Snort mailing list archives
Great news! Snort not logging to the /var/log/snort/alert file
From: "Alan" <ids () san rr com>
Date: Thu, 25 Mar 2004 01:30:21 -0800
Everyone- I have some great news! :)

1. I found out where my alerts are going.
2. I got Swatch to work!

Ok. I was browsing my /var/log/messages file and found out that the alerts are being written to this file. Here is an output of my /var/log/messages file:

Mar 24 23:15:31 wsip-68-224-172-110 snort: Initializing daemon mode
Mar 24 23:15:31 wsip-68-224-172-110 snort: SNORT is up and running!
Mar 24 23:15:31 wsip-68-224-172-110 snort: .
Mar 24 23:15:31 wsip-68-224-172-110 rc: Starting snort: succeeded
Mar 24 23:15:31 wsip-68-224-172-110 snort: PID path stat checked out ok, PID path set to /var/run/
Mar 24 23:15:31 wsip-68-224-172-110 snort: Writing PID "4023" to file "/var/run//snort_eth0.pid"
Mar 24 23:15:31 wsip-68-224-172-110 snort: ,-----------[Flow Config]----------------------
Mar 24 23:15:31 wsip-68-224-172-110 snort: | Stats Interval: 0
Mar 24 23:15:31 wsip-68-224-172-110 snort: | Hash Method: 2
Mar 24 23:15:31 wsip-68-224-172-110 snort: | Memcap: 10485760
Mar 24 23:15:31 wsip-68-224-172-110 snort: | Rows : 4099
Mar 24 23:15:31 wsip-68-224-172-110 snort: | Overhead Bytes: 16400(%0.16)
Mar 24 23:15:31 wsip-68-224-172-110 snort: `----------------------------------------------
Mar 24 23:15:31 wsip-68-224-172-110 snort: rpc_decode arguments:
Mar 24 23:15:31 wsip-68-224-172-110 snort: Ports to decode RPC on: 111 32771
Mar 24 23:15:31 wsip-68-224-172-110 snort: alert_fragments: INACTIVE
Mar 24 23:15:31 wsip-68-224-172-110 snort: alert_large_fragments: ACTIVE
Mar 24 23:15:31 wsip-68-224-172-110 snort: alert_incomplete: ACTIVE
Mar 24 23:15:31 wsip-68-224-172-110 snort: alert_multiple_requests: ACTIVE
Mar 24 23:15:31 wsip-68-224-172-110 snort: telnet_decode arguments:
Mar 24 23:15:31 wsip-68-224-172-110 snort: Ports to decode telnet on: 21 23 25 119
Mar 24 23:15:32 wsip-68-224-172-110 snort: Snort initialization completed successfully
Mar 24 23:15:47 wsip-68-224-172-110 sshd(pam_unix)[4033]: session opened for user root by (uid=0)
Mar 24 23:17:04 wsip-68-224-172-110 snort: [1:1418:3] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} **.**.***.**:2873 -> **.***.***.***:161
Mar 24 23:17:04 wsip-68-224-172-110 snort: [1:1417:2] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} **.**.***.**:2874 -> **.***.***.***:161
Mar 24 23:17:04 wsip-68-224-172-110 snort: [1:1420:3] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} **.**.***.**:2875 -> **.***.***.***:162
Mar 24 23:19:16 wsip-68-224-172-110 snort: [1:1421:3] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} **.**.***.**:3796 -> **.***.***.***:705
Mar 24 23:19:17 wsip-68-224-172-110 last message repeated 2 times
Mar 24 23:58:41 wsip-68-224-172-110 snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} **.***.***.**:1042 -> **.***.***.***:1434
Mar 25 00:27:23 wsip-68-224-172-110 snort: [1:1070:6] WEB-MISC WebDAV search access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} **.***.***.***:4168 -> **.***.***.***:80
Mar 25 00:31:14 wsip-68-224-172-110 kernel: application bug: swatch(4095) has SIGCHLD set to SIG_IGN but calls wait().
Mar 25 00:31:14 wsip-68-224-172-110 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.

When I pointed Swatch to monitor this file with this command:

swatch -c /root/.swatchrc -t /var/log/messages

it started to email me alerts! I'm so happy! :)

It looks to me (I could be wrong) that it isn't a permission issue but Snort logging to the /var/log/messages log. So my next question is how do I tell Snort to start logging in the /var/log/snort/alert file? I don't remember during installation that I ever set that. I also checked my snort.conf file. This is what I have for the output plugin:

output alert_syslog: LOG_AUTH LOG_ALERT

I thought this by default would tell Snort to log to the /var/log/snort/alert file.
Is there something else I need to do?

Also this concerns me about Swatch:

Mar 25 00:31:14 wsip-68-224-172-110 kernel: application bug: swatch(4095) has SIGCHLD set to SIG_IGN but calls wait().
Mar 25 00:31:14 wsip-68-224-172-110 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.

Does anybody know what this error means?

Everyone, I really appreciate your help in all of this. I've learned so much in the past few days. Thanks again!

Alan

----- Original Message -----
From: "Jim Hendrick" <jrhendri () maine rr com>
To: <ids () san rr com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, March 24, 2004 6:42 PM
Subject: RE: RE: [Snort-users] Snort not logging to the /var/log/snort/alertfile

Hmmm. Not sure about the swatch stuff, but you should not have to rebuild snort at all. I would first check a couple of basic things like:

Is there any snort process still running? (using ps -aef | grep snort)
Is the /var/log/snort/ partition full? (using df -k /var/log/snort)
Does root have write permission in there? (using sudo touch /var/log/snort/foo and seeing if "foo" is created)

You should be fine with permissions something like this:

[hendrick@vall snort]$ ls -ald /var/log/snort
drwxr-xr-x 3827 root root 90112 Mar 24 21:15 /var/log/snort
[hendrick@vall snort]$ ls -al /var/log/snort/alert
-rw------- 1 root root 33210 Mar 24 21:15 /var/log/snort/alert
[hendrick@vall snort]$

If this looks OK but starting a new snort refuses to write to /var/log/snort/alert (I'm not sure why not at that point) you could try asking it to write somewhere else:

sudo mkdir /tmp/snortlogs
sudo snort -A Full -l /tmp/snortlogs

and see if it creates a /tmp/snortlogs/alert file.
If it does this OK, then something really weird (that's a technical term :-) has happened, and the filesystem won't let snort create one in that directory (although I've never seen that happen...yet). In that case, you might try asking if any process thinks it has that file open:

[hendrick@vall snort]$ sudo fuser -v /var/log/snort/alert
                     USER        PID ACCESS COMMAND
/var/log/snort/alert root      18246 f.... snort

In this case, this shows my normally running snort process. Or else you could be more general with fuser, asking it if any processes have files open in the /var/log/snort directory:

[hendrick@vall hendrick]$ sudo fuser -av /var/log/snort
                     USER        PID ACCESS COMMAND
/var/log/snort       root      18246 ..c.. snort
                     root      18251 ..c.. snort
[hendrick@vall hendrick]$

Note that fuser will also allow you to send a signal to that process (man fuser for more options), although once you have the PID, you can "sudo kill 18246" or whatever the PID is. Note that you should always try a normal "kill" first (it sends a SIGTERM to the process) but if this does not make it go away, try a "kill -9", which sends a SIGKILL that cannot be trapped by the running program and *should* kill it.

Now I really hate to even mention this (it not being a Windows box and all...) but it is *very remotely* possible that a reboot would be required to clean this up (I have on *very* rare occasions seen times when even fuser would not easily free up a stubborn process/filehandle). But I am reasonably confident that either you have a directory permissions thing, or that there is something causing problems with that filehandle and you should be past the problem soon.

Hope this helps.

Jim

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.
http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
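The thread above turns on two points: with only `output alert_syslog` configured, Snort hands alerts to syslog (so they land in /var/log/messages and nothing is written to /var/log/snort/alert; that file is produced by the alert_fast/alert_full output plugins or by -A on the command line), and once the alerts are in syslog, a watcher such as Swatch has to pull them back out of the syslog lines. The script below is an added example for this page, not code from the thread or from the Snort or Swatch projects. It parses syslog-format Snort alerts of the shape shown in Alan's message into records, re-expands syslogd's "last message repeated N times" collapsing (which otherwise hides duplicate alerts from any line-matching watcher), summarises alerts by SID and priority, and prints the active alert output lines from a snort.conf. The hostname "sensor1", the log lines and the snort.conf fragment are constructed for the example; the addresses are RFC 5737 documentation ranges, not the masked addresses from the original post.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort/Swatch projects.
# Reads the Snort alerts that "output alert_syslog" sends to /var/log/messages,
# turns each into a record, summarises them, and shows the snort.conf check
# that explains why /var/log/snort/alert stays empty with alert_syslog alone.
#
# Assumptions: the hostname "sensor1", the log lines and the snort.conf
# fragment below are constructed for this example; the addresses are RFC 5737
# documentation ranges, not the masked addresses from the original post.

SAMPLE_LOG='Mar 24 23:15:32 sensor1 snort: Snort initialization completed successfully
Mar 24 23:17:04 sensor1 snort: [1:1418:3] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.7:2873 -> 192.0.2.10:161
Mar 24 23:17:04 sensor1 snort: [1:1417:2] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 198.51.100.7:2874 -> 192.0.2.10:161
Mar 24 23:19:16 sensor1 snort: [1:1421:3] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.7:3796 -> 192.0.2.10:705
Mar 24 23:19:17 sensor1 last message repeated 2 times
Mar 24 23:58:41 sensor1 snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 203.0.113.9:1042 -> 192.0.2.10:1434
Mar 25 00:31:14 sensor1 kernel: application bug: swatch(4095) has SIGCHLD set to SIG_IGN but calls wait().'

SAMPLE_CONF='# constructed snort.conf fragment
output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_fast: alert'

# Read syslog text on stdin; print one tab-separated record per alert:
#   sid <TAB> priority <TAB> proto <TAB> src <TAB> dst <TAB> message
# Only "snort:" lines carrying a [gid:sid:rev] header are alerts. syslogd
# collapses identical consecutive lines into "last message repeated N times",
# so those are re-expanded, but only when the preceding line was an alert.
parse_snort_syslog() {
    awk '
    / last message repeated [0-9]+ times$/ {
        if (last != "") for (i = 0; i < $(NF-1); i++) print last
        next
    }
    / snort: \[[0-9]+:[0-9]+:[0-9]+\] / {
        hdr = $0; sub(/^.* snort: \[/, "", hdr)          # "1:1418:3] SNMP ..."
        split(hdr, ids, "]"); split(ids[1], g, ":"); sid = g[2]
        prio = $0; sub(/^.*\[Priority: /, "", prio); sub(/\].*$/, "", prio)
        msg = $0; sub(/^.* snort: \[[0-9:]+\] /, "", msg)
        sub(/ \[Classification:.*$/, "", msg)
        tail = $0; sub(/^.*: [{]/, "", tail)              # "TCP} src -> dst"
        split(tail, t, "} "); proto = t[1]
        split(t[2], ep, " -> ")
        last = sid "\t" prio "\t" proto "\t" ep[1] "\t" ep[2] "\t" msg
        print last
        next
    }
    { last = "" }   # any other line breaks the repeat chain
    '
}

# Number of alerts at priority <= $1 (Snort priority 1 is the most severe).
count_alerts_at_priority() {
    parse_snort_syslog | awk -F'\t' -v max="$1" '$2 <= max { n++ } END { print n + 0 }'
}

# Alert count per SID, most frequent first: the summary worth mailing.
alerts_by_sid() {
    parse_snort_syslog | cut -f1 | sort | uniq -c | sort -rn
}

# Print the active (uncommented) alert output plugins of a snort.conf read on
# stdin. alert_syslog only hands alerts to syslog; <logdir>/alert is written by
# alert_fast/alert_full (or -A fast / -A full on the command line), so a config
# whose only active line is alert_syslog never creates that file.
active_alert_outputs() {
    grep -E '^[[:space:]]*output[[:space:]]+alert_'
}

printf '%s\n' "$SAMPLE_LOG" | alerts_by_sid
printf 'alerts at priority <= 2: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_alerts_at_priority 2)"
printf '%s\n' "$SAMPLE_CONF" | active_alert_outputs
```

Run it against a real file with `parse_snort_syslog < /var/log/messages`. The repeat-expansion matters for a watcher like Swatch: with the sample input, SID 1421 fired three times but appears on only one "snort:" line, so a plain line match undercounts it. The parser deliberately clears its memory of the last alert on any non-alert line, because syslogd's "repeated" notice refers to whatever line was logged last, which may not have been a Snort alert.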
Current thread:
- Re: Snort not logging to the /var/log/snort/alert file ids (Mar 24)
- RE: Snort not logging to the /var/log/snort/alert file Jim Hendrick (Mar 24)
- Re: Snort not logging to the /var/log/snort/alert file Christopher Cramer (Mar 25)
- <Possible follow-ups>
- Re: RE: Snort not logging to the /var/log/snort/alert file ids (Mar 24)
- RE: RE: Snort not logging to the /var/log/snort/alertfile Jim Hendrick (Mar 24)
- Great news! Snort not logging to the /var/log/snort/aler tfile Alan (Mar 25)
- RE: Great news! Snort not logging to the /var/log/snort/aler tfile Jim Hendrick (Mar 25)
- RE: RE: Snort not logging to the /var/log/snort/alertfile Jim Hendrick (Mar 24)
- Re: RE: Snort not logging to the /var/log/snort/alert file twig les (Mar 24)