A8 AE 81  E..TD>@.?..1....
> [   16] C0 A8 02 67 08 00 2E 91 09 4B 00 04 6E 21 5A 59  ...g.....K..n!ZY
> [   32] 00 00 00 00 33 D2 05 00 00 00 00 00 10 11 12 13  ....3...........
> [   48] 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23  ............ !"#
> [   64] 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33  $%&'()*+,-./0123
> [   80] 34 35 36 37                                      4567 
>
>
> Why is the timestamp not detected???
>
> Need help please.
> I have been dealing with this issue for days, and I have been trying
> intensive Google searches to find a similar issue, but still no luck.
>
> Thank you very much.
>
> -Dimz-
>
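The unified2 dump and the alert.full lines quoted above show the same symptom from two sides: event second / packet second are 0, and 01/01-07:00:00.000000 is simply epoch 0 rendered in a GMT+7 zone. As an added example (not code from this thread or from Snort), here is a small Python check that parses unified2 event and packet records and reports which events carry a zero timestamp, plus the alert.full-style rendering that ties the two symptoms together; the sample records are constructed to mirror the values in the thread.

```python
"""Flag unified2 records whose timestamps are zero. Added example, not from the
thread or from Snort; layouts follow the unified2 format (type 7 = IDS event,
type 2 = packet) and the sample records are constructed to mirror the thread."""
import struct
from datetime import datetime, timedelta, timezone

U2_PACKET, U2_IDS_EVENT = 2, 7
EVENT_FMT = ">IIIIIIIIIIIHHBBBB"   # 52-byte big-endian IDS event body
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "sig_id", "gen_id", "revision", "classification", "priority",
                "ip_src", "ip_dst", "sport_itype", "dport_icode",
                "protocol", "impact_flag", "impact", "blocked")
PACKET_FMT = ">IIIIIII"            # 28-byte packet header, packet bytes follow
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")

def parse_unified2(buf):
    """Yield (record_type, fields) for each record in a unified2 byte buffer."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from(">II", buf, off)
        body = buf[off + 8:off + 8 + rlen]
        off += 8 + rlen
        if rtype == U2_IDS_EVENT:
            yield rtype, dict(zip(EVENT_FIELDS, struct.unpack(EVENT_FMT, body[:52])))
        elif rtype == U2_PACKET:
            yield rtype, dict(zip(PACKET_FIELDS, struct.unpack(PACKET_FMT, body[:28])))

def zero_timestamp_events(buf):
    """Event ids with event/packet second 0: the DAQ handed Snort no packet time."""
    return sorted({rec["event_id"] for _, rec in parse_unified2(buf)
                   if rec["event_second"] == 0 or rec.get("packet_second") == 0})

def alert_time(epoch_sec, usec, utc_offset_hours):
    """Render a time the way alert.full does (MM/DD-HH:MM:SS.uuuuuu, local zone)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch_sec, tz).strftime("%m/%d-%H:%M:%S") + f".{usec:06d}"

def build_event(event_id, second, usec):  # constructed; mirrors the thread's sid 10000001 alert
    body = struct.pack(EVENT_FMT, 0, event_id, second, usec, 10000001, 1, 1, 31, 3,
                       0xC0A8AE81, 0xC0A80267, 8, 0, 1, 0, 0, 0)  # 192.168.174.129 -> 192.168.2.103
    return struct.pack(">II", U2_IDS_EVENT, len(body)) + body

def build_packet(event_id, second, usec, data):  # constructed; linktype 228 = raw IPv4
    body = struct.pack(PACKET_FMT, 0, event_id, second, second, usec, 228, len(data)) + data
    return struct.pack(">II", U2_PACKET, len(body)) + body

SAMPLE = (build_event(7, 0, 0) + build_packet(7, 0, 0, b"\x45\x00\x00\x54")  # event 7: all zeros, as in the thread
          + build_event(8, 1499079069, 297893) + build_packet(8, 1499079069, 297893, b"\x45"))  # healthy
```

Running `zero_timestamp_events` over a real snort.u2 file (`open(path, "rb").read()`) gives a quick pass/fail for whether the DAQ in use is supplying packet times at all.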
