Snort mailing list archives
Re: Log problems
From: honeybadger () q com
Date: Wed, 28 Nov 2012 13:49:10 -0700
I can't figure this one out... Anyone have an idea what to try?

honeybadger () q com wrote:

Hey Ron,

Thought it was my test rule but it is something else... If I set up a test rule with tcp any any -> any any, I get alerts and logging. If I set the rule more specifically like: any any -> 192.168.1.50 any, nothing is captured. I am pinging the test machine; tcpdump is showing traffic, traceroute gets to the system fine.

Steve

Ron Sinclair <unixfool () gmail com> wrote:

So, what were the issues?

On Nov 27, 2012, at 3:53 PM, honeybadger () q com wrote:

Paul,

Thanks very much. Thanks to you and the others here, I managed to fix the issues and learn a lot.

Steve

Paul Schmehl <pschmehl_lists () tx rr com> wrote:

Here's how snort works when coupled with barnyard2 and mysql. Snort listens on a NIC and, when an alert is triggered, writes to a unified2 log file. So, step 1 in troubleshooting is to verify that the NIC is in promiscuous mode. In general, if you run ifconfig, it should look like this for one of the NICs on the host:

bce1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500

PROMISC means promiscuous mode.

Step 2 is to verify that the NIC is seeing traffic. This can be done easily by running tcpdump like this:

tcpdump -i bce1

(on most Linux boxes it will be eth0 or eth1)

If you see traffic, you need to move on to verifying that snort is working. Start snort in console mode with the Test switch:

snort -T -c /path/to/snort/confile

If there are any errors, they are usually self-explanatory. E.g. ipvar not found, missing semi-colon on line 129 of snort.rulefile, etc. Fix all those errors until snort runs without errors. If it's working correctly, you should see this at the end:

Snort successfully validated the configuration!
Snort exiting

Once you have verified that 1) the NIC is listening and 2) the NIC sees traffic and 3) snort runs without errors using your conf file, the only thing left is the rules files you're using. Remember, snort is an IDS. It's designed to look for specific signatures. If none are seen, there will be no alerts.

If you want to verify that snort will actually alert on something, then write a simple test rule:

alert tcp any any -> any any (msg:"Testing"; rev:1; sid:1;)

This will alert for ALL traffic, so if there's any traffic at all and snort is working properly, your logfile will grow quite large very quickly.

--On November 26, 2012 11:10:43 AM -0700 honeybadger () q com wrote:

I have been trying to figure out log problems.... Since then you all are saying that BY2 was a red herring, I am trying to find what is the problem in the snort.config file with no success. It looks like snort is starting ok, pulled pork is checking rules and it says it is running. But no output in /var/log. Any ideas all?

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: DESIGN Expert tips on starting your parallel project right. http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
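The four checks Paul walks through above (PROMISC flag on the NIC, tcpdump seeing packets, snort -T accepting the config, a broad test rule firing) as a small POSIX shell checklist. This is an added example, not code from the thread or from the Snort project. The IFACE, SNORT_CONF and RULE_FILE defaults are assumptions, and the command outputs the parsing functions are exercised on are constructed. Two practitioner caveats are folded in that the thread brushes against: a rule's protocol has to match the traffic you generate (pinging a host will never fire a "tcp" rule, because ping is ICMP), and local test rules should use a sid of 1,000,000 or higher, since lower SIDs are reserved for the rule sets distributed with Snort and pulled down by PulledPork.

```shell
#!/bin/sh
# Checklist for a Snort sensor that starts cleanly but never logs anything,
# in the order Paul gives in the thread: (1) NIC in promiscuous mode,
# (2) NIC actually sees traffic, (3) "snort -T" validates the config,
# (4) a deliberately broad test rule fires.  Added example, not code from
# the thread.  IFACE, SNORT_CONF and RULE_FILE defaults are assumptions;
# the sample outputs used to exercise the checks are constructed.

IFACE="${IFACE:-eth0}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RULE_FILE="${RULE_FILE:-/etc/snort/rules/local.rules}"

# Step 1: is PROMISC among the interface flags?  Reads "ifconfig" or
# "ip link" output on stdin so it works on saved output as well as live.
has_promisc() {
    grep -q 'PROMISC'
}

# Step 2: count packet lines in tcpdump output (lines beginning with a
# hh:mm:ss.usec timestamp).  Zero packets means no rule can ever fire.
count_packets() {
    grep -c '^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]' || true
}

# Step 3: did "snort -T -c $SNORT_CONF" finish with the success banner?
config_validated() {
    grep -q 'Snort successfully validated the configuration!'
}

# Step 4: build a test rule for a given protocol and destination.
# The protocol must match the traffic you generate (a "tcp" rule never
# fires on ping, which is ICMP), and local rules should use sid >= 1000000
# so they do not collide with the SIDs of distributed rule packages.
make_test_rule() {
    proto="$1"; dst="$2"; sid="${3:-1000001}"
    printf 'alert %s any any -> %s any (msg:"Test %s to %s"; sid:%s; rev:1;)\n' \
        "$proto" "$dst" "$proto" "$dst" "$sid"
}

# Live run on the sensor itself (root needed for tcpdump and, usually, snort).
run_live_checks() {
    echo "== 1. Is $IFACE in promiscuous mode?"
    if ! { ip link show "$IFACE" 2>/dev/null || ifconfig "$IFACE"; } | has_promisc; then
        echo "   no PROMISC flag; try: ip link set $IFACE promisc on"
        return 1
    fi

    echo "== 2. Does $IFACE see traffic? (up to 5 packets, 10 s)"
    n=$(timeout 10 tcpdump -l -nn -c 5 -i "$IFACE" 2>/dev/null | count_packets)
    echo "   $n packet(s) seen"
    [ "$n" -gt 0 ] || return 1

    echo "== 3. Does snort accept $SNORT_CONF?"
    if ! snort -T -c "$SNORT_CONF" 2>&1 | config_validated; then
        echo "   snort -T failed; fix the reported errors first"
        return 1
    fi

    echo "== 4. Append this to $RULE_FILE (and make sure $SNORT_CONF includes it),"
    echo "      restart snort, then ping any host through the monitored segment:"
    make_test_rule icmp any
    echo "   Then watch the unified2 file under snort's log directory grow."
}

# Only touch the live system when explicitly asked; otherwise just define
# the functions so they can be run against saved output.
if [ "${1:-}" = "run" ]; then
    run_live_checks
fi
```

Run it as `sh snort_checks.sh run` on the sensor. Without the argument it only defines the functions, so the parsers can be pointed at output captured elsewhere (for example `ifconfig bce1 | has_promisc`). The order matters: a failed step 1 or 2 makes everything after it meaningless, which is exactly why Paul puts the rule files last.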
Current thread:
- Log problems honeybadger (Nov 27)
- Re: Log problems waldo kitty (Nov 27)
- Re: Log problems Paul Schmehl (Nov 27)
- Re: Log problems honeybadger (Nov 27)
- Re: Log problems Ron Sinclair (Nov 27)
- Re: Log problems honeybadger (Nov 28)
- Re: Log problems waldo kitty (Nov 28)
- Re: Log problems honeybadger (Nov 28)
- Re: Log problems JJC (Nov 28)
- Re: Log problems Jeremy Hoel (Nov 28)
- Re: Log problems honeybadger (Nov 27)