Snort mailing list archives

Great news! Snort not logging to the /var/log/snort/alert file


From: "Alan" <ids () san rr com>
Date: Thu, 25 Mar 2004 01:30:21 -0800

Everyone-


I have some great news! :)

1. I found out where my alerts are going.
2. I got Swatch to work!

Ok. I was browsing my /var/log/messages file and found out that the alerts
are being written to this file. Here is an output of my /var/log/messages
file:

Mar 24 23:15:31 wsip-68-224-172-110 snort: Initializing daemon mode
Mar 24 23:15:31 wsip-68-224-172-110 snort: SNORT is up and running!
Mar 24 23:15:31 wsip-68-224-172-110 snort: .
Mar 24 23:15:31 wsip-68-224-172-110 rc: Starting snort:  succeeded
Mar 24 23:15:31 wsip-68-224-172-110 snort: PID path stat checked out ok, PID path set to /var/run/
Mar 24 23:15:31 wsip-68-224-172-110 snort: Writing PID "4023" to file "/var/run//snort_eth0.pid"
Mar 24 23:15:31 wsip-68-224-172-110 snort: ,-----------[Flow Config]----------------------
Mar 24 23:15:31 wsip-68-224-172-110 snort: | Stats Interval:  0
Mar 24 23:15:31 wsip-68-224-172-110 snort: | Hash Method:     2
Mar 24 23:15:31 wsip-68-224-172-110 snort: | Memcap:          10485760
Mar 24 23:15:31 wsip-68-224-172-110 snort: | Rows  :          4099
Mar 24 23:15:31 wsip-68-224-172-110 snort: | Overhead Bytes:  16400(%0.16)
Mar 24 23:15:31 wsip-68-224-172-110 snort: `----------------------------------------------
Mar 24 23:15:31 wsip-68-224-172-110 snort: rpc_decode arguments:
Mar 24 23:15:31 wsip-68-224-172-110 snort:     Ports to decode RPC on: 111 32771
Mar 24 23:15:31 wsip-68-224-172-110 snort:     alert_fragments: INACTIVE
Mar 24 23:15:31 wsip-68-224-172-110 snort:     alert_large_fragments: ACTIVE
Mar 24 23:15:31 wsip-68-224-172-110 snort:     alert_incomplete: ACTIVE
Mar 24 23:15:31 wsip-68-224-172-110 snort:     alert_multiple_requests: ACTIVE
Mar 24 23:15:31 wsip-68-224-172-110 snort: telnet_decode arguments:
Mar 24 23:15:31 wsip-68-224-172-110 snort:     Ports to decode telnet on: 21 23 25 119
Mar 24 23:15:32 wsip-68-224-172-110 snort: Snort initialization completed successfully
Mar 24 23:15:47 wsip-68-224-172-110 sshd(pam_unix)[4033]: session opened for user root by (uid=0)
Mar 24 23:17:04 wsip-68-224-172-110 snort: [1:1418:3] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} **.**.***.**:2873 -> **.***.***.***:161
Mar 24 23:17:04 wsip-68-224-172-110 snort: [1:1417:2] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} **.**.***.**:2874 -> **.***.***.***:161
Mar 24 23:17:04 wsip-68-224-172-110 snort: [1:1420:3] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} **.**.***.**:2875 -> **.***.***.***:162
Mar 24 23:19:16 wsip-68-224-172-110 snort: [1:1421:3] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} **.**.***.**:3796 -> **.***.***.***:705
Mar 24 23:19:17 wsip-68-224-172-110 last message repeated 2 times
Mar 24 23:58:41 wsip-68-224-172-110 snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} **.***.***.**:1042 -> **.***.***.***:1434
Mar 25 00:27:23 wsip-68-224-172-110 snort: [1:1070:6] WEB-MISC WebDAV search access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} **.***.***.***:4168 -> **.***.***.***:80
Mar 25 00:31:14 wsip-68-224-172-110 kernel: application bug: swatch(4095) has SIGCHLD set to SIG_IGN but calls wait().
Mar 25 00:31:14 wsip-68-224-172-110 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.

When I pointed Swatch to monitor this file with this command: swatch -c
/root/.swatchrc -t /var/log/messages
it started to email me alerts! I'm so happy! :)

It looks to me (I could be wrong) that it isn't a permission issue but Snort
logging to the /var/log/messages log.  So my next question is how do I tell
Snort to start logging in the /var/log/snort/alert file? I don't remember
during installation that I ever set that. I also checked my snort.conf file.
This is what I have for the output plugin:

 output alert_syslog: LOG_AUTH LOG_ALERT

I thought this by default would tell Snort to log to the
/var/log/snort/alert file. Is there something else I need to do?

Also this concerns me about Swatch:

Mar 25 00:31:14 wsip-68-224-172-110 kernel: application bug: swatch(4095) has SIGCHLD set to SIG_IGN but calls wait().
Mar 25 00:31:14 wsip-68-224-172-110 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.

Does anybody know what this error means?


Everyone I really appreciate your help in all of this. I've learned so much
in the past few days. Thanks again!


Alan
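An added example, not part of Alan's message and not Snort's or Swatch's own code: a small Python parser for alerts that the alert_syslog output plugin writes into /var/log/messages, in the `[gid:sid:rev] msg [Classification: ...] [Priority: N]: {PROTO} src:port -> dst:port` form shown in the excerpt above. The sample log is constructed to match that excerpt, with the masked addresses replaced by RFC 5737 documentation addresses and one extra constructed ICMP line. It goes a little beyond the excerpt: it expands syslog's "last message repeated N times" lines into the alert they refer to, accepts alerts that carry no Classification field, and treats Snort priorities the way Snort defines them (1 is the most severe), which is what a Swatch-style filter on this file needs to get right.

```python
"""Parse Snort alerts delivered through syslog (output alert_syslog).

Added example for the thread above; not Snort's own code.
"""
import re
from collections import Counter

# Constructed sample modelled on the /var/log/messages excerpt in the thread.
# Addresses are RFC 5737 documentation ranges; the ICMP line is made up.
SAMPLE_LOG = """\
Mar 24 23:15:32 wsip-68-224-172-110 snort: Snort initialization completed successfully
Mar 24 23:15:47 wsip-68-224-172-110 sshd(pam_unix)[4033]: session opened for user root by (uid=0)
Mar 24 23:17:04 wsip-68-224-172-110 snort: [1:1418:3] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:2873 -> 198.51.100.5:161
Mar 24 23:17:04 wsip-68-224-172-110 snort: [1:1417:2] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.0.2.10:2874 -> 198.51.100.5:161
Mar 24 23:19:16 wsip-68-224-172-110 snort: [1:1421:3] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:3796 -> 198.51.100.5:705
Mar 24 23:19:17 wsip-68-224-172-110 last message repeated 2 times
Mar 24 23:58:41 wsip-68-224-172-110 snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 203.0.113.7:1042 -> 198.51.100.5:1434
Mar 25 00:27:23 wsip-68-224-172-110 snort: [1:1070:6] WEB-MISC WebDAV search access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 203.0.113.9:4168 -> 198.51.100.5:80
Mar 25 00:40:02 wsip-68-224-172-110 snort: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 192.0.2.10 -> 198.51.100.5
"""

# syslog header, optional "[pid]" after the tag, then the Snort alert body.
# Classification and ports are optional: rules without a classtype omit the
# former, and ICMP alerts have no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)
REPEAT_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ last message repeated (?P<n>\d+) times$"
)


def parse_alerts(text):
    """Return one dict per alert; 'last message repeated N times' lines are
    expanded into N more copies of the alert immediately before them."""
    alerts = []
    last = None  # the previous line, if it was a Snort alert
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["priority"] = int(rec["priority"])
            rec["sport"] = int(rec["sport"]) if rec["sport"] else None
            rec["dport"] = int(rec["dport"]) if rec["dport"] else None
            alerts.append(rec)
            last = rec
            continue
        r = REPEAT_RE.match(line)
        if r and last is not None:
            alerts.extend(dict(last) for _ in range(int(r.group("n"))))
            continue
        # Startup banner, sshd, kernel lines: not alerts, and a repeat
        # following one of them would refer to that line, not to an alert.
        last = None
    return alerts


def at_least_priority(alerts, max_priority=2):
    """Alerts of Snort priority max_priority or more severe (1 is highest)."""
    return [a for a in alerts if a["priority"] <= max_priority]


def summarize(alerts):
    """Counts a Swatch-style watcher might want in a daily report."""
    return {
        "total": len(alerts),
        "by_priority": dict(Counter(a["priority"] for a in alerts)),
        "by_sid": dict(Counter(a["sid"] for a in alerts)),
        "top_sources": Counter(a["src"] for a in alerts).most_common(3),
    }


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    for a in parsed:
        print(f'{a["ts"]} sid={a["sid"]} p{a["priority"]} {a["proto"]} {a["src"]} -> {a["dst"]}:{a["dport"]} {a["msg"]}')
    print(summarize(parsed))
```

Run it on the real file with `python3 parse_snort_syslog.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; whatever source Swatch tails, the regex is the piece worth reusing, since matching on `snort:` alone also catches the startup banner.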

----- Original Message ----- 
From: "Jim Hendrick" <jrhendri () maine rr com>
To: <ids () san rr com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, March 24, 2004 6:42 PM
Subject: RE: RE: [Snort-users] Snort not logging to the
/var/log/snort/alertfile


Hmmm. Not sure about the swatch stuff, but you should not have to rebuild
snort at all.

I would first check a couple of basic things like:
Is there any snort process still running? (using ps -aef | grep snort)
Is the /var/log/snort/ partition full? (using df -k /var/log/snort)
Does root have write permission in there (using sudo touch
/var/log/snort/foo and seeing if "foo" is created)

You should be fine with permissions something like this:

[hendrick@vall snort]$ ls -ald /var/log/snort
drwxr-xr-x  3827 root     root        90112 Mar 24 21:15 /var/log/snort
[hendrick@vall snort]$ ls -al /var/log/snort/alert
-rw-------    1 root     root        33210 Mar 24 21:15 /var/log/snort/alert
[hendrick@vall snort]$

If this looks OK but starting a new snort refuses to write to
/var/log/snort/alert (I'm not sure why not at that point)
you could try asking it to write somewhere else

sudo mkdir /tmp/snortlogs
sudo snort -A Full -l /tmp/snortlogs

and see if it creates a /tmp/snortlogs/alert file.
If it does this OK, then something really weird (that's a technical term :-)
has happened, and the filesystem won't let snort create one in that
directory (although I've never seen that happen...yet)

In that case, you might try asking if any process thinks it has that file
open:

[hendrick@vall snort]$ sudo fuser -v /var/log/snort/alert

                     USER        PID ACCESS COMMAND
/var/log/snort/alert root      18246 f....  snort

in this case, this shows my normally running snort process.

Or else you could be more general with fuser, asking it if any processes
have files open in the /var/log/snort directory:

[hendrick@vall hendrick]$ sudo fuser -av /var/log/snort

                     USER        PID ACCESS COMMAND
/var/log/snort       root      18246 ..c..  snort
                     root      18251 ..c..  snort
[hendrick@vall hendrick]$


Note that fuser will also allow you to send a signal to that process
(man fuser for more options),
although once you have the PID, you can "sudo kill 18246" or whatever the
PID is.
Note that you should always try a normal "kill" first (it sends a SIGTERM to
the process),
but if this does not make it go away, try a "kill -9", which sends a
SIGKILL that cannot be trapped by the running program and *should* kill it.


Now I really hate to even mention this, (it not being a Windows box and
all...) but it is *very remotely* possible that a reboot would be required to
clean this up (I have on *very* rare occasions seen times when even fuser
would not easily free up a stubborn process/filehandle)

But I am reasonably confident that either you have a directory permissions
thing, or that there is something causing problems with that filehandle and
you should be past the problem soon.

Hope this helps.

Jim
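An added example, not part of Jim's reply and not Snort's own tooling: the checklist above (is a snort process still running, is the partition full, can a file be created in the log directory, does some process still hold the alert file open) as a single Python diagnostic. The process and open-file lookups read /proc, so they only work on Linux and, like fuser, only see other users' file descriptors when run as root; on systems without /proc they return empty lists. The log directory path and the file name `alert` are the thread's, everything else is assumed.

```python
"""Checks for a Snort log directory that never gets an alert file.

Added example for the thread above; not Snort's code. Automates the
ps / df / touch / fuser steps from Jim's reply.
"""
import os
import shutil
import tempfile


def running_processes(name="snort"):
    """PIDs whose command name is `name`, from /proc/<pid>/comm (the ps step)."""
    pids = []
    if not os.path.isdir("/proc"):
        return pids
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                if f.read().strip() == name:
                    pids.append(int(pid))
        except OSError:  # process exited, or not ours to inspect
            continue
    return pids


def processes_holding(path):
    """PIDs with `path` open, by resolving /proc/<pid>/fd/* (the fuser step).
    Without root, only the caller's own processes are visible."""
    target = os.path.realpath(path)
    holders = []
    if not os.path.isdir("/proc"):
        return holders
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # another user's process, or it went away
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    holders.append(int(pid))
                    break
            except OSError:
                continue
    return holders


def can_create_file(directory):
    """Create and remove a probe file, like 'touch /var/log/snort/foo'."""
    if not os.path.isdir(directory):
        return False
    try:
        fd, probe = tempfile.mkstemp(prefix=".snort-probe-", dir=directory)
        os.close(fd)
        os.unlink(probe)
        return True
    except OSError:  # read-only mount, wrong owner/mode, or disk full
        return False


def free_space_mb(directory):
    """Free MiB on the filesystem holding `directory` (the df -k step), or None."""
    try:
        return shutil.disk_usage(directory).free // (1024 * 1024)
    except OSError:
        return None


def diagnose(logdir="/var/log/snort", alert_name="alert"):
    """Run every check against one log directory and return the findings."""
    alert_path = os.path.join(logdir, alert_name)
    return {
        "snort_pids": running_processes("snort"),
        "dir_exists": os.path.isdir(logdir),
        "can_create_file": can_create_file(logdir),
        "free_mb": free_space_mb(logdir),
        "alert_exists": os.path.exists(alert_path),
        "alert_held_by": processes_holding(alert_path),
    }


def demo():
    """Exercise the checks on a throwaway directory while this process holds
    its alert file open, so the fuser-style check has something to find."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "alert"), "w") as _held:
            report = diagnose(d)
    report["self_pid"] = os.getpid()
    report["proc_available"] = os.path.isdir("/proc")
    return report


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run it as root against the real directory (`sudo python3 snort_logdir_check.py`); an empty `snort_pids` with a healthy directory points at the output configuration rather than the filesystem, while a non-empty `alert_held_by` is the case where Jim's kill advice applies.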





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users