Snort mailing list archives

Re: Test Snort


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Thu, 23 Aug 2012 13:45:11 -0400

Hey Marcio,

I built a shell script called Autosnort around this install guide. So
here are a couple of questions that may help you troubleshoot your deployment:

1) Where is your sensor deployed? Are you giving snort traffic off of a
span or tap? Have you run /usr/local/snort/bin/snort -i [your sensing
interface] to verify snort is seeing traffic? If you see the text "commencing
packet processing" followed by no further messages, either the span/tap
isn't forwarding traffic to the interface properly, or the interface isn't set up
properly. I didn't see anywhere in the install guide where you had to
configure the physical interface for promiscuous mode, but try doing so.
2) I'm assuming you've added snort and barnyard to rc.local per the install
guide. Have you run ps -ef | grep snort to ensure snort and barnyard are
running?
3) I came to find in my tests that snort report wouldn't give me anything
until the machine was rebooted after configuring everything, for one reason
or another. Have you rebooted your system since configuring everything per
the install guide?
4) Can you verify that srconf.php has the snort database user and password
set correctly?
5) Has barnyard2.conf been configured to log to the snort database and
given correct credentials to drop information into the database? Check the
output: log, mysql [user name, password, database name] line to verify.
6) Does the snort user have permissions to do things to the snort database?
Test by running: mysql -usnort -p[snort user password, no space between -p
and the actual password] snort -e "show tables;"  If this returns output,
the snort user has rights to view data in the snort database.
7) Are the unified2 files growing in size? These files should be located in
/var/log/snort and should have the filename snort.u2.[epoch timestamp here].
Do an ls -al and confirm your snort unified files are not zero bytes in
size. If they are 0 bytes in size, this indicates snort hasn't generated any
alerts off of your traffic.
8) Verify what HOME and EXTERNAL_NET are set to in snort.conf. Try setting
both to "any" for testing purposes. Also try using BackTrack or a system
running Metasploit to attack a system snort has visibility on to generate
an alert or two.

hope this helps,

-Tony

On Thu, Aug 23, 2012 at 10:32 AM, Márcio Erli <marcioerli () gmail com> wrote:

I configured snort based on the documentation link
http://www.snort.org/assets/158/snortinstallguide293.pdf from snort.org's own
site.
It is not generating any alerts.
How do I test whether it is working?

Thank you, Marcio.



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
when does reality end? when does fantasy begin?
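To make the checklist in the reply above repeatable, here is an added example (my own script, not part of the thread, of Autosnort, or of the Snort install guide): a small POSIX shell script that covers steps 1, 2, 5, 6, 7 and 8. The paths /var/log/snort, /usr/local/snort/etc/snort.conf and /usr/local/snort/etc/barnyard2.conf, the interface name eth1, the "snort" process and DB user names, and the Linux `ip link` flag check are all assumptions; override the paths and interface with the environment variables at the top.

```bash
#!/bin/sh
# Added example (not from the thread or the Snort install guide): a post-install
# checker that walks the checklist. Paths and names below are assumptions taken
# from the thread; adjust them to match your sensor.

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"
SNORT_CONF="${SNORT_CONF:-/usr/local/snort/etc/snort.conf}"
BY2_CONF="${BY2_CONF:-/usr/local/snort/etc/barnyard2.conf}"
SNIFF_IFACE="${SNIFF_IFACE:-eth1}"          # assumed sensing interface name

# Step 1 (interface): is the sensing interface in promiscuous mode?
# Linux only (uses iproute2). Returns 0 if PROMISC is among the link flags.
iface_is_promisc() {
    ip link show "$1" 2>/dev/null | grep -q 'PROMISC'
}

# Step 2: are snort and barnyard2 running? Returns 1 if either is missing.
check_processes() {
    rc=0
    for p in snort barnyard2; do
        if pgrep -x "$p" >/dev/null 2>&1; then
            echo "OK   $p is running (pid $(pgrep -x "$p" | head -n 1))"
        else
            echo "FAIL $p is not running"
            rc=1
        fi
    done
    return $rc
}

# Step 5: print the barnyard2 database output line so user/password/dbname can
# be eyeballed. Barnyard2's syntax for that line is
#   output database: log, mysql, user=... password=... dbname=... host=...
# Returns 1 (grep's status) if no such line is configured.
barnyard_db_output() {
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1"
}

# Step 6: can the snort DB user list tables? Args: user password dbname.
# Mirrors "mysql -usnort -p<pw> snort -e 'show tables;'" from the thread.
# An empty password makes -p prompt interactively, so pass a real one.
check_db_access() {
    mysql -u"$1" -p"$2" "$3" -e 'show tables;' >/dev/null 2>&1
}

# Step 7: is there at least one non-empty unified2 file? Arg: log directory.
# A 0-byte snort.u2.<epoch> means snort started but never wrote an alert.
unified2_has_alerts() {
    found=1
    for f in "$1"/snort.u2.*; do
        [ -e "$f" ] || continue
        if [ -s "$f" ]; then
            echo "OK   $f ($(wc -c < "$f" | tr -d ' ') bytes)"
            found=0
        else
            echo "WARN $f is 0 bytes: no alerts written yet"
        fi
    done
    [ $found -eq 0 ] || echo "FAIL no non-empty snort.u2.* file in $1"
    return $found
}

# Step 8: print HOME_NET and EXTERNAL_NET as set in snort.conf (ipvar or var).
# Output is one "NAME value" line per variable, in file order.
snort_net_vars() {
    awk '($1=="ipvar" || $1=="var") && ($2=="HOME_NET" || $2=="EXTERNAL_NET") { print $2, $3 }' "$1"
}

run_all() {
    echo "== interface $SNIFF_IFACE"
    iface_is_promisc "$SNIFF_IFACE" && echo "OK   promiscuous" \
        || echo "WARN not promiscuous (try: ip link set $SNIFF_IFACE promisc on)"
    echo "== processes"; check_processes
    echo "== barnyard2 output"
    barnyard_db_output "$BY2_CONF" || echo "FAIL no 'output database:' line in $BY2_CONF"
    echo "== unified2 files"; unified2_has_alerts "$SNORT_LOG_DIR"
    echo "== snort.conf network variables"; snort_net_vars "$SNORT_CONF"
    echo "== database access (set SNORT_DB_PASS to test)"
    if [ -n "${SNORT_DB_PASS:-}" ]; then
        check_db_access snort "$SNORT_DB_PASS" snort \
            && echo "OK   user snort can read the snort database" \
            || echo "FAIL 'show tables' failed for user snort"
    fi
}

# Usage: sh snortcheck.sh run   (with no argument the file only defines functions)
case "${1:-}" in run) run_all ;; esac
```

Run it on the sensor as `SNORT_DB_PASS='...' sh snortcheck.sh run`. A WARN on the unified2 files with everything else OK usually means the tap/span question in step 1: snort is up and logging is wired correctly, but no packet has matched a rule yet, which is where the "set HOME_NET and EXTERNAL_NET to any and throw some Metasploit traffic at it" advice comes in.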