Re: Log problems

[honeybadger () q com]

I can't figure this one out... 

Anyone have an idea what to try? 



honeybadger () q com wrote:

> Hey Ron, 
>
> Though it was my test rule but it is something else...
>
>
> If I set up a test rule with tcp any any - > any any, but I get alerts
> and logging. 
>
> If I set the rule more specifically like: any any - > 192.168.1.50 any,
> nothing is captured. I am pinging the test machine
>
> Tcpdump is showing traffic, trace route gets to the system fine. 
>
> Steve
>
> Ron Sinclair <unixfool () gmail com> wrote:
>
> > So, what were the issues?
> >
> >
> > On Nov 27, 2012, at 3:53 PM, honeybadger () q com wrote:
> >
> > > Paul, 
> > >
> > >
> > > Thanks very much. 
> > >
> > > Thanks to you and the others here, I managed to fix the issues and
> > learn a lot. 
> > > Steve
> > >
> > > Paul Schmehl <pschmehl_lists () tx rr com> wrote:
> > > Here's how snort works when coupled with barnyard2 and mysql.
> > >
> > > Snort listens on a NIC and, when an alert is triggered, writes to a 
> > > unified2 log file.
> > >
> > > So, step 1 in troubleshooting is to verify that the NIC is in
> > promiscuous 
> > > mode.  In general, if you run ifconfig, it should look like this for
> > one of 
> > > the NICs on the host:
> > > bce1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>
> > metric 0 
> > > mtu 1500
> > >
> > > PROMISC means promiscuous mode.
> > >
> > > Step 2 is to verify that the NIC is seeing traffic.  This can be
> done
> > > easily by running tcpdump like this: tcpdump -i bce1 (on most Linux
> > boxes 
> > > it will be eth0 or eth1)
> > >
> > > If you see traffic, you need to move on to verifying that snort is
> > working.
> > > Start snort in console mode with the Test switch - snort -T -c 
> > > /path/to/snort/confile
> > >
> > > If there are any errors, they are usually self-explanatory.  E.g.
> > ipvar not 
> > > found, missing semi-colon on line 129 of snort.rulefile, etc.
> > >
> > > Fix all those errors until snort runs without errors.  If it's
> > working 
> > > correctly, you should see this at the end:
> > >
> > > Snort successfully validated the configuration!
> > > Snort exiting
> > >
> > > Once you have verified that 1) the NIC is listening and 2) the NIC
> > sees 
> > > traffic and 3) snort runs without errors using your conf file, the
> > only 
> > > thing left is the rules files you're using.
> > >
> > > Remember, snort is an IDS.  It's designed to look for specific
> > signatures. 
> > > If none are seen, there will be no alerts.
> > >
> > > If you want to verify that snort will actually alert on something,
> > then 
> > > write a simple test rule: alert tcp any any -> any any
> > (msg:"Testing"; 
> > > rev:1; sid:1;).  This will alert for ALL traffic, so if there's any
> > traffic 
> > > at all and snort is working properly, your
> > > logfile will grow quite large 
> > > very quickly.
> > >
> > >
> > >
> > >
> > >
> > > --On November 26, 2012 11:10:43 AM -0700 honeybadger () q com wrote:
> > >
> > > I have been trying to figure out log problems....
> > >
> > > Since then you all are saying that BY2 was a red herring I am trying
> > to
> > > find what is the problem in the snort.config file with no success.
> > >
> > > It looks like snort is starting ok, pulled pork is checking rules
> and
> > it
> > > says it is running.
> > >
> > > But no output in /var/log.
> > >
> > > Any ideas all?
> > >
> > >
> > >
> > > -- 
> > > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
> > ------------------------------------------------------------------------------
> > > Keep yourself connected to Go Parallel: 
> > > DESIGN Expert tips on starting your parallel project right.
> > > http://goparallel.sourceforge.net
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> >
> >
> > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------------
> > Keep yourself connected to Go Parallel: 
> > INSIGHTS What's next for parallel hardware, programming and related
> > areas?
> > Interviews and blogs by thought leaders keep you ahead of the curve.
> > http://goparallel.sourceforge.net
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
> -- 
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
> Keep yourself connected to Go Parallel: 
> INSIGHTS What's next for parallel hardware, programming and related
> areas?
> Interviews and blogs by thought leaders keep you ahead of the curve.
> http://goparallel.sourceforge.net
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
INSIGHTS What's next for parallel hardware, programming and related areas?
Interviews and blogs by thought leaders keep you ahead of the curve.
http://goparallel.sourceforge.net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!